How Dozens of Companies Know You're Reading About Those NSA Leaks
Deeplinks 2013-06-19
Summary:
As news websites around the globe are publishing story after story about dragnet surveillance, these news sites all have one thing in common: when you visit these websites, your personal information is broadcast to dozens of companies, many of which have the ability to track your surfing habits, and many of which are subject to government data requests.
How Does This Happen?
When you load a webpage in your browser, the page normally includes many elements that get loaded separately, like images, fonts, CSS files, and JavaScript files. These files can be, and often are, loaded from different domain names hosted by different companies. For example, if a website has a Facebook Like button on it, your browser loads JavaScript and images from Facebook's server to display that Like button, even if the website you're visiting has nothing to do with Facebook.
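The loading behaviour described above can be checked for any page. The following Python sketch is an added example, not code from the original article: it parses a page's HTML and lists the third-party sites its subresources are fetched from. The sample page, the hypothetical helper names `site_of` and `third_party_hosts`, and the short suffix set standing in for the Public Suffix List are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for this sample.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Tags and the attribute whose URL the browser fetches without user action.
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

def site_of(host):
    """Approximate the registrable domain: www.guardian.co.uk -> guardian.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

class ResourceCollector(HTMLParser):
    """Collects absolute URLs of the subresources a page references."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls = page_url, []
    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(FETCHING_ATTRS.get(tag, ""))
        if value:
            # urljoin resolves relative and protocol-relative (//host/x) URLs.
            self.urls.append(urljoin(self.page_url, value))

def third_party_hosts(page_url, html):
    """Map each third-party site to the hosts on it that the page loads from."""
    first_party = site_of(urlsplit(page_url).hostname)
    collector = ResourceCollector(page_url)
    collector.feed(html)
    found = {}
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host and site_of(host) != first_party:
            found.setdefault(site_of(host), set()).add(host)
    return {site: sorted(hosts) for site, hosts in found.items()}

# Constructed sample page, not a capture of any real site.
SAMPLE_URL = "https://news.example.com/world/story"
SAMPLE_HTML = """
<link rel="stylesheet" href="/static/site.css">
<script src="//static.example.com/app.js"></script>
<script src="https://connect.facebook.net/sdk.js"></script>
<img src="https://pixel.quantserve.com/pixel.gif">
<iframe src="https://www.facebook.com/plugins/like.php"></iframe>
"""

if __name__ == "__main__":
    for site, hosts in sorted(third_party_hosts(SAMPLE_URL, SAMPLE_HTML).items()):
        print(site, hosts)
```

Static parsing only sees resources named in the HTML itself; anything a script injects at runtime has to be observed in the browser's network log instead.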
Why Does This Matter?
Each time your browser makes a request it sends the following information with it:
- Your IP address and the exact time of the request
- User-Agent string: which normally contains the web browser you're using, your browser's version, your operating system, processor information (32-bit, 64-bit), language settings, and other data
- Referrer: the URL of the website you're coming from—in the case of the Facebook Like button example, your browser tells Facebook which website you're viewing
- Other HTTP headers which contain potentially identifying information
- Sometimes tracking cookies
Every company has different practices, but they generally log some or all of this information, perhaps indefinitely.
It takes very little information about your web browser to build a unique fingerprint of it. See EFF's Panopticlick website to see how unique and trackable your web browser is even without the use of tracking cookies. You can read more in our Primer on Information Theory and Privacy.
Who is Using Third Party Resources?
Here are some examples of prominent news websites that have been reporting on surveillance issues and which domain names they load third party resources from as of June 2013:
The Guardian, which is hosted at guardian.co.uk and was the first to publish about the recent NSA spying leaks, loads scripts from:
guim.co.uk ajax.googleapis.com criteo.com amazonaws.com optimizely.com facebook.com twitter.com google.com quantserve.com wunderloop.net outbrain.com chartbeat.com
The Washington Post, which is hosted at www.washingtonpost.com and published the first story about PRISM alongside the Guardian, loads scripts from:
troveread.com wpdigital.net doubleclick.net criteo.com omtrdc.net theroot.com slate.com expressnightout.com trove.com ooyala.com adsonar.com mathtag.com spotxchange.com bloomberg.com revsci.net scorecardresearch.com chartbeat.com twitter.com cloudfront.net
The New York Times, which is hosted at nytimes.com, loads scripts from:
nyt.com doubleclick.net krxd.net moatads.com googlesyndication.com typekit.com revsci.net scorecardresearch.com imrworldwide.com chartbeat.com
The Wall Street Journal, which is hosted at online.wsj.com, loads scripts from:
wsj.net msn.com axf8.net peer39.net typekit.net llnwd.net imrworldwide.com facebook.net dowjoneson.com akamai.net doubleclick.net chartbeat.com bluekai.com
All of these websites, by loading third party resources from servers controlled by major providers like Facebook, Google, and others, are sending information about their visitors to companies subject to US government data requests. While these news companies themselves could directly receive requests for this data, the fact that they voluntarily send this data to the same small, centralized group of third parties makes these third parties convenient and attractive targets to collect visitor information from vast swaths of the web. Once a website sends data to a third party, it no longer has the power to stand up for its users against unconstitutional government requests for that data.
These news websites are not alone. Other websites that send information about all of their visitors to large companies that are subject to US government data requests include CNN, Huffington Post, MSNBC, BBC, Al Jazeera, BoingBoing, Slashdot,
Link:
https://www.eff.org/deeplinks/2013/06/third-party-resources-nsa-leaks