So last month I was hacking together some software tools as a side project to make it easier for some folks I work with to compare Excel spreadsheets. For the techies reading along, it's some HTML 5 and jQuery, jQueryUI and Backbone that does everything in the browser. It handles all of the weird, one-off spreadsheets that have extra columns added, superfluous columns, etc. so you can quickly determine month-over-month what's changed.
Anyhow, the URL for the web page was completely private. It was never published anywhere. It couldn't be reached unless someone knew the URL.
Two people knew the URL; myself and a co-worker who tested the tool during the second half of May. Now check out who visited the page, courtesy of Google Analytics (the two redactions are my host networks) a couple of weeks after I launched the page.
I'm guessing that list represents the DOD, German intelligence, a European intelligence agency (likely the GCHQ, the UK's version of the NSA), China's People's Liberation Army (PLA), Korean intelligence, Japanese intelligence, Saudi intelligence and several others.
The question is how?
Let's back up the tracking to the first 24 hours the site was operating with Google Analytics. The very first external visitor was Google, which makes sense because I installed Google Analytics to track usage of the page.
Less than 24 hours later, the visitors looked like this:
Remember, this was a private URL that only Google Analytics was aware of (as well as two users' Chrome surfing history). It wasn't discoverable in a search engine, because there was no listing of it anywhere on the web. It still isn't in Google's index, arguably the most complete anywhere.
Yet, within 24 hours, military and intelligence agencies -- I'm assuming -- around the world were visiting the site to spider it, assess it, review it, whatever.
Which begs the question: is Google aware that their network (or the Analytics core itself or users' browser history) is vulnerable to surveillance?
If anyone know folks at Google, feel free to ask them the question (they can email me at email@example.com).