SUBSCRIBE TO OUR FREE NEWSLETTER
Daily news & progressive opinion—funded by the people, not the corporations—delivered straight to your inbox.
5
#000000
#FFFFFF
5
#000000
#FFFFFF
Verizon is among the companies tracking its users' internet activity with undeletable "supercookies." (Photo: Robert Scoble/flickr/cc)
Verizon and AT&T Using Undeletable 'Supercookies' to Track Customers
Tracking program collects data on users' browsing history to create permanent online profiles to share with advertisers
Nov 04, 2014
Service giants Verizon and AT&T have been quietly following more than 100 million users' internet activity without their consent for years through the use of invasive "supercookie" tracking technology that is nearly impossible to detect or escape.
According to the Electronic Frontier Foundation (EFF), those methods may violate federal laws.
The tracking codes--called Unique Identifier Headers, or X-UIDH--are installed on every unencrypted web page that users of both services visit on their mobile devices, which in turn allows Verizon and AT&T to monitor their customers' browsing history and create permanent identification profiles of their habits, likes, and interests. Once installed, the supercookies cannot be deleted nor evaded, even if customers clear their cookies, use private browsing modes, disable third-party cookies, or select "Do Not Track" in their settings.
Verizon allows individual users to opt-out of the marketing program--but that option does not prevent the company from collecting its customers' browsing data, only from sharing it with third-party advertisers.
"Verizon's failure to permit its users to opt out of X-UIDH may be a violation of the federal law that requires phone companies to maintain the confidentiality of their customers' data," EFF senior staff technologist Jacob Hoffman-Andrews explains.
That federal law is the Communications Act, a portion of which requires service providers to protect their customers' confidential data, and bars carriers from using information they acquire from other providers for their own marketing efforts.
The Washington Post notes that Verizon and AT&T could also be in violation of the federal Wiretap Act, "which prohibits altering personal communications during transmission without consent or a court order.... the companies could be vulnerable if a court found that the notification efforts by Verizon and AT&T were not adequate."
According to Verizon, which has been gathering data on its customers since 2012 with its Precision Marketing Insights tracking program, the technology was developed to help third-party companies create targeted ads for users--but as experts point out, its privacy implications go far beyond that.
"We have seen that the NSA [National Security Agency] uses similar identifying metadata as 'selectors' to collect all of a single person's Internet activity," Hoffman-Andrews says. "Having all Verizon mobile users' web traffic marked with a persistent, unique identifier makes it trivial for anyone passively eavesdropping on the Internet to associate that traffic with the individual user in a way not possible with IP addresses alone."
Unlike regular cookies, supercookies are tied to data plans, so anyone who browses the internet through hotspots or shares computers that use cellular data gets monitored as well.
"That means advertisers may build a profile that reveals private browsing activity to coworkers, friends, or family through targeted advertising," Hoffman-Andrews says.
Even those who are not Verizon customers are subject to tracking. Because the code is injected at the network level, it interacts with devices and servers--so the supercookies are installed on any phone or tablet which uses a Verizon tower.
A select few customers are not targeted by the tracking tool, EFF notes. According to AdAge, "Corporate and government subscribers are excluded from the new marketing solution."
"If they are indeed excepted from the program, that indicates to us that implementing an opt-out is feasible," Hoffman-Andrews says. "We're disappointed that Verizon takes some of its users' privacy more seriously than others."
There are other privacy concerns as well. The Post continues:
Verizon's experimentation with supercookies is almost certain to spur copycats eager to compete for a larger share of the multibillion-dollar advertising profits won by Google, Facebook and others.
Those companies track their users and sell targeted advertising based on what they learn. Supercookies could allow cellular carriers and other Internet providers to do the same, potentially encircling ordinary users in a Web of tracking far more extensive than experienced today.
AT&T would not disclose how long it has been using supercookies. The company says it is putting protective measures in place to ensure that their X-UIDH codes change daily for every user, but security researcher Kenneth White--who discovered AT&T's tracking program--told Forbes that those claims are "categorically untrue." At least three of the AT&T's identifying codes are persistent, White said.
Mobile users can check if their web activity is being monitored at AmIBeingTracked.com or lessonslearned.org/sniff.
An Urgent Message From Our Co-Founder
Dear Common Dreams reader, The U.S. is on a fast track to authoritarianism like nothing I've ever seen. Meanwhile, corporate news outlets are utterly capitulating to Trump, twisting their coverage to avoid drawing his ire while lining up to stuff cash in his pockets. That's why I believe that Common Dreams is doing the best and most consequential reporting that we've ever done. Our small but mighty team is a progressive reporting powerhouse, covering the news every day that the corporate media never will. Our mission has always been simple: To inform. To inspire. And to ignite change for the common good. Now here's the key piece that I want all our readers to understand: None of this would be possible without your financial support. That's not just some fundraising cliche. It's the absolute and literal truth. We don't accept corporate advertising and never will. We don't have a paywall because we don't think people should be blocked from critical news based on their ability to pay. Everything we do is funded by the donations of readers like you. Will you donate now to help power the nonprofit, independent reporting of Common Dreams? Thank you for being a vital member of our community. Together, we can keep independent journalism alive when it’s needed most. - Craig Brown, Co-founder |
Our work is licensed under Creative Commons (CC BY-NC-ND 3.0). Feel free to republish and share widely.
Nadia Prupis
Nadia Prupis is a former Common Dreams staff writer. She wrote on media policy for Truthout.org and has been published in New America Media and AlterNet. She graduated from UC Santa Barbara with a BA in English in 2008.
Service giants Verizon and AT&T have been quietly following more than 100 million users' internet activity without their consent for years through the use of invasive "supercookie" tracking technology that is nearly impossible to detect or escape.
According to the Electronic Frontier Foundation (EFF), those methods may violate federal laws.
The tracking codes--called Unique Identifier Headers, or X-UIDH--are installed on every unencrypted web page that users of both services visit on their mobile devices, which in turn allows Verizon and AT&T to monitor their customers' browsing history and create permanent identification profiles of their habits, likes, and interests. Once installed, the supercookies cannot be deleted nor evaded, even if customers clear their cookies, use private browsing modes, disable third-party cookies, or select "Do Not Track" in their settings.
Verizon allows individual users to opt-out of the marketing program--but that option does not prevent the company from collecting its customers' browsing data, only from sharing it with third-party advertisers.
"Verizon's failure to permit its users to opt out of X-UIDH may be a violation of the federal law that requires phone companies to maintain the confidentiality of their customers' data," EFF senior staff technologist Jacob Hoffman-Andrews explains.
That federal law is the Communications Act, a portion of which requires service providers to protect their customers' confidential data, and bars carriers from using information they acquire from other providers for their own marketing efforts.
The Washington Post notes that Verizon and AT&T could also be in violation of the federal Wiretap Act, "which prohibits altering personal communications during transmission without consent or a court order.... the companies could be vulnerable if a court found that the notification efforts by Verizon and AT&T were not adequate."
According to Verizon, which has been gathering data on its customers since 2012 with its Precision Marketing Insights tracking program, the technology was developed to help third-party companies create targeted ads for users--but as experts point out, its privacy implications go far beyond that.
"We have seen that the NSA [National Security Agency] uses similar identifying metadata as 'selectors' to collect all of a single person's Internet activity," Hoffman-Andrews says. "Having all Verizon mobile users' web traffic marked with a persistent, unique identifier makes it trivial for anyone passively eavesdropping on the Internet to associate that traffic with the individual user in a way not possible with IP addresses alone."
Unlike regular cookies, supercookies are tied to data plans, so anyone who browses the internet through hotspots or shares computers that use cellular data gets monitored as well.
"That means advertisers may build a profile that reveals private browsing activity to coworkers, friends, or family through targeted advertising," Hoffman-Andrews says.
Even those who are not Verizon customers are subject to tracking. Because the code is injected at the network level, it interacts with devices and servers--so the supercookies are installed on any phone or tablet which uses a Verizon tower.
A select few customers are not targeted by the tracking tool, EFF notes. According to AdAge, "Corporate and government subscribers are excluded from the new marketing solution."
"If they are indeed excepted from the program, that indicates to us that implementing an opt-out is feasible," Hoffman-Andrews says. "We're disappointed that Verizon takes some of its users' privacy more seriously than others."
There are other privacy concerns as well. The Post continues:
Verizon's experimentation with supercookies is almost certain to spur copycats eager to compete for a larger share of the multibillion-dollar advertising profits won by Google, Facebook and others.
Those companies track their users and sell targeted advertising based on what they learn. Supercookies could allow cellular carriers and other Internet providers to do the same, potentially encircling ordinary users in a Web of tracking far more extensive than experienced today.
AT&T would not disclose how long it has been using supercookies. The company says it is putting protective measures in place to ensure that their X-UIDH codes change daily for every user, but security researcher Kenneth White--who discovered AT&T's tracking program--told Forbes that those claims are "categorically untrue." At least three of the AT&T's identifying codes are persistent, White said.
Mobile users can check if their web activity is being monitored at AmIBeingTracked.com or lessonslearned.org/sniff.
Nadia Prupis
Nadia Prupis is a former Common Dreams staff writer. She wrote on media policy for Truthout.org and has been published in New America Media and AlterNet. She graduated from UC Santa Barbara with a BA in English in 2008.
Service giants Verizon and AT&T have been quietly following more than 100 million users' internet activity without their consent for years through the use of invasive "supercookie" tracking technology that is nearly impossible to detect or escape.
According to the Electronic Frontier Foundation (EFF), those methods may violate federal laws.
The tracking codes--called Unique Identifier Headers, or X-UIDH--are installed on every unencrypted web page that users of both services visit on their mobile devices, which in turn allows Verizon and AT&T to monitor their customers' browsing history and create permanent identification profiles of their habits, likes, and interests. Once installed, the supercookies cannot be deleted nor evaded, even if customers clear their cookies, use private browsing modes, disable third-party cookies, or select "Do Not Track" in their settings.
Verizon allows individual users to opt-out of the marketing program--but that option does not prevent the company from collecting its customers' browsing data, only from sharing it with third-party advertisers.
"Verizon's failure to permit its users to opt out of X-UIDH may be a violation of the federal law that requires phone companies to maintain the confidentiality of their customers' data," EFF senior staff technologist Jacob Hoffman-Andrews explains.
That federal law is the Communications Act, a portion of which requires service providers to protect their customers' confidential data, and bars carriers from using information they acquire from other providers for their own marketing efforts.
The Washington Post notes that Verizon and AT&T could also be in violation of the federal Wiretap Act, "which prohibits altering personal communications during transmission without consent or a court order.... the companies could be vulnerable if a court found that the notification efforts by Verizon and AT&T were not adequate."
According to Verizon, which has been gathering data on its customers since 2012 with its Precision Marketing Insights tracking program, the technology was developed to help third-party companies create targeted ads for users--but as experts point out, its privacy implications go far beyond that.
"We have seen that the NSA [National Security Agency] uses similar identifying metadata as 'selectors' to collect all of a single person's Internet activity," Hoffman-Andrews says. "Having all Verizon mobile users' web traffic marked with a persistent, unique identifier makes it trivial for anyone passively eavesdropping on the Internet to associate that traffic with the individual user in a way not possible with IP addresses alone."
Unlike regular cookies, supercookies are tied to data plans, so anyone who browses the internet through hotspots or shares computers that use cellular data gets monitored as well.
"That means advertisers may build a profile that reveals private browsing activity to coworkers, friends, or family through targeted advertising," Hoffman-Andrews says.
Even those who are not Verizon customers are subject to tracking. Because the code is injected at the network level, it interacts with devices and servers--so the supercookies are installed on any phone or tablet which uses a Verizon tower.
A select few customers are not targeted by the tracking tool, EFF notes. According to AdAge, "Corporate and government subscribers are excluded from the new marketing solution."
"If they are indeed excepted from the program, that indicates to us that implementing an opt-out is feasible," Hoffman-Andrews says. "We're disappointed that Verizon takes some of its users' privacy more seriously than others."
There are other privacy concerns as well. The Post continues:
Verizon's experimentation with supercookies is almost certain to spur copycats eager to compete for a larger share of the multibillion-dollar advertising profits won by Google, Facebook and others.
Those companies track their users and sell targeted advertising based on what they learn. Supercookies could allow cellular carriers and other Internet providers to do the same, potentially encircling ordinary users in a Web of tracking far more extensive than experienced today.
AT&T would not disclose how long it has been using supercookies. The company says it is putting protective measures in place to ensure that their X-UIDH codes change daily for every user, but security researcher Kenneth White--who discovered AT&T's tracking program--told Forbes that those claims are "categorically untrue." At least three of the AT&T's identifying codes are persistent, White said.
Mobile users can check if their web activity is being monitored at AmIBeingTracked.com or lessonslearned.org/sniff.
We've had enough. The 1% own and operate the corporate media. They are doing everything they can to defend the status quo, squash dissent and protect the wealthy and the powerful. The Common Dreams media model is different. We cover the news that matters to the 99%. Our mission? To inform. To inspire. To ignite change for the common good. How? Nonprofit. Independent. Reader-supported. Free to read. Free to republish. Free to share. With no advertising. No paywalls. No selling of your data. Thousands of small donations fund our newsroom and allow us to continue publishing. Can you chip in? We can't do it without you. Thank you.