SUBSCRIBE TO OUR FREE NEWSLETTER
Daily news & progressive opinion—funded by the people, not the corporations—delivered straight to your inbox.
5
#000000
#FFFFFF
5
#000000
#FFFFFF
Verizon and AT&T Using Undeletable 'Supercookies' to Track Customers
Tracking program collects data on users' browsing history to create permanent online profiles to share with advertisers
Nov 04, 2014
Service giants Verizon and AT&T have been quietly following more than 100 million users' internet activity without their consent for years through the use of invasive "supercookie" tracking technology that is nearly impossible to detect or escape.
According to the Electronic Frontier Foundation (EFF), those methods may violate federal laws.
The tracking codes--called Unique Identifier Headers, or X-UIDH--are installed on every unencrypted web page that users of both services visit on their mobile devices, which in turn allows Verizon and AT&T to monitor their customers' browsing history and create permanent identification profiles of their habits, likes, and interests. Once installed, the supercookies cannot be deleted nor evaded, even if customers clear their cookies, use private browsing modes, disable third-party cookies, or select "Do Not Track" in their settings.
Verizon allows individual users to opt-out of the marketing program--but that option does not prevent the company from collecting its customers' browsing data, only from sharing it with third-party advertisers.
"Verizon's failure to permit its users to opt out of X-UIDH may be a violation of the federal law that requires phone companies to maintain the confidentiality of their customers' data," EFF senior staff technologist Jacob Hoffman-Andrews explains.
That federal law is the Communications Act, a portion of which requires service providers to protect their customers' confidential data, and bars carriers from using information they acquire from other providers for their own marketing efforts.
The Washington Post notes that Verizon and AT&T could also be in violation of the federal Wiretap Act, "which prohibits altering personal communications during transmission without consent or a court order.... the companies could be vulnerable if a court found that the notification efforts by Verizon and AT&T were not adequate."
According to Verizon, which has been gathering data on its customers since 2012 with its Precision Marketing Insights tracking program, the technology was developed to help third-party companies create targeted ads for users--but as experts point out, its privacy implications go far beyond that.
"We have seen that the NSA [National Security Agency] uses similar identifying metadata as 'selectors' to collect all of a single person's Internet activity," Hoffman-Andrews says. "Having all Verizon mobile users' web traffic marked with a persistent, unique identifier makes it trivial for anyone passively eavesdropping on the Internet to associate that traffic with the individual user in a way not possible with IP addresses alone."
Unlike regular cookies, supercookies are tied to data plans, so anyone who browses the internet through hotspots or shares computers that use cellular data gets monitored as well.
"That means advertisers may build a profile that reveals private browsing activity to coworkers, friends, or family through targeted advertising," Hoffman-Andrews says.
Even those who are not Verizon customers are subject to tracking. Because the code is injected at the network level, it interacts with devices and servers--so the supercookies are installed on any phone or tablet which uses a Verizon tower.
A select few customers are not targeted by the tracking tool, EFF notes. According to AdAge, "Corporate and government subscribers are excluded from the new marketing solution."
"If they are indeed excepted from the program, that indicates to us that implementing an opt-out is feasible," Hoffman-Andrews says. "We're disappointed that Verizon takes some of its users' privacy more seriously than others."
There are other privacy concerns as well. The Post continues:
Verizon's experimentation with supercookies is almost certain to spur copycats eager to compete for a larger share of the multibillion-dollar advertising profits won by Google, Facebook and others.
Those companies track their users and sell targeted advertising based on what they learn. Supercookies could allow cellular carriers and other Internet providers to do the same, potentially encircling ordinary users in a Web of tracking far more extensive than experienced today.
AT&T would not disclose how long it has been using supercookies. The company says it is putting protective measures in place to ensure that their X-UIDH codes change daily for every user, but security researcher Kenneth White--who discovered AT&T's tracking program--told Forbes that those claims are "categorically untrue." At least three of the AT&T's identifying codes are persistent, White said.
Mobile users can check if their web activity is being monitored at AmIBeingTracked.com or lessonslearned.org/sniff.
An Urgent Message From Our Co-Founder
Dear Common Dreams reader, It’s been nearly 30 years since I co-founded Common Dreams with my late wife, Lina Newhouser. We had the radical notion that journalism should serve the public good, not corporate profits. It was clear to us from the outset what it would take to build such a project. No paid advertisements. No corporate sponsors. No millionaire publisher telling us what to think or do. Many people said we wouldn't last a year, but we proved those doubters wrong. Together with a tremendous team of journalists and dedicated staff, we built an independent media outlet free from the constraints of profits and corporate control. Our mission has always been simple: To inform. To inspire. To ignite change for the common good. Building Common Dreams was not easy. Our survival was never guaranteed. When you take on the most powerful forces—Wall Street greed, fossil fuel industry destruction, Big Tech lobbyists, and uber-rich oligarchs who have spent billions upon billions rigging the economy and democracy in their favor—the only bulwark you have is supporters who believe in your work. But here’s the urgent message from me today. It's never been this bad out there. And it's never been this hard to keep us going. At the very moment Common Dreams is most needed, the threats we face are intensifying. We need your support now more than ever. We don't accept corporate advertising and never will. We don't have a paywall because we don't think people should be blocked from critical news based on their ability to pay. Everything we do is funded by the donations of readers like you. When everyone does the little they can afford, we are strong. But if that support retreats or dries up, so do we. Will you donate now to make sure Common Dreams not only survives but thrives? —Craig Brown, Co-founder |
Our work is licensed under Creative Commons (CC BY-NC-ND 3.0). Feel free to republish and share widely.
Nadia Prupis
Nadia Prupis is a former Common Dreams staff writer. She wrote on media policy for Truthout.org and has been published in New America Media and AlterNet. She graduated from UC Santa Barbara with a BA in English in 2008.
Service giants Verizon and AT&T have been quietly following more than 100 million users' internet activity without their consent for years through the use of invasive "supercookie" tracking technology that is nearly impossible to detect or escape.
According to the Electronic Frontier Foundation (EFF), those methods may violate federal laws.
The tracking codes--called Unique Identifier Headers, or X-UIDH--are installed on every unencrypted web page that users of both services visit on their mobile devices, which in turn allows Verizon and AT&T to monitor their customers' browsing history and create permanent identification profiles of their habits, likes, and interests. Once installed, the supercookies cannot be deleted nor evaded, even if customers clear their cookies, use private browsing modes, disable third-party cookies, or select "Do Not Track" in their settings.
Verizon allows individual users to opt-out of the marketing program--but that option does not prevent the company from collecting its customers' browsing data, only from sharing it with third-party advertisers.
"Verizon's failure to permit its users to opt out of X-UIDH may be a violation of the federal law that requires phone companies to maintain the confidentiality of their customers' data," EFF senior staff technologist Jacob Hoffman-Andrews explains.
That federal law is the Communications Act, a portion of which requires service providers to protect their customers' confidential data, and bars carriers from using information they acquire from other providers for their own marketing efforts.
The Washington Post notes that Verizon and AT&T could also be in violation of the federal Wiretap Act, "which prohibits altering personal communications during transmission without consent or a court order.... the companies could be vulnerable if a court found that the notification efforts by Verizon and AT&T were not adequate."
According to Verizon, which has been gathering data on its customers since 2012 with its Precision Marketing Insights tracking program, the technology was developed to help third-party companies create targeted ads for users--but as experts point out, its privacy implications go far beyond that.
"We have seen that the NSA [National Security Agency] uses similar identifying metadata as 'selectors' to collect all of a single person's Internet activity," Hoffman-Andrews says. "Having all Verizon mobile users' web traffic marked with a persistent, unique identifier makes it trivial for anyone passively eavesdropping on the Internet to associate that traffic with the individual user in a way not possible with IP addresses alone."
Unlike regular cookies, supercookies are tied to data plans, so anyone who browses the internet through hotspots or shares computers that use cellular data gets monitored as well.
"That means advertisers may build a profile that reveals private browsing activity to coworkers, friends, or family through targeted advertising," Hoffman-Andrews says.
Even those who are not Verizon customers are subject to tracking. Because the code is injected at the network level, it interacts with devices and servers--so the supercookies are installed on any phone or tablet which uses a Verizon tower.
A select few customers are not targeted by the tracking tool, EFF notes. According to AdAge, "Corporate and government subscribers are excluded from the new marketing solution."
"If they are indeed excepted from the program, that indicates to us that implementing an opt-out is feasible," Hoffman-Andrews says. "We're disappointed that Verizon takes some of its users' privacy more seriously than others."
There are other privacy concerns as well. The Post continues:
Verizon's experimentation with supercookies is almost certain to spur copycats eager to compete for a larger share of the multibillion-dollar advertising profits won by Google, Facebook and others.
Those companies track their users and sell targeted advertising based on what they learn. Supercookies could allow cellular carriers and other Internet providers to do the same, potentially encircling ordinary users in a Web of tracking far more extensive than experienced today.
AT&T would not disclose how long it has been using supercookies. The company says it is putting protective measures in place to ensure that their X-UIDH codes change daily for every user, but security researcher Kenneth White--who discovered AT&T's tracking program--told Forbes that those claims are "categorically untrue." At least three of the AT&T's identifying codes are persistent, White said.
Mobile users can check if their web activity is being monitored at AmIBeingTracked.com or lessonslearned.org/sniff.
Nadia Prupis
Nadia Prupis is a former Common Dreams staff writer. She wrote on media policy for Truthout.org and has been published in New America Media and AlterNet. She graduated from UC Santa Barbara with a BA in English in 2008.
Service giants Verizon and AT&T have been quietly following more than 100 million users' internet activity without their consent for years through the use of invasive "supercookie" tracking technology that is nearly impossible to detect or escape.
According to the Electronic Frontier Foundation (EFF), those methods may violate federal laws.
The tracking codes--called Unique Identifier Headers, or X-UIDH--are installed on every unencrypted web page that users of both services visit on their mobile devices, which in turn allows Verizon and AT&T to monitor their customers' browsing history and create permanent identification profiles of their habits, likes, and interests. Once installed, the supercookies cannot be deleted nor evaded, even if customers clear their cookies, use private browsing modes, disable third-party cookies, or select "Do Not Track" in their settings.
Verizon allows individual users to opt-out of the marketing program--but that option does not prevent the company from collecting its customers' browsing data, only from sharing it with third-party advertisers.
"Verizon's failure to permit its users to opt out of X-UIDH may be a violation of the federal law that requires phone companies to maintain the confidentiality of their customers' data," EFF senior staff technologist Jacob Hoffman-Andrews explains.
That federal law is the Communications Act, a portion of which requires service providers to protect their customers' confidential data, and bars carriers from using information they acquire from other providers for their own marketing efforts.
The Washington Post notes that Verizon and AT&T could also be in violation of the federal Wiretap Act, "which prohibits altering personal communications during transmission without consent or a court order.... the companies could be vulnerable if a court found that the notification efforts by Verizon and AT&T were not adequate."
According to Verizon, which has been gathering data on its customers since 2012 with its Precision Marketing Insights tracking program, the technology was developed to help third-party companies create targeted ads for users--but as experts point out, its privacy implications go far beyond that.
"We have seen that the NSA [National Security Agency] uses similar identifying metadata as 'selectors' to collect all of a single person's Internet activity," Hoffman-Andrews says. "Having all Verizon mobile users' web traffic marked with a persistent, unique identifier makes it trivial for anyone passively eavesdropping on the Internet to associate that traffic with the individual user in a way not possible with IP addresses alone."
Unlike regular cookies, supercookies are tied to data plans, so anyone who browses the internet through hotspots or shares computers that use cellular data gets monitored as well.
"That means advertisers may build a profile that reveals private browsing activity to coworkers, friends, or family through targeted advertising," Hoffman-Andrews says.
Even those who are not Verizon customers are subject to tracking. Because the code is injected at the network level, it interacts with devices and servers--so the supercookies are installed on any phone or tablet which uses a Verizon tower.
A select few customers are not targeted by the tracking tool, EFF notes. According to AdAge, "Corporate and government subscribers are excluded from the new marketing solution."
"If they are indeed excepted from the program, that indicates to us that implementing an opt-out is feasible," Hoffman-Andrews says. "We're disappointed that Verizon takes some of its users' privacy more seriously than others."
There are other privacy concerns as well. The Post continues:
Verizon's experimentation with supercookies is almost certain to spur copycats eager to compete for a larger share of the multibillion-dollar advertising profits won by Google, Facebook and others.
Those companies track their users and sell targeted advertising based on what they learn. Supercookies could allow cellular carriers and other Internet providers to do the same, potentially encircling ordinary users in a Web of tracking far more extensive than experienced today.
AT&T would not disclose how long it has been using supercookies. The company says it is putting protective measures in place to ensure that their X-UIDH codes change daily for every user, but security researcher Kenneth White--who discovered AT&T's tracking program--told Forbes that those claims are "categorically untrue." At least three of the AT&T's identifying codes are persistent, White said.
Mobile users can check if their web activity is being monitored at AmIBeingTracked.com or lessonslearned.org/sniff.
We've had enough. The 1% own and operate the corporate media. They are doing everything they can to defend the status quo, squash dissent and protect the wealthy and the powerful. The Common Dreams media model is different. We cover the news that matters to the 99%. Our mission? To inform. To inspire. To ignite change for the common good. How? Nonprofit. Independent. Reader-supported. Free to read. Free to republish. Free to share. With no advertising. No paywalls. No selling of your data. Thousands of small donations fund our newsroom and allow us to continue publishing. Can you chip in? We can't do it without you. Thank you.