Verizon and AT&T Using Undeletable 'Supercookies' to Track Customers

Service giants Verizon and AT&T have been quietly following more than 100 million users’ internet activity without their consent for years through the use of invasive "supercookie" tracking technology that is nearly impossible to detect or escape.

According to the Electronic Frontier Foundation (EFF), those methods may violate federal laws.

The tracking codes—called Unique Identifier Headers, or X-UIDH—are installed on every unencrypted web page that users of both services visit on their mobile devices, which in turn allows Verizon and AT&T to monitor their customers’ browsing history and create permanent identification profiles of their habits, likes, and interests. Once installed, the supercookies cannot be deleted nor evaded, even if customers clear their cookies, use private browsing modes, disable third-party cookies, or select "Do Not Track" in their settings.

Verizon allows individual users to opt-out of the marketing program—but that option does not prevent the company from collecting its customers’ browsing data, only from sharing it with third-party advertisers.

"Verizon's failure to permit its users to opt out of X-UIDH may be a violation of the federal law that requires phone companies to maintain the confidentiality of their customers' data," EFF senior staff technologist Jacob Hoffman-Andrews explains.

That federal law is the Communications Act, a portion of which requires service providers to protect their customers’ confidential data, and bars carriers from using information they acquire from other providers for their own marketing efforts.

The Washington Post notes that Verizon and AT&T could also be in violation of the federal Wiretap Act, "which prohibits altering personal communications during transmission without consent or a court order.... the companies could be vulnerable if a court found that the notification efforts by Verizon and AT&T were not adequate."

According to Verizon, which has been gathering data on its customers since 2012 with its Precision Marketing Insights tracking program, the technology was developed to help third-party companies create targeted ads for users—but as experts point out, its privacy implications go far beyond that.

"We have seen that the NSA [National Security Agency] uses similar identifying metadata as 'selectors' to collect all of a single person's Internet activity," Hoffman-Andrews says. "Having all Verizon mobile users' web traffic marked with a persistent, unique identifier makes it trivial for anyone passively eavesdropping on the Internet to associate that traffic with the individual user in a way not possible with IP addresses alone."

Unlike regular cookies, supercookies are tied to data plans, so anyone who browses the internet through hotspots or shares computers that use cellular data gets monitored as well.

"That means advertisers may build a profile that reveals private browsing activity to coworkers, friends, or family through targeted advertising," Hoffman-Andrews says.

Even those who are not Verizon customers are subject to tracking. Because the code is injected at the network level, it interacts with devices and servers—so the supercookies are installed on any phone or tablet which uses a Verizon tower.

A select few customers are not targeted by the tracking tool, EFF notes. According to AdAge, "Corporate and government subscribers are excluded from the new marketing solution."

"If they are indeed excepted from the program, that indicates to us that implementing an opt-out is feasible," Hoffman-Andrews says. "We're disappointed that Verizon takes some of its users' privacy more seriously than others."

There are other privacy concerns as well. The Post continues:

Verizon’s experimentation with supercookies is almost certain to spur copycats eager to compete for a larger share of the multibillion-dollar advertising profits won by Google, Facebook and others.

Those companies track their users and sell targeted advertising based on what they learn. Supercookies could allow cellular carriers and other Internet providers to do the same, potentially encircling ordinary users in a Web of tracking far more extensive than experienced today.

AT&T would not disclose how long it has been using supercookies. The company says it is putting protective measures in place to ensure that their X-UIDH codes change daily for every user, but security researcher Kenneth White—who discovered AT&T's tracking program—told Forbes that those claims are "categorically untrue." At least three of the AT&T's identifying codes are persistent, White said.

Mobile users can check if their web activity is being monitored at AmIBeingTracked.com or lessonslearned.org/sniff.