The Electronic Frontier Foundation this week renewed its protests against Verizon Wireless’ and AT&T’s use of supercookies that can’t be deleted or disabled to track customers’ mobile Web-browsing activities without their knowledge.
It’s not as if the carriers’ tracking is new — Verizon has, by its own admission, been using these supercookies for two years. However, that has not been generally known.
The Electronic Frontier Foundation’s Senior Staff Technologist Jacob Hoffman-Andrews last monthtweeted about the practice, kindling outrage in the blogosphere.
Hoffman-Andrews elaborated on the issue in a Tuesday post.
“Verizon and AT&T should immediately stop modifying their customers’ Web browsing to insert the supercookie, and should re-engineer the program so that it functions on a true opt-in basis,” he told the E-Commerce Times. “Modifying customer Web browsing is too invasive to do without consent.”
It’s a Spy… It’s a Snoop… It’s a Supercookie!
The supercookies are included in an HTTP header called “X-UIDH,” according to Hoffman-Andrews. They are sent to every unencrypted website mobile device users visit.
They are tied to data plans, so anyone who browses the Web through a hotspot or shares a computer that users cellular data gets the same X-UIDH header as everyone else using those devices.
That could let third-party advertisers build a profile that reveals private browsing activity to coworkers, friends or family through targeted advertising, Hoffman-Andrews suggested.
Further, the header ignores Incognito Mode or Private Browsing Mode because it’s injected at the network layer. It can’t be taken out by disabling third-party cookies in browser settings.
The header also gets injected into mobile apps that send HTTP requests, which means users’ behavior in those apps can be correlated with their behavior on the Web.
Verizon describes this as a key benefit of its system — but it bypasses the “limit ad tracking” settings in iOS and Android that are intended to prevent abuse of unique identifiers by mobile apps, Hoffman-Andrews pointed out.
Finally, the header makes it easy for anyone passively eavesdropping on the Internet to track people, Hoffman-Andrews noted, raising the specter of NSA surveillance.
The New Cookie Monsters
Verizon’s X-UIDH header works “with select ad technology partners” to identify audiences they are trying to reach on mobile devices and to deliver relevant ads to those customers, according to Verizon .
Information about the customers is anonymized, the company said. Customers can opt in to one of the two programs Verizon is running — Verizon Selects — and opt out of the other — Relevant Mobile Advertising.
However, the opt-out merely tells Verizon not to share detailed demographic information with advertisers, Hoffman-Andrews observed.
AT&T has “completed testing of the numeric code that would be part of any new mobile relevant advertising program we may launch,” company spokesperson Emily Edmonds told the E-Commerce Times.
“Any new program we would offer would maintain our fundamental commitment to customer privacy,” Edmonds said, adding that customers would be able to opt out of the ad program.
AT&T’s code changes every 24 hours, she maintained, although security experts previously have pooh-poohed that claim.
Seeking That Mobile Pot O’Gold
The carriers’ moves perhaps should have been expected. Mobile ad spending is expected to surpass US$31 billion this year, eMarketer has forecast.
“Targeted advertising dollars are incredibly valuable,” Joe Hoffman, a practice director at ABI Research, told the E-Commerce Times. “Couple this website tracking with the location data they have, and we are looking at the money-printing machine of tomorrow.”
It’s easy to cross the line in the mobile space, because “there are different rules on mobile than for PCs, and companies are still trying to figure out the best way to use tracking data on mobile,” Josh Martin, a research director at Strategy Analytics, told the E-Commerce Times.
As for solutions, Verizon Wireless customers can use a virtual private network, Hoffman-Andrews said, but such services cost money, and “Verizon customers should not be forced to buy their privacy a la carte.”