How Phone Companies Used ‘Supercookies’ to Track Customers’ Web Browsing

AT&T and Verizon continued tracking users’ unencrypted traffic for months after backlash over the practice erupted in November 2014, researchers found.

Kaveh Waddell
Aug. 17, 2015, 7:49 a.m.

Tenacious “supercookies” allowed mobile broadband providers to follow their customers’ activity—both in the U.S. and abroad—for over a decade, until the practice was discovered and publicized late last year and companies began to roll back the cookies.

But for months after the revelations prompted heightened scrutiny of AT&T’s and Verizon’s tracking programs, the companies continued keeping tabs on their customers, according to data gathered over the course of six months by Access, an international digital human rights organization, and released in a report Monday.

AT&T and Verizon were able to track their customers—even when users were roaming internationally or activated private browsing modes—by injecting code called tracking headers into the data sent from users’ devices.

When a user requests a website from a mobile carrier that uses tracking headers, the carrier intercepts the request on the way to its intended target (e.g. a website on the Internet), and inserts a unique identifier tied to that user.

If the website that receives the modified request has paid the carrier for access to the user’s unique identifier, the website can access information about the user—his or her Web-browsing history or shopping preferences, for example—in order to serve targeted advertising.

For six months starting in November 2014, nearly 180,000 people ran an online test on their mobile devices to determine whether companies were tracking their mobile activity, and shared the results with Access. Of those tests, which originated from 164 countries, more than 15 percent revealed the presence of tracking headers, according to the report.

Because carriers insert the headers into Internet requests after they have left a user’s device, it is almost impossible for a user to prevent their use—or even to know that his or her information is being shared with advertisers. Access researchers note, however, that encrypted Web traffic sent over the HTTPS protocol cannot be tracked by carriers.
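Because the header is added after the request leaves the device, it only becomes visible by comparing what was sent with what arrived. The sketch below is an added example, not code from the Access report or its test; it assumes a test client and test server that each record the raw plain-HTTP request, and the header name `X-Example-Subscriber-Id`, its value and the hostnames are constructed placeholders.

```python
import math
from collections import Counter

# Headers that ordinary proxies add; listed separately from identifier-like ones.
PROXY_HEADERS = {"via", "forwarded", "x-forwarded-for"}

def parse_headers(raw: bytes) -> dict:
    """Return {lowercased name: value} for the header block of a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # first line is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def entropy_bits(value: str) -> float:
    """Shannon entropy of the value's characters, times its length, in bits."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c * math.log2(c / n) for c in Counter(value).values())

def find_injected(sent: bytes, received: bytes, min_bits: float = 64.0) -> dict:
    """Diff the headers the client sent against what the server received."""
    s, r = parse_headers(sent), parse_headers(received)
    report = {"identifier_like": [], "proxy": [], "other_added": [], "modified": []}
    for name, value in r.items():
        if name in s:
            if s[name] != value:
                report["modified"].append(name)
        elif name in PROXY_HEADERS:
            report["proxy"].append(name)
        elif entropy_bits(value) >= min_bits:
            report["identifier_like"].append(name)  # long, random-looking value
        else:
            report["other_added"].append(name)
    return report

# Constructed sample: the request as the device sent it, and as it arrived.
SENT = (b"GET /check HTTP/1.1\r\nHost: test.example\r\n"
        b"User-Agent: probe/1.0\r\nAccept: */*\r\n\r\n")
RECEIVED = (b"GET /check HTTP/1.1\r\nHost: test.example\r\n"
            b"User-Agent: probe/1.0\r\nAccept: */*\r\n"
            b"X-Example-Subscriber-Id: OTk4NzY1NDMyMTBhYmNkZWYwMTIzNDU2Nzg5\r\n"
            b"Via: 1.1 proxy.example\r\n\r\n")

if __name__ == "__main__":
    print(find_injected(SENT, RECEIVED))
```

The 64-bit threshold is an assumed cut-off for "long enough to identify one subscriber"; a header that passes it is a candidate for review, not proof of tracking.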

Telecom companies have been using versions of tracking headers since at least 2000, when privacy researchers discovered that Sprint was injecting mobile users’ phone numbers in their Web requests. Verizon began its far more sophisticated tracking program in 2012, according to the company.

After media reports about the tracking practices intensified in late 2014, the telecom companies took steps to phase out their programs—but took months to do so completely.

AT&T said it stopped using the headers in November 2014, but user data submitted to Access starting that month showed AT&T users still had tracking headers injected into their Web traffic for 17 weeks after the tests began.

AT&T did not immediately reply to requests for comment on the timing of its tracking program.

Verizon, which had a more robust tracking system in place, took until January to announce that it would offer its customers an option to opt out from its program completely. Customers already could ask to be removed from Verizon’s marketing program, but their unique identifiers continued to be injected into their Web requests. The change was not made until March, when Verizon said its system had been modified to stop inserting the tracking headers for customers who had opted out.

According to Deji Olukotun, the Access report’s lead author, the data on the effectiveness of Verizon’s opt-out program is “inconclusive.” A Verizon spokesman said Monday that the carrier “provides clear notice and opt out choices for participation in our advertising programs,” and pointed to the company’s FAQ pages about headers and advertising.

Between November 2014 and April 2015, nearly 18,900 Verizon users and about 5,700 AT&T users who took the Access tracking-header test found they were being tracked by their carriers. (The sample was not representative of the world’s mobile user population.)

After they were widely reported last year, the carriers’ tracking practices earned them the attention of privacy-oriented lawmakers and federal regulators.

A group of Democratic senators wrote to the Federal Communications Commission and Federal Trade Commission in February to ask for an investigation of Verizon’s tracking practices.

Sen. Bill Nelson, who signed the letter along with Sens. Edward Markey and Richard Blumenthal, said in a statement that the “whole supercookie business raises the specter of corporations being able to peek into the habits of Americans without their knowledge or consent,” and he said he was considering introducing legislation around the tracking practices.

The FCC said in March it would review whether carriers’ tracking practices violated any consumer security or privacy rules.

Although mobile tracking using tracking headers began dropping off this year, after backlash from consumers and the government, Access researchers note that there could be countless other ways Internet providers can silently track users.

Their testing, for example, did not touch on broadband providers’ tracking practices, but broadband users can be tracked in much the same way as mobile users. AT&T’s “GigaPower” fiber broadband service allows customers to opt out of tracking-based marketing—as long as they’re willing to pay an extra $29 a month.

The broadband tracking program “works independently of your browser’s privacy settings regarding cookies, do-not-track, and private browsing,” according to the company.

Contributions by Libby Isenstein
