Wireless carriers worldwide are still tracking users via "supercookies" or "perma-cookies," yet U.S. wireless carriers track their users more than carriers in any other country, according to a new report by the digital rights group Access. "Injecting tracking headers out of the control of users, without their informed consent, may abuse the privileged position that telcos occupy." Those tracking headers "leak private information about users and make them vulnerable to criminal attacks or even government surveillance."
It came to light in 2014 that Verizon Wireless and AT&T were injecting special tracking headers, aka "supercookies," to secretly monitor users' web browsing habits. So Access set up the "Am I being tracked?" website for users to find out if their mobile carriers were tracking the websites they visited on their phone. More than 200,000 people from 164 different countries tried out the Amibeingtracked tool; 15.3% were being tracked by tracking headers deployed by their wireless carriers. Of those, the most monitoring occurred in the U.S.
Most people don't bother to read their wireless carrier's End User License Agreement, but Access explained, "You may not realize that when you check a box on the application form you may be enrolling in an invasive tracking program that you cannot control — one that could potentially expose you to surveillance by governments or exploitation by criminals."
Headers are not evil, as they are needed for you to use the Internet, but tracking headers are different and very unfriendly to privacy. There's nothing you can do to stop such tracking as carriers exert their control by injecting tracking headers.
Access researchers included helpful graphics to explain tracking headers:
In "The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy" (pdf), Access researchers wrote:
Thus far, carriers have in general not been transparent or demonstrated accountability with regard to their use of tracking headers. In addition, government investigation of the practice has been inadequate to date. The public policy implications of this practice demand greater attention. The tracking activity revealed in this report takes place within a context of massively increased government surveillance capabilities that span the globe. International human rights experts have extolled anonymity as an important facilitator of the rights to freedom of expression and privacy online, yet users who wish to express themselves and receive and impart information without revealing their identity can face extreme difficulty. Intelligence agencies, malicious users, and other actors can exploit this power imbalance to unlawfully collect personal data, build profiles, and monitor marginalized communities.
You may hear such tracking called by many names, such as supercookies, perma-cookies and zombie cookies, but Access researchers say those are "inaccurate" terms; instead "tracking header" best describes the header injected by carriers out of the control of the user. Below is the breakdown of tracking by country.
The data provided by Access shows Verizon as the top offender with regard to monitoring its users with tracking headers, followed by AT&T. AT&T agreed to stop using such tracking methods in November 2014; it wasn't until 17 weeks later that AT&T stopped injecting tracking headers and stopped showing up on Amibeingtracked. Access also noted that Cricket was monitoring U.S. users with tracking headers, but there needs to be a bigger pool of data as it was tested fewer than 10 times.
About 18,900 Verizon users and approximately 5,700 AT&T users who tried the Amibeingtracked tool between November 2014 and April 2015 were being tracked by their carriers. Verizon is still showing up on the chart because users are opted in by default, meaning it's on the user to take responsibility and follow the necessary steps if they want to opt out.
Yet a different breakdown of the data shows the highest percentage of tracking by carrier.
Other key findings in the Access report include:
- Even if tracking headers are not used by the carrier itself to sell advertising, other firms can independently identify and use the tracking headers for advertising purposes.
- Using "Do not track" tools in web browsers does nothing to block the tracking headers.
- Unfortunately, tracking headers "can attach to the user" even when he or she crosses international borders.
- Tracking headers do not work when users visit websites that encrypt connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), meaning the site has an HTTPS URL. That's great, but Access researchers are concerned that the inability to track over HTTPS may lead to fewer sites offering secure and encrypted HTTPS connections.
- Tracking headers have been used since 2000, meaning it took 15 years for the U.S. to investigate how they were being used (pdf). Access added, "It is entirely possible that new, undiscovered tracking mechanisms are already being deployed."
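The kind of check a header-echo test page performs, and the HTTPS and "Do not track" findings above, can be shown with a short added example (not code from Access or from the article). The header names in `KNOWN_TRACKING_HEADERS` come from public reporting on carrier header injection and are not listed in the article; `X-Sub-Token` and all sample values are constructed.

```python
import math
from collections import Counter

# Assumption: names from public reporting on carrier header injection;
# the article itself does not list them.
KNOWN_TRACKING_HEADERS = {"x-uidh", "x-acr", "x-up-subno", "x-msisdn"}
# Headers ordinary proxies add: changed in transit, but not per-user IDs.
PROXY_HEADERS = {"via", "x-forwarded-for", "forwarded"}


def shannon_entropy(value: str) -> float:
    """Bits per character; long, high-entropy values look like unique IDs."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())


def classify_injected(sent: dict, received: dict) -> dict:
    """Compare headers the client sent with the headers the server saw."""
    sent_names = {name.lower() for name in sent}
    report = {"tracking": [], "suspect": [], "proxy": []}
    for name, value in received.items():
        key = name.lower()  # HTTP header names are case-insensitive
        if key in sent_names:
            continue  # present at the origin, so not added in transit
        if key in KNOWN_TRACKING_HEADERS:
            report["tracking"].append(key)
        elif key in PROXY_HEADERS:
            report["proxy"].append(key)
        elif len(value) >= 20 and shannon_entropy(value) >= 3.5:
            report["suspect"].append(key)  # unknown name, ID-like value
    return report


# Constructed sample data. The client sends DNT: 1, which arrives untouched
# and does nothing to stop the injection on the plaintext path.
SENT = {"Host": "example.test", "User-Agent": "TestBrowser/1.0",
        "DNT": "1", "Accept": "*/*"}
RECEIVED_HTTP = dict(SENT, **{
    "X-UIDH": "CONSTRUCTED-UIDH-0001",
    "Via": "1.1 gateway",
    "X-Sub-Token": "q9Zr7Lk2Xw0TfB8sVn3YpD5h",  # hypothetical header name
})
# Over TLS the headers are encrypted end to end, so the server receives
# exactly what the client sent.
RECEIVED_HTTPS = dict(SENT)

if __name__ == "__main__":
    print("http :", classify_injected(SENT, RECEIVED_HTTP))
    print("https:", classify_injected(SENT, RECEIVED_HTTPS))
```
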
It's not only Access warning about such tracking; the W3C Consortium is against unsanctioned web tracking as it is "actively harmful to the web" and "may introduce privacy, security, and consumer protection concerns."
Access pointed out that not all carriers disrespect their users' privacy by secretly monitoring them with tracking headers, but other telcos also need to be "freedom providers."
Carriers must recognize that people are increasingly aware of and concerned about privacy and security issues. The legal, financial, and public relations fallout from invading privacy is growing, and movements to hold corporations accountable for infringing human rights are gaining steam around the world. It is in the best interest of carriers, both in the short and long term, to stop tracking and exploiting people's information without their knowledge or consent, whether or not current regulations ban the practice. There are more ethical ways to gather information, such as giving customers a true opt-in after informed consent.
Access has a "Telco Action Plan" as well as a list of recommendations, including developing policies and practices that provide guidelines for safeguarding users' right to privacy.