Dear Visitor,

Our system has found that you are using an ad-blocking browser add-on.

We just wanted to let you know that our site content is, of course, available to you absolutely free of charge.

Our ads are the only way we have to be able to bring you the latest high-quality content, which is written by professional journalists, with the help of editors, graphic designers, and our site production and I.T. staff, as well as many other talented people who work around the clock for this site.

So, we ask you to add this site to your Ad Blocker’s "white list" or to simply disable your Ad Blocker while visiting this site.

Continue on this site freely
  HOME     MENU     SEARCH     NEWSLETTER    
THE ENTERPRISE SECURITY SUPERSITE. UPDATED 3 MINUTES AGO.
You are here: Home / World Wide Web / AT&T, Verizon Track Phone Web Use
AT&T, Verizon Use 'Perma-Cookies' To Track Phone Web Browsing
AT&T, Verizon Use 'Perma-Cookies' To Track Phone Web Browsing
By Shirley Siluk / Enterprise Security Today Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
OCTOBER
30
2014
Verizon Wireless and AT&T are inserting header codes into mobile traffic data that enables them to track customers' browsing activities over LTE, 4G and 3G networks, according to an online security expert. The "unique identifier header," or UIDH, can be used to understand customer Web habits and deliver more targeted advertising to them.

AT&T said it is only testing the use of UIDHs, and is not currently running a mobile-relevant advertising program that would use such ID-tracked information. Verizon Wireless, which did not respond to our phone calls or e-mails, has been using the tracking codes for two years, according to a report in Wired.

Described as a "perma-cookie," the UIDH is a long string of characters that is inserted into users' mobile Web traffic without their knowledge. Crypto-security expert Kenneth White discovered the use of these codes and has developed a Web page that enables mobile users to test whether their traffic is being labeled in that way.

1M Hits to 'Sniffer' Page

Since news of the discovery was first reported in the media, White's "sniffer" testing page has received nearly one million hits, according to an update White posted Tuesday on Twitter. In an earlier tweet, he noted, "It's almost as if there's interest in mobile providers not being creepy and broadcasting tracking beacons to the world."

ProPublica reported today that the hidden code is also being used by MoPub, a mobile advertising-focused company acquired by Twitter last year. The article linked to a Twitter developer page with information on how UIDHs can be used in apps development.

According to the earlier report in Wired, there is no way for mobile phone users to prevent the insertion of UIDHs into their browsing traffic. A Verizon spokesperson told Wired that if customers choose to opt out, the codes wouldn't be used to generate targeted ads for them. However, the codes themselves would continue to be added to users' traffic headers.

Mark Siegel, AT&T’s executive director for media relations, told us that AT&T is changing its numeric test codes on a daily basis. At some point in the future, the company plans to streamline its opt-out process to enable customers to not only prevent targeted ads but the use of UIDHs themselves, he added.

'Publicly Broadcasting Beacons'

We reached out to White to learn more about his findings on the use of UIDHs by mobile carriers.

He said that even though an individual's tracking code is supposedly changed on a regular basis, he has observed the same UIDH in use on his Verizon phone for about one week now.

"One of the key issues is that for customers (both enterprise and individuals), these beacons persist across IP address changes and users' physical location," White added. "Any site that a person browses or any app accessed over HTTP is publicly broadcasting these beacons, bypassing any privacy preferences or settings."

Since discovering the use of the UIDHs, White said his biggest surprise from the carriers was, "(C)laims of, 'We have been doing this for quite some time, so why is this news?' Other carriers have been confirmed to be using similar technology, most notably Vodaphone, which was actually caught sending customer mobile phone numbers and IMSI (SIM) card numbers.

Tell Us What You Think
Comment:

Name:

Ed.:
Posted: 2014-10-31 @ 10:09am PT
Browser, the sniffer page is at http://lessonslearned.org/sniff.

ExaltedRuler:
Posted: 2014-10-30 @ 2:07pm PT
Greed beats security, again.

Like Us on FacebookFollow Us on Twitter
MORE IN WORLD WIDE WEB
ENTERPRISE SECURITY TODAY
NEWSFACTOR NETWORK SITES
NEWSFACTOR SERVICES
© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.