AT&T, Verizon Use 'Perma-Cookies' To Track Phone Web Browsing
Verizon Wireless and AT&T are inserting header codes into mobile traffic data that enables them to track customers' browsing activities over LTE, 4G and 3G networks, according to an online security expert. The "unique identifier header," or UIDH, can be used to understand customer Web habits and deliver more targeted advertising to them.
AT&T said it is only testing the use of UIDHs, and is not currently running a mobile-relevant advertising program that would use such ID-tracked information. Verizon Wireless, which did not respond to our phone calls or e-mails, has been using the tracking codes for two years, according to a report in Wired.
Described as a "perma-cookie," the UIDH is a long string of characters that is inserted into users' mobile Web traffic without their knowledge. Crypto-security expert Kenneth White discovered the use of these codes and has developed a Web page that enables mobile users to test whether their traffic is being labeled in that way.
1M Hits to 'Sniffer' Page
Since news of the discovery was first reported in the media, White's "sniffer" testing page has received nearly one million hits, according to an update White posted Tuesday on Twitter. In an earlier tweet, he noted, "It's almost as if there's interest in mobile providers not being creepy and broadcasting tracking beacons to the world."
ProPublica reported today that the hidden code is also being used by MoPub, a mobile advertising-focused company acquired by Twitter last year. The article linked to a Twitter developer page with information on how UIDHs can be used in apps development.
According to the earlier report in Wired, there is no way for mobile phone users to prevent the insertion of UIDHs into their browsing traffic. A Verizon spokesperson told Wired that if customers choose to opt out, the codes wouldn't be used to generate targeted ads for them. However, the codes themselves would continue to be added to users' traffic headers.
Mark Siegel, AT&T’s executive director for media relations, told us that AT&T is changing its numeric test codes on a daily basis. At some point in the future, the company plans to streamline its opt-out process to enable customers to not only prevent targeted ads but the use of UIDHs themselves, he added.
'Publicly Broadcasting Beacons'
We reached out to White to learn more about his findings on the use of UIDHs by mobile carriers.
He said that even though an individual's tracking code is supposedly changed on a regular basis, he has observed the same UIDH in use on his Verizon phone for about one week now.
"One of the key issues is that for customers (both enterprise and individuals), these beacons persist across IP address changes and users' physical location," White added. "Any site that a person browses or any app accessed over HTTP is publicly broadcasting these beacons, bypassing any privacy preferences or settings."
Since discovering the use of the UIDHs, White said his biggest surprise from the carriers was, "(C)laims of, 'We have been doing this for quite some time, so why is this news?' Other carriers have been confirmed to be using similar technology, most notably Vodaphone, which was actually caught sending customer mobile phone numbers and IMSI (SIM) card numbers.
Posted: 2014-10-31 @ 10:09am PT
Browser, the sniffer page is at http://lessonslearned.org/sniff.
Posted: 2014-10-30 @ 2:07pm PT
Greed beats security, again.