AT&T and Verizon are tracking their customers' web habits using undeletable "supercookies."
Both services are inserting a special code—dubbed a “supercookie”—into their networks’ cellular web traffic. This code is then used to track the browsing habits of customers; in Verizon’s case, it is also used to help marketing companies send mobile users targeted ads.
The Washington Post reports that Verizon has been tracking its 106 million retail customers (those without business or government contracts) since 2012. AT&T is testing a similar tracking system for advertising purposes. Customers can check if their web activity is being tracked using tools such as AmIBeingTracked.com.
Companies like Google and Facebook have long used cookies, numerical identifiers that travel with users between sites, to track their customers’ activity and send relevant advertising. But the extent of Verizon and AT&T’s snooping appears unprecedented. Unlike normal cookies, the so-called supercookies cannot be deleted by clearing browser data, and because the markers are added by the carrier at the network level, customers are tracked no matter which sites they visit.
Worse, privacy advocates say, the networks’ supercookies are shared with all unencrypted websites the user visits, making it possible for websites to piggyback on Verizon’s perma-cookie and reassign their own tracking mechanisms, effectively making normal cookies stronger.
Verizon says it is allowing users to opt out of the program (using this link) and that it has taken steps to notify customers of the tracking. But according to the Electronic Frontier Foundation, opting out of the program doesn’t actually disable the supercookie, it just means Verizon won’t share its tracking information with advertisers. That means third-party websites can still use the company’s unremovable cookie for their own tracking purposes.
A Verizon spokeswoman noted that the company changes its cookie’s identifier frequently to prevent exactly this type of piggybacking, but she declined to say how often the cookie changes (AT&T revalues its cookie once per day). EFF points out that ad networks can use their own less-powerful cookies to connect Verizon’s old and new identifiers together.
The carriers’ tracking methods are also worrying because they ignore browsers’ Do Not Track setting, which is meant to give users an easy way to opt out of surveillance. Critics contend they may even be against the law. The Post cites potential violation of the federal Wiretap Act, which “prohibits altering personal communications during transmission without consent or a court order.”
The Electronic Frontier Foundation is also considering suing the carriers for violating the Communications Act, which says carriers cannot reveal identifying information about their customers.