If you count yourself among the nearly 9 out of 10 web users (as of September 2013) who periodically clear their cookies, disable their browser history, or otherwise take steps to maintain some semblance of privacy and anonymity online, bear in mind that if you're a cellular customer of AT&T or Verizon, your efforts are most likely useless: they're tracking all your online phone-based activities anyway.
The Washington Post reported Monday night that Verizon and AT&T have been tracking the activities of up to 100 million of their cellular customers with so-called “supercookies” — tracking markers so powerful, even conscientious and tech-savvy users find them hard to avoid:
The technology has allowed the companies to monitor which sites their customers visit, cataloging their tastes and interests. Consumers cannot erase these supercookies or evade them by using browser settings, such as the “private” or “incognito” modes that are popular among users wary of corporate or government surveillance.
Short-term serial number
What the Post calls “supercookies,” Wired and Forbes call “perma-cookies”; on Oct. 27, Wired warned its readers that “Verizon's 'perma-cookie' is a privacy-killing machine.” But how does it actually work?
Verizon Wireless has been subtly altering the web traffic of its wireless customers for the past two years, inserting a string of about 50 letters, numbers, and characters into data flowing between these customers and the websites they visit.
The company—one of the country’s largest wireless carriers, providing cell phone service for about 123 million subscribers—calls this a Unique Identifier Header, or UIDH. It’s a kind of short-term serial number that advertisers can use to identify you on the web, and it’s the lynchpin of the company’s internet advertising program. But critics say that it’s also a reckless misuse of Verizon’s power as an internet service provider—something that could be used as a trump card to obviate established privacy tools such as private browsing sessions or “do not track” features.
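As an added illustration (not from the original article, Wired, or Verizon), the Python sketch below shows how an insertion of this kind can be detected: compare the headers a browser sent with the headers the web server received, and flag anything added in transit whose value is one long unbroken token. The header name X-Example-Subscriber-Id and all sample data are constructed for the example.

```python
import re

# Constructed sample data: the request as the phone's browser sent it, and
# the same request as it arrived at the web server. The header name
# X-Example-Subscriber-Id and its 50-character value are hypothetical.
SENT = (
    "GET /news HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "DNT: 1\r\n"
    "\r\n"
)
RECEIVED = (
    "GET /news HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "DNT: 1\r\n"
    "Via: 1.1 proxy.example.net\r\n"
    "X-Example-Subscriber-Id: " + "QkM3RjA5" * 6 + "Ab\r\n"
    "\r\n"
)

TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{40,}")  # one long unbroken token

def parse_headers(raw):
    """Return {lowercased name: value} for the header block of a request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def injected_headers(sent_raw, received_raw):
    """Headers the server saw that the client never sent (added in transit)."""
    sent, received = parse_headers(sent_raw), parse_headers(received_raw)
    return {n: v for n, v in received.items() if n not in sent}

def identifier_like(headers):
    """Names of headers whose whole value is a single long token."""
    return sorted(n for n, v in headers.items() if TOKEN.fullmatch(v))

if __name__ == "__main__":
    added = injected_headers(SENT, RECEIVED)
    print("added in transit:", sorted(added))
    print("identifier-like:", identifier_like(added))
```

Ordinary proxy headers such as Via also show up as added in transit, which is why the second step narrows the result to values shaped like an identifier.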
Of course, the only people who seem to think “Internet privacy” is a good thing are actual Internet users; everyone else, from hackers and identity thieves to the advertising industry and the United States government (particularly the FBI and NSA), would prefer to collect as much information about people as they possibly can.
A Verizon spokeswoman told Wired that there's no way to turn this perma-cookie feature off. But a spokeswoman for AT&T told the Washington Post that AT&T, unlike Verizon, changes its “supercookie” every 24 hours to protect privacy.
Yet the program has been around, though largely unnoticed, for months; back in May, Ad Age reported that Verizon's marketing arm, Precision Market Insights, was forming a partnership with three other companies to sell a “tool to advertisers for mobile ad campaigns.” At the time, Ad Age described that advertising tool as “a cookie alternative for a marketing space vexed by the absence of cookies.”
Translation: a way to track users who vexingly do not want to be tracked.
Incidentally, these cookie alternatives are only found on so-called “retail” accounts – corporate and government phone accounts are not being tracked by these supercookies or perma-cookies. As Jacob Hoffman-Andrews, a senior staff technologist for the pro-privacy Electronic Frontier Foundation, observed on Twitter when he called attention to the May Ad Age story in late October:
"Corporate and government subscribers are excluded from the new marketing solution." In other words: we know this is bad.