I first learned that supercookies (AKA perma-cookies, PrecisionIDs, or the more generic term tracking headers) were being used by mobile carriers to track people traversing their mobile networks in 2014. The rationale behind tracking is to provide better advertising content. Whether that’s okay depends on which side of the privacy fence you stand.
Nader Ammari, Gustaf Björksten, Peter Micek, and Deji Olukotun, staff at the digital-rights organization Access.org and authors of the paper The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy (PDF), informed me that tracking started much earlier, in 2000 to be exact. Dr. Kevin Fu, professor and medical-device security researcher at the University of Michigan, noticed his wife’s phone was leaking information to web servers. “Some wireless web browsers reveal your phone number to web servers you visit,” wrote Fu. “As a result, advertisers can obtain your phone number to annoy you by running up your airtime.”
In 2010, Dr. Collin Mulliner, Technische Universität in Berlin, Germany, published additional research on tracking headers in the paper Privacy Leaks in Mobile Phone Internet Access. However, neither Fu’s nor Mulliner’s efforts resulted in any pushback by consumers or government agencies.
It took Robert McMillan’s October 2014 WIRED article Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine to get the kettle boiling. “The company (Verizon) – one of the country’s largest wireless carriers, providing cell phone service for about 123 million subscribers — calls this a Unique Identifier Header, or UIDH,” wrote McMillan. “It’s a kind of short-term serial number that advertisers can use to identify you on the web, and it’s the lynchpin of the company’s internet advertising program.”
As it turned out, people were less than thrilled about tracking headers, prompting an investigation by the FCC, legislation by the US Congress, and more than a few lawsuits. The two mobile carriers implicated in 2014 — AT&T and Verizon — stopped (AT&T) or offered an opt-out (Verizon) for their particular type of tracking header.
How does a tracking header track?
Figure A explains how tracking headers work using a fictional character named Kavita.
Simply put, the mobile carrier receives the HTTP request from Kavita and adds the details to her data profile. The mobile carrier then creates a chunk of data that identifies Kavita and adds it to the original HTTP request as a custom HTTP header. As to why mobile providers even do this, there’s money in it for them. Figure B shows how.
The mobile carrier can monetize this by providing additional information about Kavita, at a cost, to the website listed in the HTTP request.
Supercookies are back
Tracking headers are back in play, and more mobile carriers than AT&T and Verizon are using them. To determine which mobile carriers are involved and the prevalence of tracking headers, the people at Access developed the Am I Being Tracked? website illustrated at the beginning of the article. “The website performs several simple tests to determine whether users are being tracked,” the paper’s authors write. The procedure is as follows:
- Determine whether the device making the request is a mobile device operating on a 3G, 4G, or LTE carrier network.
- Extract the user’s IP address from the normal HTTP header (not the injected header).
- Look up the IP address in an IP geolocation database, matching the IP address with publicly available information about where the IP range is located.
- Look for any unusual or custom headers in the HTTP request and, if found, they are logged.
- Results of the test are returned to the user stating whether the user is being tracked.
After six months of activity (as of the time the paper was published), the Am I Being Tracked? web tool had processed nearly 180,000 tests, and over 15% were identified as being tracked. Figure C shows the results listed by carrier.
The authors conclude their paper with lots of questions, “Despite these small victories, tracking headers are still being used around the world, and important questions remain. How extensive is the use of these tracking headers? What kind of information have carriers been collecting with them? Does their use violate users’ privacy? And what should be done about them, if anything?”
After reading a draft of this column, my friend got right to the point, “If tracking headers are good for us, one might think the mobile carriers would at least let us know.”