Service giants Verizon and AT&T have been quietly following more than 100 million users’ internet activity without their consent for years through the use of invasive “supercookie” tracking technology that is nearly impossible to detect or escape.
According to the Electronic Frontier Foundation (EFF), those methods may violate federal laws.
The tracking codes—called Unique Identifier Headers, or X-UIDH—are installed on every unencrypted web page that users of both services visit on their mobile devices, which in turn allows Verizon and AT&T to monitor their customers’ browsing history and create permanent identification profiles of their habits, likes, and interests. Once installed, the supercookies cannot be deleted nor evaded, even if customers clear their cookies, use private browsing modes, disable third-party cookies, or select “Do Not Track” in their settings.
Verizon allows individual users to opt-out of the marketing program—but that option does not prevent the company from collecting its customers’ browsing data, only from sharing it with third-party advertisers.
“Verizon’s failure to permit its users to opt out of X-UIDH may be a violation of the federal law that requires phone companies to maintain the confidentiality of their customers’ data,” EFF senior staff technologist Jacob Hoffman-Andrews explains.
That federal law is the Communications Act, a portion of which requires service providers to protect their customers’ confidential data, and bars carriers from using information they acquire from other providers for their own marketing efforts.
The Washington Post notes that Verizon and AT&T could also be in violation of the federal Wiretap Act, “which prohibits altering personal communications during transmission without consent or a court order…. the companies could be vulnerable if a court found that the notification efforts by Verizon and AT&T were not adequate.”
According to Verizon, which has been gathering data on its customers since 2012 with its Precision Marketing Insights tracking program, the technology was developed to help third-party companies create targeted ads for users—but as experts point out, its privacy implications go far beyond that.
“We have seen that the NSA [National Security Agency] uses similar identifying metadata as ‘selectors’ to collect all of a single person’s Internet activity,” Hoffman-Andrews says. “Having all Verizon mobile users’ web traffic marked with a persistent, unique identifier makes it trivial for anyone passively eavesdropping on the Internet to associate that traffic with the individual user in a way not possible with IP addresses alone.”
Unlike regular cookies, supercookies are tied to data plans, so anyone who browses the internet through hotspots or shares computers that use cellular data gets monitored as well.
SCROLL TO CONTINUE WITH CONTENT