If you think the websites you visit on your smartphone are nobody’s business but your own, you’re likely under the wrong impression.
According to recent reports by the Electronic Frontier Foundation and various news outlets, carriers Verizon and AT&T are tracking the web activity of their mobile customers, without their consent, to build profiles of customers’ browsing habits for advertisers.
They are enlisting the help of special codes, or “supercookies,” to track mobile web traffic. These codes collect information on browsing habits and, in Verizon’s case, help marketing companies send mobile users targeted ads.
“In an effort to better serve its advertisers, Verizon Wireless has been silently modifying its users’ web traffic on its network to inject a cookie-like tracker,” the EFF report explains. “This tracker, included in an HTTP header called X-UIDH, is sent to every encrypted website a Verizon customer visits from a mobile device.”
The EFF says it is particularly concerned about what this technology allows others to find out about users’ web activity.
“The X-UIDH header effectively reinvents the cookie, but does so in a way that is shockingly insecure and dangerous to your privacy,” the EFF states.
“Besides the ad networks, the unique X-UIDH header is a boon to eavesdroppers,” says the EFF. “We have seen that the NSA uses similar identifying metadata as ‘selectors’ to collect all of a single person’s Internet activity. They also have been shown to use selectors to choose targets for delivering malware via QUANTUMINSERT and similar programs.”
Verizon does not let users turn off this “feature,” and it functions even if you use a private browsing mode or clear your cookies, according to the EFF.
Verizon said it began tracking customers’ web activity in 2012.
AT&T is also tagging its customers with unique codes visible to third parties. According to Forbes, AT&T said it’s “testing” a new way of tracking customers for ad display purposes, but also claims to be working on a privacy-protective measure.
Customers can test whether the X-UIDH header is injected into their traffic by visiting lessonslearned.org/sniff or amibeingtracked.com over a cell data connection.
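
One way such a check can work, as an added example (not code from the EFF or from either test site): the server reports whether a request arrived carrying X-UIDH, a header the browser never sends itself. The handler, the function names and the sample header value are constructed for illustration, and the demo runs over plain HTTP on localhost.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header named in the EFF report; extend the tuple to watch for others.
TRACKING_HEADERS = ("x-uidh",)

def tracking_headers(headers):
    """Return tracking headers found in a request, keyed by lower-case name."""
    return {name.lower(): value for name, value in headers.items()
            if name.lower() in TRACKING_HEADERS}

class EchoHandler(BaseHTTPRequestHandler):
    """Tells the visitor what the server actually received."""
    def do_GET(self):
        found = tracking_headers(self.headers)
        body = json.dumps({"tracked": bool(found), "headers": found}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Cache-Control", "no-store")  # never cache a result
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep visitor identifiers out of the server log

def check(url, extra_headers=None):
    """Fetch the check page directly (no proxy) and return its verdict."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers=extra_headers or {})
    with opener.open(req, timeout=5) as resp:
        return json.load(resp)

def demo():
    server = HTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/" % server.server_port
    try:
        clean = check(url)  # request as the browser sent it
        # Simulates a request modified in transit (constructed value).
        tagged = check(url, {"X-UIDH": "CONSTRUCTED-SAMPLE-VALUE"})
    finally:
        server.shutdown()
        server.server_close()
    return clean, tagged

if __name__ == "__main__":
    print(demo())
```

Hosted on a public server and visited over a cell data connection, the same handler would show whatever the network added between the phone and the server.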
The carriers’ methods of snooping are also troublesome because they ignore browsers’ Do Not Track setting, which is meant to allow users to opt out of tracking.
The EFF is contemplating suing the carriers for violating the Communications Act, which protects customers from having identifying information revealed by their carriers.