Carriers using ‘supercookies’ to track users’ mobile browsing

By A. Asohan August 20, 2015

Privacy-invasive tracking headers a global trend, new report finds
No evidence of use in Singapore and Malaysia, but users urged to be wary

Carriers using ‘supercookies’ to track users’ mobile browsing

CARRIERS in at least 10 countries have been using ‘supercookies’ or ‘permacookies’ to track their users’ mobile browsing, with the first such use dating back at least 10 years, according to global digital rights organisation Access.

The organisation has just released its The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy report, based on a six-month investigation of supercookies, or special tracking headers that carriers inject into HTTP web requests users make through their mobile devices.

Access developed an online tool at Amibeingtracked.com that allows people to test their devices themselves to see whether they are being tracked, but tests by Digital News Asia (DNA) in Malaysia and Singapore showed no evidence that carriers here are using such supercookies.

The governments of both Malaysia and Singapore are known to be customers of Italian spyware-maker Hacking Team, according to documents and email communications leaked online by hackers.

But while there is no evidence of carriers spying on their users, Access advocacy director Josh Levy cautions that his organisation’s study was not conclusive.

Carriers using ‘supercookies’ to track users’ mobile browsing “It doesn't contain all instances of tracking from carriers, nor is it intended to. In addition, carriers could be tracking users in ways beyond the use of these headers,” he told DNA via email.

“All users should be wary of whether and how their carriers are tracking them,” added Levy (pic), formerly the managing editor of online petition platform Change.org.

The Access report comes just as The New York Times (NYT) reported how US carrier AT&T had helped the US National Security Agency (NSA) conduct wiretapping of all Internet communications at the United Nations headquarters in New York.

The NYT report was based on documents provided by whistleblower and former NSA contractor Edward Snowden.

The Access study

Access began its investigation after security researchers exposed a special code – labelled a ‘supercookie’ by media – used by another US carrier, Verizon, to track its users.

The ‘Am I Being Tracked’ website performs several simple tests to determine whether users are being tracked. The site first determines whether the device making the request is a mobile device operating on a 3G, 4G, or LTE carrier network, Access said in its report.

If the device is operating on a carrier network, the test extracts the user’s IP (Internet Protocol) address from the normal HTTP header (not the injected header) and looks up the IP address in an IP geolocation database, matching the IP address with publicly available information about where the IP range is located.

The system then looks for any unusual or custom headers in the HTTP request and, if found, it logs them.

Finally, the site returns the results of the test to the user stating whether the user is being tracked or not. Access said it never discloses the personally identifying information of people who take its test.

Highlights of The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy include:

Evidence of widespread deployment – carriers in 10 countries around the world, including Canada, China, India, Mexico, Morocco, Peru, the Netherlands, Spain, the United States, and Venezuela, are using tracking headers.

The following mobile carriers are using tracking headers: AT&T, Bell Canada, Bharti Airtel, Cricket, Telefonica de España, Verizon, Viettel Peru S.a.c., Vodafone NL, and Vodafone Spain.

Correlative evidence exists that tracking headers may have been used by carriers for more than a decade, and Access also found information indicating the use of tracking headers dating back 15 years.

Users cannot block tracking headers because they are injected by carriers beyond their control. ‘Do not track’ tools in web browsers do not block the tracking headers. Tracking headers can attach to the user even when roaming across international borders.

Tracking headers leak private information about users and make them vulnerable to criminal attacks or even government surveillance.

Tracking headers do not work when users visit websites that encrypt connections using Secure Socket Layer (SSL) or Transport Layer Security (TLS) (demarcated by ‘HTTPS’ in a web address).

Certain tracking headers leak important private information about the user in clear text, including phone numbers.

Current trends suggest that tracking headers will grow in use or will be replaced by a new tracking technology.

Carriers using ‘supercookies’ to track users’ mobile browsing In its report, Access has also provided recommendations for governments, carriers, websites, intergovernmental bodies, civil rights advocates and researchers.

“We entrust our most valuable information to carriers in communicating information, and in receiving it,” said Access senior global advocacy manager Deji Olukotun (pic), also one of the authors of the report.

“Tracking headers not only violate our trust in the information economy, but also in the network itself,” he told DNA via email.

“That's why we're pushing for a true, informed opt-in – not just for these technologies but for any technology that may be informed in the future,” he added.

For an executive summary of The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy, click here; or download the full report here.