UPDATE: Thanks to public pressure, AT&T announced on November 14 that it would end the practice of installing perma-cookies on your mobile device! But this fight is not over—Verizon still has not changed its practices and we need your help collecting information about your own carrier.
Over the past few weeks we learned that the mobile carrier Verizon Wireless has been secretly injecting “perma-cookies” into your browser when you visit a website from your mobile phone. We already knew that mobile phones give off copious amounts of personal information, especially when we use high-accuracy location tools. But we didn’t know it was this bad.
Verizon has been injecting Unique Identifier Headers, or UIDHs, into http requests made by its mobile customers through its “Relevant Mobile Advertising” program. That means that, if you’re one of Verizon Wireless’s 123 million customers, every website you visit may be tracked by Verizon and potentially shared with third parties. In response, Access developed the website http://amibeingtracked.com to allow users to figure out if their own mobile carrier network was doing the same thing. The response has been amazing.
Since we launched our tool two weeks ago:
- More than 80,000 unique visitors accessed our site
- More than 62,000 users used our tool
- We discovered that Verizon, AT&T, Vodafone, and Telefonica are all tracking users through perma-cookies (UIDHs)
- However, these telcos did not track every single user:
- 20% of users were tracked
- 36% of users were not tracked
- 44% of users have returned results that we are still investigating—meaning the results could be much higher
- We were also able to break down the tracking by carrier:
- Verizon tracked more than 5,500 users and did not track over 2,900 users
- AT&T tracked more than 4,800 users and did not track over 2,700 users
- Vodafone (9%) and Telefonica (2%) tracked smaller numbers of users
- More than 1,900 users were tracked by an unknown carrier
Unique Identifier Headers are being injected, and shared, by Verizon so that the company can sell more information to ad brokers. What’s especially pernicious is that this method only works on sites that don’t provide SSL encryption when you visit them. So sites that have failed to protect the security of their visitors through widely available security mechanisms are exposing their users to shameful tracking techniques. Verizon’s tool theoretically does not reveal the personal identifying information of the user to the ad companies, but only the user’s behavior. But we know that behavioral profiles can be used to infer personal identity.
Verizon says that if you opt out of its Relevant Mobile Advertising program it won’t use the data to sell you ads. That’s good—but the fact remains that you’re already being opted in to this program without your knowledge. And even if you opt out, Verizon is still tracking your website visits, and we have no idea what else it’s doing with all of that data.
Verizon’s programs, and others like it, are serious violations of our fundamental right to privacy and must be investigated. As a global human rights organization, Access is also concerned about what precedent this may set in repressive regimes with state-run mobile carriers. If Verizon can trample on privacy rights in the U.S., what might the government of Myanmar do as it rolls out its new telecoms network to 60 million users?
Help us do more. Verizon was the first company we’ve identified and it operates at a vast scale. But other carriers, both large and small, may be tracking your information too. Please spread the word and share http://amibeingtracked.com with your friends and family. (Make sure they turn off their wifi and access it through their mobile network instead.)
The Federal Communications Commission and the Federal Trade Commission have the authority to investigate this issue. The more information we can collect about these shady practices, the more we can pressure our government to protect our right to privacy. You can sign our petition here.