U.S. trade agency forces Turn to be honest about “supercookies”

Action shows cost of employing business practices that fail to respect privacy

This week the U.S. Federal Trade Commission announced a settlement with the digital advertising firm Turn for its use of supercookies — also known as zombie cookies or “unique identifier headers” (UIDHs) — to track mobile users’ web browsing behavior.

Turn bundled supercookies from Verizon, which was fined $1.35 million in 2015 by the Federal Communications Commission. The FTC, a separate government agency, charged Turn with deceiving internet users by tracking them even after they opted out of such tracking from Verizon Wireless. The settlement requires the company to make it easy for customers to opt out and to provide clear, effective notice about how their data is used by Turn.

“It’s high time we moved from opt-out to opt-in,” said Deji Olukotun, Senior Global Advocacy Manager at Access Now. “The use of supercookie tracking is a global epidemic. Using our tool at AmIBeingTracked.com, hundreds of thousands of mobile users discovered they are being ensnared in mobile tracking schemes, usually with no reasonable way to opt-out. We are encouraged by the FTC settlement with Turn, and we urge regulators around the world to also take action to protect user privacy.”

UIDHs let companies track people across the web to target ads. People cannot block them because they are injected by carriers beyond our control, yet they can leak private information and make people vulnerable to criminal attacks or even government surveillance.

Access Now was alerted to this issue in October 2014, when reporters discovered that Verizon was logging data about its customers’ web browsing behavior — even if those customers had opted out of such schemes. Soon after this discovery, we launched AmIBeingTracked.com, a tool that allowed people around the world to test whether their mobile carrier was injecting similar perma-cookies into their web requests. More than 330,000 people took the test, the results of which are detailed in our report, “The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy.”

“The FCC fine, combined with the FTC settlement, is a strong assertion of user rights,” said Peter Micek, Global Policy Counsel at Access Now. “This sets a positive precedent against insidious online tracking, which is occurring across the globe. We expect regulators worldwide, from the European Union to India, to follow the FTC’s lead, and for other telcos to take notice.

“The settlement is validation for the hundreds of thousands of people who took action on this issue, testing their connections to detect mobile tracking headers, and signing our petition to the FTC,” Micek continued. “Together, we can stop practices that imperil our rights online, and show companies that it’s critically important to be transparent about what they’re doing and to respect our privacy.”

In addition to concerns about transparency and user privacy, Access Now highlighted a number of possible security issues with the use of supercookies. These tracking headers can make users vulnerable to spoofing by criminals. They also potentially enable authorities to surveil users without their knowledge. Even without this type of third-party abuse, however, the very existence of these cookies violates our privacy rights if users cannot truly opt out.

For additional information about tracking headers, see:

The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy

Access Now delivers petition to U.S. agencies to investigate zombie cookies