Do you trust your carrier when you sign up for a new mobile phone? You may not realize that when you check a box on the application form you may be enrolling in an invasive tracking program that you cannot control — one that could potentially expose you to surveillance by governments or exploitation by criminals.
Today, Access released our new report The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy, our in-depth investigation into the global use of so-called “supercookies” or “permacookies” to track your web browsing. The results were based on almost 200,000 tests taken on Amibeingtracked.com — a site developed by Access to allow people to test their devices to see if they were being tracked. We offer findings, collated over six months, about the use of tracking headers worldwide, and provide recommendations for governments, carriers, websites, intergovernmental bodies, and researchers.
We entrust carriers with our most private and intimate information on our mobile devices. These tracking programs, sometimes disguised under the moniker “Relevant Advertising,” violate our trust in the integrity of the networks upon which we rely. As the next billion come online, they’ll increasingly be using mobile devices, and tracking headers expose them as soon as they touch the internet.
Our report found alarming results, among them:
- Evidence of widespread deployment: tracking is happening all over the world in many different forms;
- Tracking headers have been around for nearly 15 years;
- Users cannot block tracking headers because they are injected by carriers beyond their control, and they can attach to users even when roaming across international borders;
- Tracking headers leak private information about users and make them vulnerable to criminal attacks or even government surveillance;
- Tracking headers depend upon an HTTP, or unencrypted connection, to function, and may lead to fewer websites offering HTTPS
In order to address the prevalence of these tracking headers, we recommend several courses of action, building upon our petition to press the FCC and FTC to investigate the use of tracking headers in the U.S. We call for government authorities to investigate their use; demand clear opt-in and easy opt-out mechanisms by carriers; and lay out next steps for security researchers into their use and scope.
Access is not alone in being alarmed about these practices. Just last month, the W3C Consortium, which is led by the inventor of the World Wide Web, Sir Tim Berners-Lee, came out strongly against the use of tracking headers, stating that “unsanctioned tracking may introduce privacy, security, and consumer protection concerns.” In the U.S., Senators Bill Nelson, Edward Markey, and Richard Blumenthal sent a letter to the FTC and FCC to consider bringing charges against Verizon Wireless. The time is ripe for an informed conversation about tracking headers.
You can download the full report here (PDF). Or you can read an executive summary here (PDF).