Supercookies Live On, and We’ve Got to Stop Them


Access has been fighting the use of supercookies since last fall, when we learned that the mobile carrier Verizon Wireless had been secretly injecting Unique Identifier Headers, or UIDH, into every single HTTP request made by its mobile users. Over the past few weeks, we have learned even more disturbing news about mobile tracking on Verizon and other cell phone carriers.

An advertising broker called Turn developed a supercookie that allows the company to track the browsing habits of individual users, even after they have opted out of Verizon’s cookies. Turn then sells information about these users in automated auctions to advertisers at a staggering scale, according to a recent article in The New York Times:

Advertisers place orders with Turn to show ads to a specific audience, such as young suburban mothers or surfers who live near beaches. When Turn’s system sees tags identifying users in those consumer clusters, it can place bids in electronic auctions to show those groups digital ads. Turn’s system sees one million such bid opportunities a minute. (emphasis added)

In addition to consumer-related privacy problems, we believe that these cookies can make users vulnerable to spoofing by criminals. They could also potentially enable governments to surveil users without their knowledge. Even without this type of third-party abuse, though, the very existence of these cookies violates our privacy rights if we can’t truly opt out.

In response, Access developed a tool that allows mobile users to test whether they are being tracked. To date, 124,000 users have taken the test. Not only have we found tracking in the U.S., but we have discovered that the issue may be an international phenomenon.
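
To show how header injection of this kind can be detected, here is an added Python example; it is not Access's testing tool and not code from this article. It compares the headers a client sent over plaintext HTTP with the headers a test server received, and flags anything added in transit. The header names other than UIDH, the function names, and both sample requests are assumptions constructed for illustration.

```python
# Added example: detect headers injected between a client and a test server.
# Assumption: these names are not listed in the article; they are publicly
# reported carrier "header enrichment" fields (X-UIDH carries Verizon's UIDH).
KNOWN_TRACKING_HEADERS = {
    "x-uidh": "Verizon UIDH",
    "x-acr": "AT&T identifier",
    "x-msisdn": "subscriber phone number",
    "x-up-subno": "subscriber number",
}

def parse_headers(raw: bytes) -> dict:
    """Return {lowercased name: value} for the header block of a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(client_sent: bytes, server_seen: bytes) -> dict:
    """Report headers present at the server that the client never sent."""
    sent, seen = parse_headers(client_sent), parse_headers(server_seen)
    added = [name for name in seen if name not in sent]
    tracking = {n: KNOWN_TRACKING_HEADERS[n] for n in added
                if n in KNOWN_TRACKING_HEADERS}
    return {
        "tracked": bool(tracking),
        "tracking": tracking,
        # Unknown additions (proxies, new identifier schemes) are listed too.
        "other_added": sorted(n for n in added if n not in tracking),
    }

# Constructed sample: what the client wrote to the socket ...
CLIENT_SENT = (b"GET /check HTTP/1.1\r\nHost: test.example\r\n"
               b"User-Agent: demo-client\r\nAccept: */*\r\n\r\n")
# ... and what the test server logged for the same request (constructed).
SERVER_SEEN = (b"GET /check HTTP/1.1\r\nHost: test.example\r\n"
               b"User-Agent: demo-client\r\nAccept: */*\r\n"
               b"X-UIDH: CONSTRUCTED-SAMPLE-VALUE\r\n"
               b"Via: 1.1 proxy.example\r\n\r\n")

if __name__ == "__main__":
    print(audit(CLIENT_SENT, SERVER_SEEN))
```

The comparison only makes sense for unencrypted HTTP, since a carrier cannot modify requests inside a TLS connection, and it should be run over the mobile data connection rather than Wi-Fi.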

AT&T has already stopped its use of supercookies after it received negative publicity. Likewise, Turn announced it would soon end use of this tracking method. But Verizon has yet to conclusively put an end to the practice. Moreover, we are deeply disturbed that telcos in other countries are imitating these practices, a worrying trend given that many governments afford even fewer privacy protections to their users than in the U.S.

We’re currently strengthening our testing tool for a new round of tests, and we’ll keep pressuring telcos to operate responsibly and respect their users’ privacy. If you live in the U.S., you can take action here to tell the FCC and the FTC to investigate the use of these cookies.