Zombie cookies rise again as telcos respond to our report on tracking headers

Even George A. Romero, visionary creator of zombie movies, would scarcely believe this script. After public outcry, policy turnarounds, and regulatory scrutiny, tracking headers live on in Verizon’s networks. The company just announced a new program combining AOL’s online advertising and tracking capabilities with Verizon’s UIDH mobile tracking headers, to track users across the fixed and mobile web.

It’s the ultimate blast from the past. Tracking headers have survived from their development in 1990s GSM networks all the way through to this new advertising deal Verizon inked with AOL.

But of course, we should have expected it: persistence is in the DNA of tracking headers. As we detailed in our report The Rise of Tracking Headers: How Telcos Around the World Are Threatening Our Privacy (PDF), these headers cannot be deleted like ordinary cookies. Telcos insert them into your mobile HTTP requests, invisibly, beyond your reach.

We have fought to expose the use of mobile tracking headers, and made some progress in holding companies to account. We built a tool at Amibeingtracked.com that allowed mobile device users to test whether they were being tracked, and nearly 200,000 people took our test over a six-month period. In our report, released in August, we found that around 15% of the tests showed evidence of tracking headers, in 10 countries around the globe.
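A server-side check of the kind such a test page performs, added here as an illustration rather than the Amibeingtracked.com code: it inspects the headers that actually arrive at the server, flags carrier identifiers, and shows why the identifier behaves like a cookie the user cannot clear. Only X-UIDH (Verizon’s UIDH header) is a real header name; the sample requests and token values are constructed.

```python
"""Detect carrier-injected tracking headers on the server side (added example).

A telco "header enrichment" proxy appends an identifier to cleartext HTTP
requests; the handset never sees it and cannot delete it.  A site can
inspect what arrives and tell the user.  X-UIDH is Verizon's real header
name; everything else below is constructed for the example.
"""
import re
from typing import Dict, List

# Header names known to carry a carrier-assigned subscriber identifier.
KNOWN_TRACKING_HEADERS = {"x-uidh"}
# Custom X- headers that browsers, frameworks and proxies send legitimately.
BENIGN_CUSTOM_HEADERS = {"x-requested-with", "x-forwarded-for",
                         "x-forwarded-proto", "x-real-ip"}
# A long opaque token (base64- or hex-like) in an unexpected X- header.
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def find_tracking_headers(headers: Dict[str, str], scheme: str) -> List[dict]:
    """Return one finding per suspicious header in a single request."""
    findings = []
    for name, value in headers.items():
        lname = name.lower()
        if lname in KNOWN_TRACKING_HEADERS:
            reason = "known carrier tracking header"
        elif (lname.startswith("x-") and lname not in BENIGN_CUSTOM_HEADERS
              and OPAQUE_TOKEN.match(value)):
            reason = "unknown custom header carrying an opaque token"
        else:
            continue
        # Enrichment needs a cleartext path: an in-path proxy cannot add
        # headers to a request protected end to end by TLS.
        findings.append({"header": name, "value": value, "reason": reason,
                         "injected_in_clear": scheme == "http"})
    return findings


def persistent_identifiers(first: Dict[str, str], second: Dict[str, str]) -> List[str]:
    """Header names whose opaque value is unchanged between two requests made
    before and after the user cleared cookies (the 'zombie cookie' signal)."""
    first_l = {k.lower(): v for k, v in first.items()}
    return sorted(
        k for k, v in ((k.lower(), v) for k, v in second.items())
        if first_l.get(k) == v and (k in KNOWN_TRACKING_HEADERS or (
            k.startswith("x-") and k not in BENIGN_CUSTOM_HEADERS
            and OPAQUE_TOKEN.match(v))))


# Constructed sample: two cleartext requests from one handset; the second was
# sent after the user cleared browser cookies, yet the carrier token is unchanged.
REQUEST_1 = {"Host": "example.test", "User-Agent": "Mozilla/5.0 (Mobile)",
             "Cookie": "session=4f9c1e", "X-UIDH": "OTgxMjM0NTY3ODkwYWJjZGVm"}
REQUEST_2 = {"Host": "example.test", "User-Agent": "Mozilla/5.0 (Mobile)",
             "X-UIDH": "OTgxMjM0NTY3ODkwYWJjZGVm", "X-Requested-With": "XMLHttpRequest"}

if __name__ == "__main__":
    for finding in find_tracking_headers(REQUEST_2, scheme="http"):
        print(finding)
    print("persistent across cookie clear:", persistent_identifiers(REQUEST_1, REQUEST_2))
```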

The nonprofit Business and Human Rights Resource Centre invited formal responses from the companies named in our report. As shown on their website, we have now received responses from five of the telcos: AT&T, Cricket, Telefónica, Verizon, and Vodafone. A sixth, Indian firm Bharti Airtel, responded to media and reached out with questions to Access, but never followed up or responded to us directly.

Let’s go through the responses, one by one.

AT&T: The company provided a one-line reply — “AT&T maintains a fundamental commitment to customer privacy, which is detailed at http://att.com/privacy.”

We appreciate the response. However, pointing to a voluminous, esoteric privacy policy does not help customers understand the specific tracking identified in our report, nor contribute to dialogue on this practice. To its credit, AT&T terminated its use of mobile tracking headers not long after initial reports about the headers emerged in the fall of 2014. Our tests confirmed the company’s claims, showing a precipitous drop in AT&T tracking.

Cricket: Cricket denied that it inserts tracking headers, and made clear that it takes customer privacy seriously.

Access stands by our results. We found fewer than 10 conclusive results of tracking for Cricket, and we will gladly discuss our methodology and results with the company.

Vodafone: Vodafone provided the most support and outreach on their use of tracking headers. They also made meaningful changes in the Netherlands in spring 2015. Now, the headers are largely used for “charge-to-bill” services, which charge purchases to your mobile carrier bill instead of to a credit card. Rather than broadcasting the headers broadly, Vodafone wrote, they created an approved list of those services, and they generate the randomized headers securely.

Access appreciates the candor and willingness of Vodafone to explain its use of tracking headers. Since the release of our report, the company has engaged transparently with Access and taken our concerns seriously. Yet we find that tracking headers are fundamentally insecure because they rely on unencrypted connections — and can transmit user data in the clear — so that whether they are used for charge-to-bill or for some other purpose, they leave users vulnerable to malicious actors or even surveillance by governments.

Telefónica: Telefónica sent a full page-long letter, including its commitments to respect privacy, information about Spanish privacy laws, and promotion of its Data Transparency Lab. The company says it goes beyond what’s required by law in protecting privacy. One sentence truly responded to our report, reading, “Telefónica of España does not use header enrichment tools unless customer identification is technically required, for the provision of the subscribed services.” The company reached out initially but has not responded to our request for a meeting.

We appreciate the reply. However, the specific line about our report leaves many unanswered questions: who determines whether and when tracking headers (or “header enrichment tools”) are “technically required?” How does a customer subscribe to those services? Are customers opted-in by default, or fully informed and asked for explicit, specific, unequivocal consent? We are willing to speak with Telefónica of España to explain our methodology and results, and we underscore that we found the company tracking thousands of users.

Verizon: Alone among the telcos, Verizon raised the human rights implications of our report, and pointed us to various online documents where they explain their specific use of tracking headers, or UIDH. It appears they made changes to their program, switching to a whitelist rather than broadcasting the headers, and offering an opt-out (customers must log in here to opt out). Their recent blog post announcing the AOL partnership also links to their various FAQs.

We appreciate that Verizon acknowledges the human rights implications of privacy. We are also encouraged by the decision to allow for a true opt-out. However, we don’t feel the company goes far enough. The program should be opt-in by default — an approach Verizon already uses for other programs, such as the much smaller Verizon Selects program — and this is all the more necessary after the merger with AOL, a company with an extensive ad network that courses over an estimated 40 percent of the entire web. We found Verizon’s new, interwoven FAQs especially difficult to understand, and they raise more questions than answers. For example, Verizon writes that, “Partners that receive the UIDH will be required to use the UIDH only as part of Verizon and AOL services and not for their own separate uses,” yet they do not promise to notify users of misuses, or explain how Verizon will enforce the requirement.

We’re disappointed that the company has doubled down on UIDH, an aging technology that carries persistent risks for customers.

Conclusion

It’s been nearly a year since researchers revealed the extent of the use of tracking headers. It’s once again Halloween, and we’ve learned a tremendous amount about the risks and reach of these technologies. We’ve also shared numerous recommendations in our report — such as developing new standards at the GSMA — about how best to protect the privacy of users at risk around the world. We salute the telcos that have vowed to curtail the use of tracking headers, but we’re frightened that zombie cookies appear set to rise again.