Study: 15% Of Wireless Users Now Tracked By Stealth Headers, Or 'Zombie Cookies'

from the utterly-unaccountable dept

Earlier this year AT&T and Verizon were caught modifying wireless user traffic to inject unique identifier headers (UIDH). This allowed the carriers to ignore a user’s privacy preferences on the browser level and track all online behavior. In Verizon’s case, the practice wasn’t discovered for two years after implementation, and the carrier integrated a working opt-out mechanism only after another six months of public criticism. Verizon and AT&T of course denied that these headers could be abused by third parties. Shortly thereafter it was illustrated that it was relatively easy for these headers to be abused by third parties.

While the fracas over these “stealth” or “zombie” cookies has quieted down since, a new study suggests use of such stealth tracking is increasing around the world as carriers push to nab their share of the advertising pie. Consumer advocacy group Access has been running a website that analyzes user traffic to determine whether or not carriers are fiddling with their packets to track online behavior. According to a new study from the group (pdf) examining around 200,000 such tests, about 15% of site visitors were being tracked by the carriers in this fashion all over the globe.

Globally, the report notes that AT&T, Bell Canada, Bharti Airtel, Cricket, Telefónica de España, Verizon, Viettel Peru S.a.c., Vodafone NL, and Vodafone Spain are all now using stealth headers. In many of these instances there are no opt-out mechanisms in place for users, or the opt-in mechanisms that exist don’t actually work. Most regulators meanwhile don’t even realize this technology exists, much less have any plan to protect user privacy via hard opt-out requirements. The practice itself, and the stored data, the group’s authors note, make a delicious target for hackers and the intelligence community alike:

“Using tracking headers also raises concerns related to data retention. When ‘honey pots’ of sensitive information, such as data on browsing, location, and phone numbers, are collected and stored, they attract malicious hacking and government surveillance. This kind of collection and retention of user data is unsustainable and unwise, and creates unmanageable risks for businesses and customers alike.”

The W3C Consortium recently agreed, noting that stealth carrier tracking header injection is basically a privacy nightmare in the making that undermines user trust in the entire Internet:

“The aggregate effect of unsanctioned tracking is to undermine user trust in the Web itself. Moreover, if browsers cannot isolate activity between sites and offer users control over their data, they are unable to act as trusted agents for the user. Notably, unsanctioned tracking can be harmful even if non-identifying data is shared, because it provides the linkage among disparate information streams across contextual boundaries. For example the sharing of an opaque fingerprint among a set of unrelated online purchases can provide enough information to enable advertisers to determine that user of that browser is pregnant – and hence to target her with pregnancy-specific advertisements even before she has disclosed her pregnancy.”

This is what has been happening while the marketing, tech and telecom industries bickered, prattled and grandstanded over do not track protections — that this technology makes irrelevant anyway. And while companies like Verizon have repeatedly claimed that no privacy or transparency guidelines are necessary because “public shame” will keep them honest, keep in mind that it took security researchers two years before they even realized that the telco was doing this. It took another six months of pressure for Verizon to heed calls for basic opt-out mechanisms most Verizon users don’t know exist. It makes you wonder: just how long will it take the press and public to realize future iterations of stealth tracking technology are being used?
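
To make the header injection described above concrete, here is a sketch of the kind of check a test site can run on its own server: compare the header names the client says it sent with what actually arrived over plain HTTP. This is an added example, not code from Access or from this post; the short header list, the host name and the sample request are assumptions constructed for illustration. It only works over unencrypted HTTP on the carrier's own link, because an intermediary cannot add headers inside a TLS session.

```python
# Added example: flag request headers that appeared somewhere between client and server.
# KNOWN_TRACKING_HEADERS is a short, non-exhaustive assumption, not a list from the post.
KNOWN_TRACKING_HEADERS = {
    "x-uidh": "Verizon UIDH",
    "x-acr": "AT&T",
}


def parse_request_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x request into {lowercase name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines that have no colon
            headers[name.strip().lower()] = value.strip()
    return headers


def find_injected(sent_names, raw_request: bytes) -> dict:
    """Return {header: (label, value)} for headers the server saw but the client never sent."""
    sent = {n.lower() for n in sent_names}  # header names are case-insensitive
    report = {}
    for name, value in parse_request_headers(raw_request).items():
        if name not in sent:
            label = KNOWN_TRACKING_HEADERS.get(name, "unknown added header")
            report[name] = (label, value)
    return report


# Constructed sample: what the client reports sending, and what the server received.
CLIENT_SENT = ["Host", "User-Agent", "Accept", "DNT"]
SERVER_SAW = (
    b"GET /test HTTP/1.1\r\n"
    b"Host: tracking-test.example\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Accept: */*\r\n"
    b"DNT: 1\r\n"
    b"X-UIDH: CONSTRUCTED-PLACEHOLDER-VALUE\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, (label, value) in find_injected(CLIENT_SENT, SERVER_SAW).items():
        print(f"{name}: {label} -> {value}")
```

Headers reported as "unknown added header" are not necessarily trackers, since ordinary proxies also add headers of their own; they are simply candidates worth a closer look.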


Comments on “Study: 15% Of Wireless Users Now Tracked By Stealth Headers, Or 'Zombie Cookies'”

GEMont (profile) says:

Re: Re: Re:

I can’t help but wonder if perhaps Win10 has been designed to make all of these surveillance exploits easier for the bad guys to run.

It would explain the Free Install.
Most exploits are also Free Install.
They’re just not advertised as such.

On a Win 10 machine, all internal communications between your computer and the Mother Ship take place in the background, completely beyond the user’s control and awareness.

This strikes me as being the perfect OS for third party exploits which would then use the built in secret background communications ability to run their data mining processes without leaving a trace behind by utilizing the same “trace” remover process MS uses to “clean up” its own proprietary data mining traces.

Socrates says:

Re: Re: Re: Windows 10

On a Win 10 machine, all internal communications between your computer and the Mother Ship take place in the background, completely beyond the user’s control and awareness.

Microsoft copied browser search data verbatim even years ago. This was verified by synthetic search strings (random letters and numbers). This was how Google's responses to these strings ended up in Bing.

With Windows 10, Microsoft have a tunnel directly into your computer wherever you are, wherever you go!

DannyB (profile) says:

Not if you're using HTTPS

This is why everyone needs to be using encryption by default.

The fact that intermediaries can inject anything into your traffic is a huge security hole. Within the last few daze there is news of AT&T injecting ads into HTTP traffic, and actually modifying the HTML markup. This demonstrates an ability to also insert any arbitrary JavaScript executable code. Or Flash objects if your browser might be so equipped. (Or ActiveX, or Silverblight, or Java) They could inject Javascript code that probes for vulnerabilities of your browser so that your next HTTP connection can then have a more targeted payload injected.

The really nice thing about this technique is that AT&T wouldn’t even have to make your browser make strange unexpected connections to the mothership that your network monitoring apparatus (if any) might detect. They can inject ‘outbound’ traffic right into your next HTTP request to anywhere. Then remove it in transit so that your target site like TechDirt doesn’t see any extra content or HTTP Headers. But AT&T’s injection systems would see them as it removes them. Nice neat invisible two-way communication with code running in your browser, and no unexpected connections.

This potential has always existed with HTTP. It’s just that now network equipment has become powerful enough to do this kind of despicable evil, which is even worse than advertising itself, on a massive scale.

OldMugwump (profile) says:

Re: market is self regulating

This has nothing to do with markets.

The telecom industry is heavily regulated. Thanks to regulatory capture (as you note), the regulations serve to keep out competitors.

Once firms don’t have to worry about competition, they are free to abuse their customers.

The solution is to open the market to free competition. Once you do that, the market will punish bad actors.

But not until.

Anonymous Coward says:

Re: Re: Re: market is self regulating

but it's true,

Any provider that offered true privacy would be able to build its business so damn fast it would be almost scary.

There is no such thing as a free market in America at the moment, we are far too regulated for that now.

You can’t even open a lemonade stand in your front yard without risk of the police coming by and shutting it down.

Socrates says:

Re: Re: Beware! Don't believe that for a second!

The solution is to open the market to free competition. Once you do that, the market *will* punish bad actors.

Sadly no, it will not!

Giving bullies free reign, give bullies the reign.

This will never change.

When affordable efficient and low-polluting transportation was eradicated, the bad actors' profit soared. Because when the citizens no longer have a choice they can be forced. This will always be worth more to the bad actor than the cost to eradicate good solutions, because the bad actor can always abuse more. Destroying electric trams is a good example of this.

When infrastructure is taken over by bad actors, as in Bolivia when they took over the water supply, they can really harm entire populations. This was a wet dream come true for the IMF (pun intended). How bad did it get? Read up on the water wars. Was the infrastructure cheap? Yes of course, it is a chore for a good actor to supply service and limited profit. This nastiness is spreading.

What about Facebook and its “benign” Internet project in India? It would be a lot more difficult to establish Internet infrastructure if they had been allowed to proceed.

Transparent, democratic, firm rules give a good and stable foundation for free competition that serves the citizens and harms bad actors. This is exactly why ISDS is negotiated in secret! It is meant to be above governments, our governments.

OldMugwump (profile) says:

Re: Friday night lynching

I share the sentiment, but that is a horrible idea.

I know it’s fun to vent. But fundaments of civilization rely on regulation of violence.

Make clear rules, have a fair and impartial method of judging if people have violated them, have reasonable punishments set for those found guilty.

Keep your torches and nooses at home. That is the way to barbarism.

Derek Kerton (profile) says:

Question On How To Test

If we visit the test site, will it reveal the results correctly if:

– one is currently using a carrier-provided femtocell that backhauls on the customer’s DSL or cable?
– one is currently using a wifi connection?
– one is using HTTPS?

I’m concerned that if people run the test, at home, they may get a negative result over their wifi, but if they left home, they’d be spy fodder.

GEMont (profile) says:

Musical Chairs

…just how long will it take the press and public to realize future iterations of stealth tracking technology are being used?

More to the point, how long before this sort of criminal activity is perceived and treated as criminal activity by the so called Department of Justice, and Law Enforcement?

As for the public, by the time it becomes aware of the exploits being used against it today, a whole new array of exploits will have already been developed and injected into the system.

This is all mainly because the authorities do not consider economic attacks on the public by government and business as crimes and do nothing to end the practice until years after it's been replaced by another exploit process and even then, do not actually punish the perpetrators for their crimes in any meaningful way.

This lack of concern and reaction by authority coupled with the lack of consequences for the perpetrators, absolutely guarantees repetition and improvement of the exploitation processes being used against the public.
