AT&T Quietly Backs Away From Its Use of Sneaky Super Cookies

from the you're-the-product----and-the-guinea-pig dept

As we noted a few weeks ago, Verizon and AT&T recently began utilizing a controversial new snoopvertising method that involves meddling with user traffic to insert a unique identifier traffic header, or X-UIDH. This header is then read by marketing partners to track your behavior around the Internet, data that Verizon and AT&T then hope to sell to marketers and other third parties. Beyond the fact that the carriers are modifying user traffic, these headers can also be read by third parties -- even if customers opt out of carrier-specific programs.
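
One way to check a connection for this kind of header insertion, as an added example that is not from the article or from either carrier: a client sends a known set of headers over cleartext HTTP to an echo endpoint and compares them with what the server actually received. The `Echo` handler, the `echo.test` host name and the sample values are assumptions constructed for illustration.

```python
import http.server, json, socket, threading

TRACKING = {"x-uidh"}                            # header named in the article
PROXY = {"via", "forwarded", "x-forwarded-for"}  # often added by ordinary proxies
SENT = {"Host": "echo.test", "User-Agent": "uidh-check", "Connection": "close"}
SAMPLE = [("X-UIDH", "CONSTRUCTED-ID"), ("Via", "1.1 proxy.example")]  # constructed

class Echo(http.server.BaseHTTPRequestHandler):
    """Hypothetical echo endpoint: returns request headers exactly as received."""
    def do_GET(self):
        body = json.dumps(self.headers.items()).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                # silence per-request logging
        pass

def fetch_echo(host, port, sent):
    """Send a cleartext request with exactly `sent`; return headers the server saw."""
    lines = ["GET / HTTP/1.1"] + [f"{k}: {v}" for k, v in sent.items()]
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(("\r\n".join(lines) + "\r\n\r\n").encode())
        data = s.makefile("rb").read()           # server closes after responding
    return [tuple(h) for h in json.loads(data.split(b"\r\n\r\n", 1)[1])]

def classify_added(sent, received):
    """Bucket every header the server saw that the client never sent."""
    sent_names = {k.lower() for k in sent}
    report = {"tracking": [], "proxy": [], "unknown": []}
    for name, value in received:
        key = name.lower()
        if key not in sent_names:
            bucket = "tracking" if key in TRACKING else "proxy" if key in PROXY else "unknown"
            report[bucket].append((name, value))
    return report

def loopback_check():
    """Run the comparison against a local echo server (no middlebox on this path)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), Echo)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    received = fetch_echo("127.0.0.1", srv.server_port, SENT)
    srv.shutdown()
    srv.server_close()
    return classify_added(SENT, received)

if __name__ == "__main__":
    print(loopback_check(), classify_added(SENT, SAMPLE))
```

The comparison is only meaningful over unencrypted HTTP from the connection under test, since a middlebox cannot add headers inside a TLS session.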

After the practice received heat from security experts and groups like the EFF, AT&T has since announced it is backing away from it. AT&T insists that unlike Verizon (who has been using this technology commercially for two years with clients like Twitter), AT&T's implementation was only a trial. That trial is now complete, insists AT&T, and while the company may return to the practice, it promises the program will be somehow modified so user information isn't broadcast and opting out actually works:

"AT&T says it has stopped its controversial practice of adding a hidden, undeletable tracking number to its mobile customers' Internet activity. 'It has been phased off our network,' said Emily J. Edmonds, an AT&T spokeswoman.... AT&T said it used the tracking numbers as part of a test, which it has now completed. Edmonds said AT&T may still launch a program to sell data collected by its tracking number, but that if and when it does, 'customers will be able to opt out of the ad program and not have the numeric code inserted on their device.'"

The EFF confirms that the appearance of the header has indeed declined on AT&T's network. But while AT&T appears to have smelled the looming lawsuit on the wind, Verizon so far has stood tough on its use of the technology. Verizon says that the company's program continues but, as with any program, Verizon is "constantly evaluating." Years ago when Verizon was fighting tougher privacy rules, the company proclaimed that "public shame" would keep them honest.

This particular privacy abuse took two years for savvy network engineers and security consultants to even spot, and so far there's no indication that two weeks of public scolding have done anything to thwart Verizon's ambitions. Cue the class actions and regulatory wrist slaps.

Filed Under: permacookies, privacy, super cookies, tracking
Companies: at&t, verizon


Reader Comments

  • Hephaestus, 18 Nov 2014 @ 4:20pm

    and opting out actually works

    I have an idea. How about these companies use an opt in policy instead, wouldn't that solve a ton of problems.

  • Anonymous Coward, 18 Nov 2014 @ 5:03pm

    "the company proclaimed that 'public shame' would keep them honest"

    Hahahahaha - yeah, right. They have no shame.

  • Pixelation, 18 Nov 2014 @ 6:28pm

    I wonder if VPNs will find a way to work around this kind of crap. If so, I will be using one for my phone on principle alone.

  • Anonymous Coward, 18 Nov 2014 @ 6:45pm

    Actually, the technique was used by a private person to intercept the unencrypted header and collect data along with the phone number using the connection by setting up his own host to collect the data. Since the data is completely unencrypted, holds strongly identifying data and isn't in any way restricted to be read by a specific server, the system is quite the shady marketing company's wet dream.

    Such idiots. It is so far from even basic standards of security that using it with immediately identifying data such as a phone number should be punishable by law...

  • Coyne Tibbets, 18 Nov 2014 @ 7:57pm

    Just wait until the noise dies down: Then they'll back away from backing away.

  • Sheogorath, 19 Nov 2014 @ 1:29am

    Edmonds said AT&T may still launch a program to sell data collected by its tracking number, but that if and when it does, "customers will be able to opt out of the ad program and not have the numeric code inserted on their device."
    Or just make it opt-in. You'd be surprised how many people will say no to being tracked, even if their data is 'anonymised'. Oh, wait...

  • James, 19 Nov 2014 @ 5:24am

    They still want this

    AT&T remains part of the misleadingly named Open Web Alliance whose goal is to break end-to-end encryption, particularly SPDY. The launch presentation (from May) explicitly lists UIDH and "value-added services" such as ad insertion as things that will be broken by the adoption of SPDY.

    There doesn't seem to have been much progress since then thankfully, although I haven't checked the HTTP2 working group to see if their "open proxy" proposal has been put forward there.

  • Anonymous Coward, 19 Nov 2014 @ 5:34am

    What I find hard to believe is that people still subscribe to their services.

  • Anonymous Coward, 19 Nov 2014 @ 5:51am

    profit over privacy

    Can't wait till they start selling privacy as a commodity instead of a right, no money, no budget, oh well, bodes well for the rich

  • John Fenderson, 19 Nov 2014 @ 11:17am

    Better than Verizon

    ... that's damning with faint praise, but this:

    Verizon offers its customers an opportunity to opt out of the program. But opting out doesn't remove the tracking ID.


    Means that Verizon does not, in fact, offer its customers an opportunity to opt out. That means that on this point, for the time being, Verizon is the greater evil.

    • Derek Kerton, 20 Nov 2014 @ 11:17am

      Re: Better than Verizon

      Ha. Yeah. That's like your electrician wiring your light directly to the fuse box. Then installing a switch on your wall with no wires at all connected to it.

      "Sure, you've got an on/off switch right there. You use it to indicate your wishes as to whether the light should be on or off."

  • Anonymous Coward, 24 Nov 2014 @ 5:33pm

    And here I was thinking how apt it was that "UIDH" could stand for User Is a Dick Head.
