Study: 15% Of Wireless Users Now Tracked By Stealth Headers, Or 'Zombie Cookies'
from the utterly-unaccountable dept
Earlier this year AT&T and Verizon were caught modifying wireless user traffic to inject unique identifier headers (UIDH). This allowed the carriers to ignore a user’s privacy preferences at the browser level and track all online behavior. In Verizon’s case, the practice wasn’t discovered for two years after implementation, and the carrier integrated a working opt-out mechanism only after another six months of public criticism. Verizon and AT&T of course denied that these headers could be abused by third parties. Shortly thereafter it was demonstrated that these headers could, in fact, be abused by third parties with relative ease.
While the fracas over these “stealth” or “zombie” cookies has quieted down since, a new study suggests use of such stealth tracking is increasing around the world as carriers push to nab their share of the advertising pie. Consumer advocacy group Access has been running a website called AmiBeingTracked.com, which analyzes user traffic to determine whether or not carriers are fiddling with their packets to track online behavior. According to a new study from the group (pdf) examining around 200,000 such tests, about 15% of site visitors were being tracked by the carriers in this fashion all over the globe:
“Using tracking headers also raises concerns related to data retention. When “honey pots” of sensitive information, such as data on browsing, location, and phone numbers, are collected and stored, they attract malicious hacking and government surveillance. This kind of collection and retention of user data is unsustainable and unwise, and creates unmanageable risks for businesses and customers alike.”
The W3C Consortium recently agreed, noting that stealth carrier tracking header injection is basically a privacy nightmare in the making that undermines user trust in the entire Internet:
“The aggregate effect of unsanctioned tracking is to undermine user trust in the Web itself. Moreover, if browsers cannot isolate activity between sites and offer users control over their data, they are unable to act as trusted agents for the user. Notably, unsanctioned tracking can be harmful even if non-identifying data is shared, because it provides the linkage among disparate information streams across contextual boundaries. For example the sharing of an opaque fingerprint among a set of unrelated online purchases can provide enough information to enable advertisers to determine that user of that browser is pregnant, and hence to target her with pregnancy-specific advertisements even before she has disclosed her pregnancy.”
This is what has been happening while the marketing, tech and telecom industries bickered, prattled and grandstanded over do not track protections — that this technology makes irrelevant anyway. And while companies like Verizon have repeatedly claimed that no privacy or transparency guidelines are necessary because “public shame” will keep them honest, keep in mind that it took security researchers two years before they even realized that the telco was doing this. It took another six months of pressure for Verizon to heed calls for basic opt-out mechanisms most Verizon users don’t know exist. It makes you wonder: just how long will it take the press and public to realize future iterations of stealth tracking technology are being used?
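The detection principle behind a test like AmIBeingTracked.com is simple: the client knows exactly which headers it sent, a cooperating server reports which headers it received, and anything present only on the server side was added in transit. The following is an added example written for this article, not code from Access, the test site or either carrier. It assumes the header name X-UIDH (Verizon's documented identifier header) and X-ACR (AT&T's equivalent); every other header name and value in the sample is constructed.

```python
"""Spot request headers that were added between a client and a server.

Constructed example for this article, not code from Access's
AmIBeingTracked.com test or from the carriers. The client keeps a record
of exactly which headers it sent, a cooperating server reports which
headers it received, and any header that shows up only on the server
side was injected in transit.
"""
import re
from typing import Dict, List, Tuple

# X-UIDH is Verizon's Unique Identifier Header; X-ACR is AT&T's equivalent.
# Treat this set as a starting point, not an exhaustive list.
KNOWN_TRACKING_HEADERS = {"x-uidh", "x-acr"}

# Headers that proxies and load balancers add for legitimate routing reasons;
# these are expected server-side even though the client never sent them.
EXPECTED_INTERMEDIARY_HEADERS = {"via", "forwarded", "x-forwarded-for",
                                 "x-forwarded-proto", "connection"}

# A long run of base64/hex-looking characters is what an opaque
# per-subscriber token tends to look like.
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare them lower-cased."""
    return {name.strip().lower(): value.strip() for name, value in headers.items()}


def injected_headers(sent: Dict[str, str], received: Dict[str, str]) -> Dict[str, str]:
    """Headers the server saw that the client never sent, minus the ones a
    routing intermediary is expected to add."""
    sent_n, received_n = _normalize(sent), _normalize(received)
    return {name: value for name, value in received_n.items()
            if name not in sent_n and name not in EXPECTED_INTERMEDIARY_HEADERS}


def classify(injected: Dict[str, str]) -> List[Tuple[str, str]]:
    """Label each injected header by how suspicious it looks, sorted by name."""
    findings = []
    for name, value in sorted(injected.items()):
        if name in KNOWN_TRACKING_HEADERS:
            findings.append((name, "known carrier tracking header"))
        elif OPAQUE_TOKEN.match(value):
            findings.append((name, "unknown header carrying an opaque token"))
        else:
            findings.append((name, "unexpected header"))
    return findings


def is_tracked(sent: Dict[str, str], received: Dict[str, str]) -> bool:
    """True if any injected header is a known tracker or carries an opaque token."""
    return any(label != "unexpected header"
               for _, label in classify(injected_headers(sent, received)))


# Constructed sample: what the client sent, and what the server logged.
SENT = {"Host": "example.test", "User-Agent": "test-client/1.0", "Accept": "*/*"}
RECEIVED = dict(SENT)
RECEIVED.update({
    "Via": "1.1 carrier-gateway",                          # benign routing header
    "X-UIDH": "OTgxNTk2NDk0ADJVquRu5NS5rSbBANlrp13QL7CXLG",  # constructed value
    "X-Session-Tag": "4f3c2a1b9e8d7c6b5a4f3e2d1c0b9a8f",   # constructed opaque token
    "X-Debug": "on",                                       # odd, but not a token
})

if __name__ == "__main__":
    for name, label in classify(injected_headers(SENT, RECEIVED)):
        print(f"{name}: {label}")
    print("tracked:", is_tracked(SENT, RECEIVED))
```

Two caveats a practitioner would want: the comparison has to be done over plain HTTP, because over HTTPS an intermediary cannot add headers at all (so a clean HTTPS result says nothing about the carrier), and the allow-list of routing headers should be tuned to the real path, otherwise every CDN hop shows up as a false positive.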
Filed Under: privacy, trackers, uidh, wireless, zombie cookies
Comments on “Study: 15% Of Wireless Users Now Tracked By Stealth Headers, Or 'Zombie Cookies'”
If a phone company modified the conversation between two people they would be in serious trouble, so why are they allowed to modify a digital conversation?
Re: Re:
It’s ‘on a computer’.
Re: Re: Re:
I can’t help but wonder if perhaps Win10 has been designed to make all of these surveillance exploits easier for the bad guys to run.
It would explain the Free Install.
Most exploits are also Free Install.
They’re just not advertised as such.
On a Win 10 machine, all internal communications between your computer and the Mother Ship take place in the background, completely beyond the user’s control and awareness.
This strikes me as being the perfect OS for third party exploits which would then use the built in secret background communications ability to run their data mining processes without leaving a trace behind by utilizing the same “trace” remover process MS uses to “clean up” its own proprietary data mining traces.
Re: Re: Re: Windows 10
Microsoft copied browser search data verbatim even years ago. This was verified by synthetic search strings (random letters and numbers). This was how Google’s responses to these strings ended up in Bing.
With Windows 10, Microsoft have a tunnel directly into your computer wherever you are, wherever you go!
Not if you're using HTTPS
This is why everyone needs to be using encryption by default.
The fact that intermediaries can inject anything into your traffic is a huge security hole. Within the last few days there is news of AT&T injecting ads into HTTP traffic, and actually modifying the HTML markup. This demonstrates an ability to also insert any arbitrary JavaScript executable code. Or Flash objects if your browser might be so equipped. (Or ActiveX, or Silverblight, or Java.) They could inject JavaScript code that probes for vulnerabilities of your browser so that your next HTTP connection can then have a more targeted payload injected.
The really nice thing about this technique is that AT&T wouldn’t even have to make your browser make strange unexpected connections to the mothership that your network monitoring apparatus (if any) might detect. They can inject ‘outbound’ traffic right into your next HTTP request to anywhere. Then remove it in transit so that your target site like TechDirt doesn’t see any extra content or HTTP Headers. But AT&T’s injection systems would see them as it removes them. Nice neat invisible two-way communication with code running in your browser, and no unexpected connections.
This potential has always existed with HTTP. It’s just that now network equipment has become powerful enough to do this kind of despicable evil, which is even worse than advertising itself, on a massive scale.
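One defender-side check for the kind of in-transit HTML modification discussed in the comment above is to compare the page as the origin served it with the copy a client actually received, and report any script elements that exist only in the received copy. This is an added example for this thread, not code from AT&T, Techdirt or the commenter; it assumes a reference copy fetched over a path the carrier cannot alter (HTTPS, or out of band), and the sample HTML and the host name injector.invalid are constructed.

```python
"""Report <script> elements present in a received page but absent from a
trusted reference copy of the same page.

Constructed example for this thread, not code from AT&T, Techdirt or the
commenter. The reference copy must come over a path that cannot be
tampered with (for example HTTPS); the HTML below is made up.
"""
import hashlib
from html.parser import HTMLParser
from typing import List, Optional, Set


class ScriptCollector(HTMLParser):
    """Record every <script>: external ones by src, inline ones by a hash of their body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: Set[str] = set()
        self._in_script = False
        self._src: Optional[str] = None
        self._body: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        if self._in_script:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            if self._src:
                self.scripts.add("src:" + self._src)
            else:
                body = "".join(self._body).strip().encode()
                self.scripts.add("inline:" + hashlib.sha256(body).hexdigest()[:16])
            self._in_script = False
            self._src = None


def scripts_in(html: str) -> Set[str]:
    """Set of script identifiers (src or inline hash) found in a page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(reference_html: str, received_html: str) -> List[str]:
    """Scripts present in the received page but absent from the reference copy."""
    return sorted(scripts_in(received_html) - scripts_in(reference_html))


# Constructed reference page, as the origin served it.
REFERENCE = """<html><head><title>Example</title>
<script src="/static/app.js"></script>
<script>window.config = {page: "home"};</script>
</head><body><p>Hello</p></body></html>"""

# The same page with two script elements added in transit (constructed).
TAMPERED = REFERENCE.replace(
    "</head>",
    '<script src="http://injector.invalid/ad.js"></script>'
    '<script>console.log("added in transit");</script></head>')

if __name__ == "__main__":
    for script in injected_scripts(REFERENCE, TAMPERED):
        print("injected:", script)
```

Hashing inline scripts rather than comparing their text keeps the report short and makes the check indifferent to whitespace changes around the body; a page that legitimately varies its inline scripts per visitor (nonces, user-specific config) will need those scripts excluded or normalized before the comparison is meaningful.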
Re: Not if you're using HTTPS
Actually, Virtual Private Networks are a better choice. You pay one party, your VPN provider, in the here and now, and you don’t have to get the whole world to switch over. I seem to recall that Techdirt was recently offering a sponsored deal for a VPN provider.
Re: Re: Not if you're using HTTPS
VPN only encrypts your data between you and your VPN provider. If you don’t use HTTPS, everything is still unencrypted between the VPN provider and the target web site.
Re: Re: Re: Not if you're using HTTPS
Quite right, and I believe you can use HTTPS on top of Virtual Private Networks, if the website you are connecting to supports HTTPS, which it may not.
Re: NoScript
That browsers basically run any and all code, from any web page, by default, is actually quite mad.
NoScript helps a lot. But it is only an add-on. But a highly recommended one! Protecting the data in transit is important too, with HTTPS, VPN, Tor and so on. An untrustworthy VPN is worse than no VPN though!
But, but the market is self regulating … not.
With regulatory capture well established, government oversight apparently is hobbled to the point where they are ineffectual. This does not however mean said regulations should be abolished, it means they need to be enforced.
Re: market is self regulating
This has nothing to do with markets.
The telecom industry is heavily regulated. Thanks to regulatory capture (as you note), the regulations serve to keep out competitors.
Once firms don’t have to worry about competition, they are free to abuse their customers.
The solution is to open the market to free competition. Once you do that, the market will punish bad actors.
But not until.
Re: Re: market is self regulating
hahaha … oh wait, you’re serious?
Re: Re: Re: market is self regulating
But it’s true.
Any provider that offered true privacy would be able to build its business so damn fast it would be almost scary.
There is no such thing as a free market in America at the moment, we are far too regulated for that now.
You can’t even open a lemonade stand in your front yard without risk of the police coming by and shutting it down.
Re: Re: Re:2 market is self regulating
And who controls the police?
You really think that in today’s world you would be allowed to start a company that provides customer service devoid of all surveillance?
Gulla-Bull
Re: Re: Re:2 market is self regulating
There is no such thing as a free market in America at the moment, we are far too regulated for that now.
The problem is not over-regulation, it’s regulatory capture.
Re: Re: Beware! Don't believe that for a second!
Sadly no, it will not!
Giving bullies free reign, give bullies the reign.
This will never change.
When affordable, efficient and low-polluting transportation was eradicated, the bad actors’ profits soared. Because when the citizens no longer have a choice they can be forced. This will always be worth more to the bad actor than the cost to eradicate good solutions, because the bad actor can always abuse more. Destroying electric trams is a good example of this.
When infrastructure is taken over by bad actors, as in Bolivia when they took over the water supply, they can really harm entire populations. This was a wet dream come true for the IMF (pun intended). How bad did it get? Read up on the water wars. Was the infrastructure cheap? Yes of course, it is a chore for a good actor to supply service at limited profit. This nastiness is spreading.
What about Facebook and its “benign” Internet project in India? It would be a lot more difficult to establish Internet infrastructure if they had been allowed to proceed.
Transparent, democratic, firm rules give a good and stable foundation for free competition that serves the citizens and harms bad actors. This is exactly why ISDS is negotiated in secret! It is meant to be above governments, our governments.
Bring back the rope. Friday night lynching would solve these kind of problems with shady cunts exploiting everything for minimal gains, not caring about the damage they cause.
Re: Friday night lynching
I share the sentiment, but that is a horrible idea.
I know it’s fun to vent. But fundaments of civilization rely on regulation of violence.
Make clear rules, have a fair and impartial method of judging if people have violated them, have reasonable punishments set for those found guilty.
Keep your torches and nooses at home. That is the way to barbarism.
Re: Re: Friday night lynching
More like governments giving themselves a monopoly on violence, and using that monopoly to preserve their power.
Re: Re: Re: Friday night lynching
Yes, that is often a side-effect.
Still, it’s better than the alternative. Usually.
This Is Awful
This is shortsighted for the operators. In an age of Over The Top competition, new competition from wifi-only phones, etc., carriers can ill afford to generate a pool of latent hate from the customers.
Re: This Is Awful
Latent heat over abuse? Apparently you aren’t familiar with the epidemic of career politicians comfortably relying on their victims to keep voting for them.
Question On How To Test
If we visit the test site, will it reveal the results correctly if:
– one is currently using a carrier-provided femtocell that backhauls on the customer’s DSL or cable?
– one is currently using a wifi connection?
– one is using HTTPS?
I’m concerned that if people run the test, at home, they may get a negative result over their wifi, but if they left home, they’d be spy fodder.
Re: Question On How To Test
Sorry. Got my own answer:
Be sure to turn off wifi when testing.
Also, probably a good idea to try it both on and away from a femtocell if you use one.
Selection bias
Not to say that this whole thing isn’t a problem, but that survey should not be taken as having any bearing on how many people are affected by this due to the potential self-selection bias.
Musical Chairs
“…just how long will it take the press and public to realize future iterations of stealth tracking technology are being used?”
More to the point, how long before this sort of criminal activity is perceived and treated as criminal activity by the so called Department of Justice, and Law Enforcement?
As for the public, by the time it becomes aware of the exploits being used against it today, a whole new array of exploits will have already been developed and injected into the system.
This is all mainly because the authorities do not consider economic attacks on the public by government and business as crimes and do nothing to end the practice until years after it’s been replaced by another exploit process, and even then do not actually punish the perpetrators for their crimes in any meaningful way.
This lack of concern and reaction by authority coupled with the lack of consequences for the perpetrators, absolutely guarantees repetition and improvement of the exploitation processes being used against the public.