by Karl Bode


Filed Under: privacy, trackers, uidh, wireless, zombie cookies

Study: 15% Of Wireless Users Now Tracked By Stealth Headers, Or 'Zombie Cookies'

from the utterly-unaccountable dept

Earlier this year AT&T and Verizon were caught modifying wireless user traffic to inject unique identifier headers (UIDH). This allowed the carriers to ignore a user's privacy preferences at the browser level and track all online behavior. In Verizon's case, the practice wasn't discovered for two years after implementation, and the carrier integrated a working opt-out mechanism only after another six months of public criticism. Verizon and AT&T of course denied that these headers could be abused by third parties. Shortly thereafter it was illustrated that it was relatively easy for these headers to be abused by third parties.

While the fracas over these "stealth" or "zombie" cookies has quieted down since, a new study suggests use of such stealth tracking is increasing around the world as carriers push to nab their share of the advertising pie. Consumer advocacy group Access has been running a website called AmiBeingTracked.com, which analyzes user traffic to determine whether or not carriers are fiddling with their packets to track online behavior. According to a new study from the group (pdf) examining around 200,000 such tests, about 15% of site visitors were being tracked by the carriers in this fashion all over the globe.

Globally, the report notes that AT&T, Bell Canada, Bharti Airtel, Cricket, Telefonica de España, Verizon, Viettel Peru S.a.c., Vodafone NL, and Vodafone Spain are all now using stealth headers. In many of these instances there are no opt-out mechanisms in place for users, or the opt-in mechanisms that exist don't actually work. Most regulators meanwhile don't even realize this technology exists, much less have any plan to protect user privacy via hard opt-out requirements. The practice itself, and the stored data, the group's authors note, make a delicious target for hackers and the intelligence community alike:

"Using tracking headers also raises concerns related to data retention. When "honey pots" of sensitive information, such as data on browsing, location, and phone numbers, are collected and stored, they attract malicious hacking and government surveillance. This kind of collection and retention of user data is unsustainable and unwise, and creates unmanageable risks for businesses and customers alike."

The W3C recently agreed, noting that stealth carrier tracking header injection is basically a privacy nightmare in the making that undermines user trust in the entire Internet:

"The aggregate effect of unsanctioned tracking is to undermine user trust in the Web itself. Moreover, if browsers cannot isolate activity between sites and offer users control over their data, they are unable to act as trusted agents for the user. Notably, unsanctioned tracking can be harmful even if non-identifying data is shared, because it provides the linkage among disparate information streams across contextual boundaries. For example the sharing of an opaque fingerprint among a set of unrelated online purchases can provide enough information to enable advertisers to determine that user of that browser is pregnant — and hence to target her with pregnancy-specific advertisements even before she has disclosed her pregnancy."

This is what has been happening while the marketing, tech and telecom industries bickered, prattled and grandstanded over do-not-track protections -- which this technology makes irrelevant anyway. And while companies like Verizon have repeatedly claimed that no privacy or transparency guidelines are necessary because "public shame" will keep them honest, keep in mind that it took security researchers two years before they even realized that the telco was doing this. It took another six months of pressure for Verizon to heed calls for basic opt-out mechanisms most Verizon users don't know exist. It makes you wonder: just how long will it take the press and public to realize future iterations of stealth tracking technology are being used?
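A defender's check for the header injection described above, added here as an example that is not code from the article or from Access's test site: it parses the request as the browser sent it and as the destination received it, and reports any header that appeared or changed in transit, which is what a carrier UIDH looks like from the server side. X-UIDH is the Verizon header name; the other watchlist entries and the sample request are assumptions constructed for the example.

```python
"""Flag carrier-injected tracking headers in an HTTP request.

Added example, not code from the article or from Access/AmIBeingTracked.
Two checks: a watchlist of known tracking header names, and a diff between
the headers the client sent and the headers the site received, which catches
an injected identifier under any name. Only meaningful for plain HTTP: a
carrier cannot add headers inside a TLS connection it does not terminate."""
from typing import Dict

# X-UIDH is the Verizon header; the other names are an assumed watchlist of
# subscriber identifiers that mobile gateways have been reported to insert.
TRACKING_HEADER_WATCHLIST = {"x-uidh", "x-acr", "x-up-subno", "x-msisdn"}

# Headers an honest proxy may add or rewrite; these are excluded from the diff.
PROXY_HEADERS = {"via", "forwarded", "x-forwarded-for", "connection",
                 "proxy-connection", "content-length"}


def parse_request_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x request into a lowercase-keyed dict."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # [0] is the request line
        name, sep, value = line.partition(":")
        if sep and name.strip():  # skip malformed lines instead of crashing
            headers[name.strip().lower()] = value.strip()
    return headers


def watchlist_hits(headers: Dict[str, str]) -> Dict[str, str]:
    """Known tracking headers present in the request."""
    return {k: v for k, v in headers.items() if k in TRACKING_HEADER_WATCHLIST}


def injected_headers(sent: Dict[str, str], received: Dict[str, str]) -> Dict[str, str]:
    """Headers the site saw that the client never sent or whose value changed in
    transit, ignoring headers a proxy may legitimately add."""
    return {k: v for k, v in received.items()
            if k not in PROXY_HEADERS and sent.get(k) != v}


# Constructed sample: the request as the browser sent it, and as the site received
# it after a gateway appended a tracking identifier (the token value is made up).
SENT = (b"GET /article HTTP/1.1\r\nHost: example.test\r\n"
        b"User-Agent: Demo/1.0\r\nCookie: session=abc\r\n\r\n")
RECEIVED = (b"GET /article HTTP/1.1\r\nHost: example.test\r\n"
            b"User-Agent: Demo/1.0\r\nCookie: session=abc\r\n"
            b"Via: 1.1 gateway.example.test\r\n"
            b"X-UIDH: CONSTRUCTED-OPAQUE-TOKEN-0001\r\n\r\n")


def demo() -> Dict[str, str]:
    """Injected headers found in the constructed sample: {'x-uidh': ...}."""
    return injected_headers(parse_request_headers(SENT), parse_request_headers(RECEIVED))
```

The diff check is the one worth keeping: a carrier that renames its header escapes the watchlist but still shows up as a header the browser never sent.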

Reader Comments

  1. Anonymous Coward, 27 Aug 2015 @ 4:59am

    If a phone company modified the conversation between two people they would be in serious trouble, so why are they allowed to modify a digital conversation?

  2. DannyB (profile), 27 Aug 2015 @ 5:51am

    Not if you're using HTTPS

    This is why everyone needs to be using encryption by default.

    The fact that intermediaries can inject anything into your traffic is a huge security hole. Within the last few daze there is news of AT&T injecting ads into HTTP traffic, and actually modifying the HTML markup. This demonstrates an ability to also insert any arbitrary JavaScript executable code. Or Flash objects if your browser might be so equipped. (Or ActiveX, or Silverblight, or Java) They could inject Javascript code that probes for vulnerabilities of your browser so that your next HTTP connection can then have a more targeted payload injected.

    The really nice thing about this technique is that AT&T wouldn't even have to make your browser make strange unexpected connections to the mothership that your network monitoring apparatus (if any) might detect. They can inject 'outbound' traffic right into your next HTTP request to anywhere. Then remove it in transit so that your target site like TechDirt doesn't see any extra content or HTTP Headers. But AT&T's injection systems would see them as it removes them. Nice neat invisible two-way communication with code running in your browser, and no unexpected connections.

    This potential has always existed with HTTP. It's just that now network equipment has become powerful enough to do this kind of despicable evil, which is even worse than advertising itself, on a massive scale.

  3. Anonymous Coward, 27 Aug 2015 @ 6:05am

    But, but the market is self regulating ... not.

    With regulatory capture well established, government oversight apparently is hobbled to the point where they are ineffectual. This does not however mean said regulations should be abolished, it means they need to be enforced.

  4. Anonymous Coward, 27 Aug 2015 @ 6:17am

    Re:

    It's 'on a computer'.

  5. Anonymous Coward, 27 Aug 2015 @ 6:39am

    Bring back the rope. Friday night lynching would solve these kind of problems with shady cunts exploiting everything for minimal gains, not caring about the damage they cause.

  6. OldMugwump (profile), 27 Aug 2015 @ 7:05am

    Re: market is self regulating

    This has nothing to do with markets.

    The telecom industry is heavily regulated. Thanks to regulatory capture (as you note), the regulations serve to keep out competitors.

    Once firms don't have to worry about competition, they are free to abuse their customers.

    The solution is to open the market to free competition. Once you do that, the market *will* punish bad actors.

    But not until.

  7. OldMugwump (profile), 27 Aug 2015 @ 7:10am

    Re: Friday night lynching

    I share the sentiment, but that is a horrible idea.

    I know it's fun to vent. But fundaments of civilization rely on regulation of violence.

    Make clear rules, have a fair and impartial method of judging if people have violated them, have reasonable punishments set for those found guilty.

    Keep your torches and nooses at home. That is the way to barbarism.

  8. Anonymous Coward, 27 Aug 2015 @ 8:22am

    Re: Re: market is self regulating

    hahaha ... oh wait, you're serious?

  9. Anonymous Coward, 27 Aug 2015 @ 9:24am

    Re: Re: Friday night lynching

    But fundaments of civilization rely on regulation of violence.

    More like governments giving themselves a monopoly on violence, and using that monopoly to preserve their power.

  10. Anonymous Coward, 27 Aug 2015 @ 9:41am

    Re: Re: Re: market is self regulating

    but its true,

    Any provider that offered true privacy would be able to build its business so damn fast it would be almost scary.

    There is no such thing as a free market in America at the moment, we are far too regulated for that now.

    You can't even open a lemonade stand in your front yard without risk of the police coming by and shutting it down.

  11. Derek Kerton (profile), 27 Aug 2015 @ 9:43am

    This Is Awful

    This is shortsighted for the operators. In an age of Over The Top competition, new competition from wifi-only phones, etc., carriers can ill-afford to generate a pool of latent hate from the customers.

  12. Derek Kerton (profile), 27 Aug 2015 @ 9:46am

    Question On How To Test

    If we visit the test site, will it reveal the results correctly if:

    - one is currently using a carrier-provided femtocell that backhauls on the customer's DSL or cable?
    - one is currently using a wifi connection?
    - one is using HTTPS?

    I'm concerned that if people run the test, at home, they may get a negative result over their wifi, but if they left home, they'd be spy fodder.

  13. Derek Kerton (profile), 27 Aug 2015 @ 9:48am

    Re: Question On How To Test

    Sorry. Got my own answer:

    Be sure to turn off wifi when testing.

    Also, probably a good idea to try it both on and away from a femtocell if you use one.

  14. Anonymous Coward, 27 Aug 2015 @ 11:11am

    Re: Re: Re: Re: market is self regulating

    And who controls the police?

    You really think that in today's world you would be allowed to start a company that provides customer service devoid of all surveillance?

    Gulla-Bull

  15. Andrew D. Todd, 27 Aug 2015 @ 11:55am

    Re: Not if you're using HTTPS

    Actually, Virtual Private Networks are a better choice. You pay one party, your VPN provider, in the here and now, and you don't have to get the whole world to switch over. I seem to recall that Techdirt was recently offering a sponsored deal for a VPN provider.

  16. Anonymous Coward, 27 Aug 2015 @ 1:31pm

    Re: Re: Not if you're using HTTPS

    VPN only encrypts your data between you and your VPN provider - if you don't use HTTPS - everything is still unencrypted between the VPN provider and the target web site.

  17. nasch (profile), 27 Aug 2015 @ 6:55pm

    Re: Re: Re: Re: market is self regulating

    There is no such thing as a free market in America at the moment, we are far too regulated for that now.

    The problem is not over-regulation, it's regulatory capture.

  18. nasch (profile), 27 Aug 2015 @ 7:26pm

    Selection bias

    Not to say that this whole thing isn't a problem, but that survey should not be taken as having any bearing on how many people are affected by this due to the potential self-selection bias.

  19. Andrew D. Todd, 27 Aug 2015 @ 8:01pm

    Re: Re: Re: Not if you're using HTTPS

    Quite right, and I believe you can use HTTPS on top of Virtual Private Networks -- if the website you are connecting to supports HTTPS, which it may not.

  20. OldMugwump (profile), 28 Aug 2015 @ 7:26am

    Re: Re: Re: Friday night lynching

    Yes, that is often a side-effect.

    Still, it's better than the alternative. Usually.

  21. Anonymous Coward, 28 Aug 2015 @ 7:29am

    Re: This Is Awful

    Latent heat over abuse? Apparently you aren't familiar with the epidemic of career politicians comfortably relying on their victims to keep voting for them.

  22. GEMont, 28 Aug 2015 @ 1:39pm

    Musical Chairs

    "...just how long will it take the press and public to realize future iterations of stealth tracking technology are being used?"

    More to the point, how long before this sort of criminal activity is perceived and treated as criminal activity by the so called Department of Justice, and Law Enforcement?

    As for the public, by the time it becomes aware of the exploits being used against it today, a whole new array of exploits will have already been developed and injected into the system.

    This is all mainly because the authorities do not consider economic attacks on the public by government and business as crimes and do nothing to end the practice until years after its been replaced by another exploit process and even then, do not actually punish the perpetrators for their crimes in any meaningful way.

    This lack of concern and reaction by authority coupled with the lack of consequences for the perpetrators, absolutely guarantees repetition and improvement of the exploitation processes being used against the public.

    ---

  23. GEMont, 28 Aug 2015 @ 1:58pm

    Re: Re:

    I can't help but wonder if perhaps Win10 has been designed to make all of these surveillance exploits easier for the bad guys to run.

    It would explain the Free Install.
    Most exploits are also Free Install.
    They're just not advertised as such.

    On a Win 10 machine, all internal communications between your computer and the Mother Ship take place in the background, completely beyond the user's control and awareness.

    This strikes me as being the perfect OS for third party exploits which would then use the built in secret background communications ability to run their data mining processes without leaving a trace behind by utilizing the same "trace" remover process MS uses to "clean up" its own proprietary data mining traces.

    ---

  24. Socrates, 28 Aug 2015 @ 4:22pm

    Windows 10

    On a Win 10 machine, all internal communications between your computer and the Mother Ship take place in the background, completely beyond the user's control and awareness.
    Microsoft copied browser search data verbatim even years ago. This was verified by synthetic search strings (random letters and numbers). This was how Google's responses to these strings ended up in Bing.

    With Windows 10, Microsoft have a tunnel directly into your computer wherever you are, wherever you go!

  25. Socrates, 28 Aug 2015 @ 4:49pm

    NoScript

    That browsers basically run any and all code, from any web page, by default, is actually quite mad.

    NoScript helps a lot. But it is only an add-on. But a highly recommended one! Protecting the data in transit is important too, with https, VPN, Tor and so on. Untrustworthy VPN is worse than no VPN though!

  26. Socrates, 28 Aug 2015 @ 5:41pm

    Beware! Don't believe that for a second!

    The solution is to open the market to free competition. Once you do that, the market *will* punish bad actors.
    Sadly no, it will not!

    Giving bullies free reign gives bullies the reign.

    This will never change.


    When affordable, efficient and low-polluting transportation was eradicated, the bad actors' profits soared. Because when the citizens no longer have a choice they can be forced. This will always be worth more to the bad actor than the cost to eradicate good solutions, because the bad actor can always abuse more. Destroying electric trams is a good example of this.

    When infrastructure is taken over by bad actors, as in Bolivia when they took over the water supply, they can really harm entire populations. This was a wet dream come true for the IMF (pun intended). How bad did it get? Read up on the water wars. Was the infrastructure cheap? Yes of course, it is a chore for a good actor to supply service and limited profit. This nastiness is spreading.

    What about Facebook and its "benign" Internet project in India? It would be a lot more difficult to establish Internet infrastructure if they had been allowed to proceed.


    Transparent, democratic, firm rules give a good and stable foundation for free competition that serves the citizens and harms bad actors. This is exactly why ISDS is negotiated in secret! It is meant to be above governments, our governments.
