The authors of this report are Nader Ammari, Gustaf Björksten, Peter Micek, and Deji Olukotun.
In the age of the internet, mobile devices provide the only way of going online for many users. The devices serve as gateways to information, resources, and innovation, but they can also leak intimate details about the users themselves. In 2014, mobile carriers in the U.S. were found to be secretly monitoring the web browsing habits of their users: Verizon Wireless and AT&T were using so-called supercookies, special tracking headers that the carriers inject beyond the control of the user. These revelations led to several lawsuits. The problem is that tracking headers are still being used around the world, and important questions remain. Below we present the research and how to… for tracking cookies, together with a list of mobile service providers. All of it is provided by Access.
To better understand tracking headers, Access built a tool at Amibeingtracked.com that allows users to test their devices to see if they are being tracked. This report presents results of nearly 180,000 tests conducted in the first six months, along with our major findings about the use of tracking headers worldwide, and it provides our recommendations for governments, carriers, websites, intergovernmental bodies, and researchers.
Evidence of widespread deployment
1. Carriers in 10 countries around the world, including Canada, China, India, Mexico, Morocco, Peru, the Netherlands, Spain, the United States, and Venezuela, are using tracking headers
2. The following mobile carriers are using tracking headers: AT&T, Bell Canada, Bharti Airtel, Cricket, Telefonica de España, Verizon, Viettel Peru S.a.c., Vodafone NL, and Vodafone Spain
3. 15.3% of those who used our tool were being tracked by tracking headers
4. Carriers around the world are using multiple types of tracking headers, all of which have distinct structures
Correlative evidence exists that tracking headers may have been used by carriers for more than a decade
We found information indicating the use of tracking headers dating back 15 years
Users cannot block tracking headers because they are injected by carriers beyond their control
1. Users cannot block tracking headers, because they are injected by carriers out of reach at the network level
2. “Do not track” tools in web browsers do not block the tracking headers.
3. Tracking headers can attach to the user even when roaming across international borders
4. Even if tracking headers are not used by the carrier itself to sell advertising, other firms can independently identify and use the tracking headers for advertising purposes
Encrypted connections to websites stop tracking headers from functioning
1. Tracking headers do not work when users visit websites that encrypt connections using Secure Socket Layer (SSL) or Transport Layer Security (TLS) (demarcated by “HTTPS” in a web address)
2. Tracking headers depend upon an unencrypted HTTP connection to function, and this may lead to fewer websites offering HTTPS
Tracking headers leak private information about users and make them vulnerable to criminal attacks or even government surveillance
1. Certain tracking headers leak important private information about the user in clear text, including phone numbers
2. Although we do not have evidence that criminal attacks have occurred, clear text leaks of phone numbers and other identifying information make tracking headers ripe for exploitation by criminals
3. Although we do not have evidence that government surveillance has taken place, the rich data profiles about users that tracking headers create make them prime targets for government legal requests or surveillance
Tracking headers raise troubling questions about privacy as new technologies are developed
1. Carriers have changed their behavior because of public pressure or because of changes in technology
2. Current trends suggest that tracking headers will grow in use or will be replaced by a new tracking technology
-Appropriate authorities, including data protection and consumer rights regulators, should investigate the use of tracking headers in every country
-Authorities should hold carriers accountable for false or misleading statements or practices regarding tracking headers
-Authorities should require carriers to provide affected users with an adequate remedy, and to make guarantees of non-repetition
-All carriers should publicly disclose their use of tracking headers and not enroll users by default for any reason, such as advertising
-Any use of tracking headers or similar tracking technology should require users to clearly, specifically, and explicitly opt-in, after being fully informed of the potential risks
-Carriers must provide a clear, easy-to-use opt-out mechanism for users, regardless of whether they previously opted in
-Carriers that commit to stopping the use of tracking headers in one country or region should commit to stop using them in other countries or regions where they have operations
-Industry associations like the GSM Association should study the harms that tracking headers present, and advise members to strictly circumscribe their use
-Carriers should utilize Access’ Telco Action Plan for further guidance on how to respect the privacy of users
-Carriers should consider joining multistakeholder groups, such as the Global Network Initiative, that assess progress in meeting privacy and freedom of expression benchmarks based on international human rights laws and standards
Websites and Apps
-Websites and apps should use encrypted HTTPS connections by default
-United Nations experts, including special procedures mandate holders, should investigate the use of tracking headers as a threat to user rights
-Governments in the Freedom Online Coalition should take steps to ensure that carriers in their countries do not inject tracking headers
-Technical standards bodies should ensure that existing and future standards do not enable tracking headers or similar technologies that may threaten user privacy
-To identify more carriers using tracking headers, larger data samples are needed from around the world
-Researchers should consider means of collecting data other than a standalone site, such as developing code for individual website owners to install, with appropriate privacy and anonymity protections built in
-Researchers should seek to uncover the form and structure of new tracking mechanisms that may replace tracking headers
Mobile broadband serves as a crucial means of accessing the internet for hundreds of millions of people around the globe. Sixty-four percent of adults in the U.S. owned smartphones in 2015. Many mobile phone users do not realize that when
they access the internet through their devices they are sharing copious amounts of information with carriers or third parties. As a result, this kind of connectivity raises important concerns about privacy. In October 2014, security researchers exposed a special code used by Verizon Wireless to track its users. Labeled by the media as “supercookies,” the code was special tracking headers that Verizon injected into every single HTTP web request that users made through their mobile devices. It was not immediately clear how Verizon was using the tracking headers, and the revelations raised important questions about their structure and deployment. Access is an international organization that defends and extends the digital rights of users
at risk around the world, and our work with telecoms began during the Arab Spring uprisings in 2011. What happened during that tumultuous period exposed the integral role that these corporations and their regulators play in connecting us to the internet, a tool that is now essential to the exercise of human rights in the 21st Century.
Governments struggle to maintain sufficient regulatory oversight in the face of rapidly adopted and fast-changing technology. But carriers must recognize that people are increasingly aware of and concerned about privacy and security issues. The legal, financial, and public relations fallout from invading privacy is growing, and movements to hold corporations accountable for infringing human rights are gaining steam around the world. It is in the best interest of carriers, both in the short and long term, to stop tracking and exploiting people’s information without their knowledge or consent, whether or not current
regulations ban the practice. There are more ethical ways to gather information, such as giving customers a true opt-in after informed consent. Using tracking headers also raises concerns related to data retention. When “honey pots” of sensitive information, such as data on browsing, location, and phone numbers, are collected and stored, they attract malicious hacking and government surveillance. This kind of collection and retention of user data is unsustainable and unwise, and creates unmanageable risks for businesses and customers alike.
Tracking headers are not cookies
Although tracking headers are popularly called “supercookies,” “zombie cookies,” or “perma-cookies,” these terms are inaccurate. Cookies are injected locally and can be manipulated by end users in a web browser. Tracking headers are in fact not cookies at all because they are injected at the network level, out of the reach of the user. A more accurate term would be Carrier-Injected HTTP Header. For the sake of simplicity, and to avoid creating yet another acronym, we will refer to “Carrier-Injected HTTP Headers” as simply “tracking headers” throughout this report.
How they work: users cannot block tracking headers because they are injected by carriers beyond their control
Headers are an essential part of internet communications. When you use the internet on a mobile device, you normally
transmit one or more unique identifiers — including IMEI, IMSI, and ICCID identities — that include information about who you are and where you are located. But tracking headers go beyond such normal data sharing. To explain how they function, we’ll use the example of a hypothetical character named Kavita:
Evidence of tracking headers dates back to 2000
Our research conducted online confirms the existence and use of tracking headers as early as 2000. Our research
shows that tracking headers were associated with Sprint in February of 2000, and discussions at the time indicate that they were also used by the carrier O2 in the United Kingdom. In 2006, there was discussion about x-up-subno, a particular type of tracking header that is used by Bell Canada. Four years later, in March 2010, the researcher Collin Mulliner discussed his research on tracking headers in a paper announced at the CanSecWest conference in Vancouver, Canada. However, as we mentioned earlier, tracking headers began drawing widespread popular attention only after an article published in Wired
in October 2014 revealed that Verizon Wireless had begun to use Unique Identifier Headers (UIDH).
After Verizon Wireless’s use of tracking headers was revealed in 2014, Access mobilized its members, urging them to sign a petition asking both the U.S. Federal Communications Commission (FCC) and Federal Trade Commission (FTC) to investigate how tracking headers are being used. In February of 2015, we delivered nearly 3,000 signatures to both agencies, along with a formal letter detailing our concerns (see Appendix 1). In addition, our technology team built a tool that lets people quickly test to see if their carriers are tracking them (see Amibeingtracked.com). At the same time, public officials began to express their concerns. In February, U.S. Senators Bill Nelson, Edward Markey, and Richard Blumenthal sent a joint letter asking the FTC and FCC to investigate the practices. In April 2015, the FCC confirmed that it has launched an investigation of Verizon’s use of tracking headers.
How Amibeingtracked.com works
The Am I Being Tracked website performs several simple tests to determine whether users are being tracked. The site first determines whether the device making the request is a mobile device operating on a 3G, 4G, or LTE carrier network. If the device is operating on a carrier network, the test extracts the user’s IP address from the normal HTTP header (not the injected header) and looks up the IP address in an IP geolocation database, matching the IP address with publicly available information about where the IP range is located. The system then looks for any unusual or custom headers in the HTTP request and, if found, it logs them. Finally, the site returns the results of the test to the user stating whether the user is being tracked or not. We never disclose the personally identifying information of people who take our test.
The Amibeingtracked.com tool not only allows users to test for known tracking headers, but also allows us to learn from the results, specifically enabling us to identify new headers and make the test more robust. This has allowed us to improve the test’s reporting accuracy over time. We have also improved accuracy by scrubbing inaccurate data, including tests run by malicious attackers (attackers typically have used Denial of Service attacks, attempted code injections, or automated scripts).
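As an added example (not code from Access or from the Amibeingtracked.com site), the following Python sketch implements the scan described above: it takes the originating IP from X-Forwarded-For for the geolocation step, flags known tracking headers, logs any header outside a standard allowlist as a candidate new header, and notes values that look like a phone number sent in clear text. The allowlist, the x-uidh/x-up-subno table, and the sample request are assumptions constructed for the example.

```python
"""Tracking-header detector modelled on the Amibeingtracked.com procedure (added example)."""
import re
from dataclasses import dataclass, field

# Request headers a browser or intermediate proxy legitimately sets. Anything not in this
# allowlist is treated as "unusual or custom" and logged for review, as the site does.
STANDARD_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding", "connection",
    "referer", "cookie", "cache-control", "pragma", "via", "dnt", "upgrade-insecure-requests",
    "x-forwarded-for", "x-forwarded-proto", "x-requested-with",
}

# Header names this example treats as known carrier-injected tracking headers. x-up-subno is
# named in the report; x-uidh is Verizon's UIDH header. The descriptions are assumptions.
KNOWN_TRACKING_HEADERS = {
    "x-uidh": "Verizon Unique Identifier Header (UIDH)",
    "x-up-subno": "subscriber number header used by Bell Canada",
}

# Crude check for an identifier that looks like a phone number sent in clear text.
PHONE_LIKE = re.compile(r"^\+?\d{10,15}$")


@dataclass
class ScanResult:
    client_ip: str                  # address to feed into the IP geolocation lookup
    over_https: bool                # carriers cannot inject into a TLS-protected request
    tracked: bool                   # a known tracking header was present
    tracking_headers: dict = field(default_factory=dict)
    unusual_headers: dict = field(default_factory=dict)   # candidates for new tracking headers
    clear_text_leaks: list = field(default_factory=list)  # headers carrying a phone-like value


def originating_ip(headers, peer_ip):
    """Return the client address: first X-Forwarded-For entry if a proxy set one, else the peer."""
    xff = headers.get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else peer_ip


def scan_request(raw_headers, peer_ip, scheme="http"):
    """Classify request headers; scheme is what the test page itself was served over."""
    headers = {k.lower(): v for k, v in raw_headers.items()}
    result = ScanResult(client_ip=originating_ip(headers, peer_ip),
                        over_https=(scheme == "https"), tracked=False)
    for name, value in headers.items():
        if name in KNOWN_TRACKING_HEADERS:
            result.tracking_headers[name] = value
        elif name not in STANDARD_HEADERS:
            result.unusual_headers[name] = value
        if PHONE_LIKE.match(value.strip()):
            result.clear_text_leaks.append(name)
    result.tracked = bool(result.tracking_headers)
    return result


# Constructed sample: a handset request arriving through a reverse proxy; every value is made up.
SAMPLE_HEADERS = {
    "Host": "amibeingtracked.com",
    "User-Agent": "Mozilla/5.0 (Linux; Android 5.0) Mobile Safari/537.36",
    "Accept": "text/html",
    "DNT": "1",                                   # "Do not track" does not stop injection
    "X-Forwarded-For": "198.51.100.23, 10.0.0.4",
    "X-UIDH": "constructed-uidh-token-0001",      # constructed, not a real UIDH value
    "X-Carrier-Example": "1234567890",            # constructed custom header leaking a number
}

if __name__ == "__main__":
    print(scan_request(SAMPLE_HEADERS, "10.0.0.4"))
```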
To encourage more people to take the test, we have shared links to Amibeingtracked.com in our newsletter, as well as in several email petitions. In addition, we have promoted the tool using our social media accounts. Media coverage and discussions in online fora such as Reddit.com have also generated attention and garnered further test results for analysis.
In the first six months, our Amibeingtracked.com tool returned nearly 180,000 results. This included 93,941 conclusive results and 80,156 inconclusive results. “Conclusive” means that our tool accurately identified the type of connection being used (3G, 4G, or LTE) and the carrier. “Inconclusive” means that our tool could not identify the carrier or the type of connection. We separate the two types of results below for accuracy and transparency. Users who took the test have different demographic profiles and came through multiple referral sites, meaning that this is not a random statistical sample.
Evidence of widespread deployment
Among the people who took our test, the most tracking occurred in the USA, Spain, and the Netherlands. It is interesting to compare the Netherlands to Canada, because while more people in Canada tested their phones at Amibeingtracked.com, more people had tracking headers in the Netherlands. (We also detected tracking in Mexico, Venezuela, and Morocco. However, in each of these countries we had only one conclusive case of tracking.)
Verizon had the largest number of users with tracking headers among the people who took our test, followed by AT&T. AT&T vowed to stop using tracking headers in November of 2014, and we found that the number of users being tracked by AT&T dwindled to near zero after 17 weeks of running our test. Viettel Peru, which recently began operating in Peru, is also tracking users. The carrier is a subsidiary of Viettel, a Vietnamese carrier wholly owned by the government of Vietnam and operated by the Vietnamese military. We do not have tests from Vietnamese users to determine whether Viettel uses tracking headers in Vietnam, but it is worth further investigation to understand why a military operator would wish to use tracking headers. Results from two Vodafone subsidiaries varied greatly. A high percentage of Vodafone NL users were tracked, while Vodafone Spain tracked very few users overall, despite a higher number of tests. This demonstrates the need for more testing and investigation on a country-by-country basis, and for greater oversight and governance by senior-level corporate directors over national-level entities. We also found conclusive results of tracking headers by people using Chinanet (China), Bharti Airtel (India), Cricket (USA), Iusacell (Mexico), Rogers (Canada), and Telcel (Venezuela). However, we had fewer than ten conclusive results of tracking for each of these carriers.
DIFFERENT TYPES OF HEADERS
They leak private information about users and make them vulnerable to criminal attacks or government surveillance
The various tracking headers raise several interrelated issues. First, encrypted headers make it impossible to know what types of data are being collected or how the data are being used. Conversely, headers sent in clear text raise privacy concerns. Such headers compromise user security and make users vulnerable to exploitation by criminals, who can take advantage of an individual user based on the header (although we found no evidence of this occurring to date). Governments could, in theory, surveil users by following individual headers or by requesting data from carriers that use the headers to assemble profiles.
ENCRYPTED CONNECTIONS THWART TRACKING HEADERS
Websites with Secure Socket Layer (SSL) and Transport Layer Security (TLS) encryption prevent carriers from being able to insert tracking headers into users’ web browsing. Such sites are identifiable because the web address contains “HTTPS” instead of “HTTP.” HTTPS stops carriers from identifying the exact resource requested by the user from a website. Although the carrier can view the base domain, such as Amibeingtracked.com, the carrier cannot identify the path to a particular page or resource on the site. Encrypted connections therefore improve privacy.
Unfortunately, the ability of HTTPS to block tracking headers may discourage websites from offering HTTPS connections. Carriers make money by selling user profiles, and websites make money from ad sales targeted at users. It may be worth further investigation to see whether apps or services on a carrier tend to favor one type of connection over another. There are competing incentives for websites that could drive them to make different choices. Suffice it to say, a secure HTTPS website could not use a carrier’s profiling service if it relies upon tracking headers.
TROUBLING QUESTIONS ABOUT PRIVACY AND NEW TECHNOLOGY
Since various groups began applying public pressure to carriers utilizing tracking headers, two have changed their practices: AT&T and Verizon. AT&T pledged to end its use of tracking headers in November 2014, and our tests suggest that the tracking has indeed stopped. Verizon Wireless allowed a user to opt out of its Relevant Advertising prior to press coverage in October 2014, and opting out meant that Verizon would stop populating profiles about the user’s web browsing. But opting out did not seem to stop Verizon Wireless from injecting the tracking headers — they just weren’t used by Verizon for advertising.
Third parties could still track the headers and use them for their own purposes. Indeed, the advertiser Turn appears to have accomplished this very feat, using Verizon’s tracking header to create local cookies stored in users’ web browsers. In March of 2015, Verizon Wireless promised to allow a true opt-out for users so that Verizon would stop injecting tracking headers entirely. In response to media coverage, Turn stated that it would suspend the use of Verizon’s specific tracking headers to sell advertisements, pending further review.
Both Turn and Verizon Wireless are embroiled in litigation related to tracking headers at the time of this writing.
Thus far, carriers have in general not been transparent or demonstrated accountability with regard to their use of tracking headers. In addition, government investigation of the practice has been inadequate to date. The public policy implications of this practice demand greater attention.
The tracking activity revealed in this report takes place within a context of massively increased government surveillance capabilities that span the globe. International human rights experts have extolled anonymity as an important facilitator of the rights to freedom of expression and privacy online, yet users who wish to express themselves and receive and impart information without revealing their identity can face extreme difficulty.
Intelligence agencies, malicious users, and other actors can exploit this power imbalance to unlawfully collect personal data, build profiles, and monitor marginalized communities. Far from hypothetical, recent reports about a secret British and Canadian
surveillance program show that it “mines as much valuable information from leaky smartphone apps as possible,” including unique tracking identifiers.
TRACKING HEADERS MAY BE JUST THE BEGINNING
The promised changes by AT&T and Verizon Wireless around the use of tracking headers are positive steps, but this does not mean that all tracking will stop. Carriers may simply have more effective tracking mechanisms waiting in the wings. AT&T has already demonstrated that it intends to use advertising programs in its roll-out of new broadband fiber in the U.S. The company charges a premium for people who do not wish to be tracked. When Verizon announced its purchase of AOL in May of 2015, tech journalists trumpeted AOL’s ability to deliver new forms of mobile advertising to Verizon customers. These advertising mechanisms may utilize new tracking technologies instead of tracking headers.
Tracking headers are a global phenomenon — we have determined that they are being used in numerous countries in various formats among a variety of carriers. But not all carriers track their users, and those that respect user privacy deserve our
support. Telecommunications companies occupy a central role in providing access to the internet, enhancing the communications capabilities of billions of people.
By delivering open access, networks, and services, telcos can serve not just as internet service providers, but also as “freedom providers.” Our Telco Action Plan offers proactive steps for any carrier to better respect human rights in policy and practice, and provides guidelines for safeguarding users’ right to privacy.
Injecting tracking headers out of the control of users, without their informed consent, may abuse the privileged position that telcos occupy. End User License Agreements are typically complex and most people do not read them when purchasing a mobile internet plan. The use of tracking headers dates back to at least 2000, which means that it took 15 years for U.S. regulatory agencies to investigate how they are being used. And it is entirely possible that new, undiscovered tracking mechanisms are already being deployed.
In many ways, our research raises more questions about the use of tracking headers than it answers. We believe that further research is necessary to uncover what is happening so that we can develop policy and practices to address the privacy issues
that are implicated by this form of tracking.
We offer the following recommendations to address the use of tracking headers and take action to respect user privacy. Although we present specific responses, any regulatory action should address the problem as we know it today while also considering the privacy-invading technologies of the future.