
TECHNOLOGY LAW CORNER

No One Has Privacy Now, Thanks to Super Cookies

Does anyone really think that we have any privacy? Probably not. Between GPS tracking and our favorite app, most of us gave up on privacy long ago.

Some privacy advocates claim that cell carriers have not been transparent about what personal data they have been gathering and using, although we now know that in order to use a cellular device, we must agree to Terms of Service and privacy policies that permit the cell carriers to obtain a great deal of information about us.

EFF: Verizon Has Gone Over the Edge

Verizon is “silently modifying its users’ Web traffic on its network to inject a cookie-like tracker … sent to every unencrypted website a Verizon customer visits from a mobile device,” according to Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation.

Further, Verizon’s tracker is “included in an HTTP header called ‘X-UIDH,’” he noted.

Following, according to Hoffman-Andrews, is an explanation of how the supercookies work:

Like a cookie, this header uniquely identifies users to the websites they visit. Verizon adds the header at the network level, between the user’s device and the servers with which the user interacts.

Unlike a cookie, the header is tied to a data plan, so anyone who browses the Web through a hotspot, or shares a computer that uses cellular data, gets the same X-UIDH header as everyone else using that hotspot or computer.

That means advertisers may build a profile that reveals private browsing activity to coworkers, friends or family through targeted advertising.

Hoffman-Andrews also claims that Verizon does not comply with its own ToS and Privacy Policy:

Verizon does provide a sort of limited opt-out for individual customers, but it appears that the opt-out does not actually disable the header. Instead, it merely tells Verizon not to share detailed demographic information with advertisers who present a UIDH value. Meaningful protection from tracking by third parties would require Verizon to omit the header entirely.

Verizon claims it has captured and used cell data consistently since 2012, so privacy issues brought to light by the EFF are not new. Although the EFF has complained to the Federal Trade Commission and threatened to file suit, nothing has happened to date.
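The header insertion described above can be checked from the subscriber's side by comparing the request a device sent with the request that arrived at a plain-HTTP server the subscriber controls. The following is an added example, not code from the article or from the EFF; the host name, the sample identifier value and all function names are assumptions, and the requests are constructed samples rather than captured traffic.

```python
from collections import defaultdict

TRACKING_HEADER = "x-uidh"  # header name given in the article

def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x request into {lowercase name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def injected_headers(sent: bytes, received: bytes) -> dict:
    """Headers the server saw that the client never sent, or whose value changed in transit."""
    s, r = parse_headers(sent), parse_headers(received)
    return {k: v for k, v in r.items() if s.get(k) != v}

def shared_ids(received_requests) -> dict:
    """Tracking-header values that arrived with more than one distinct User-Agent."""
    by_id = defaultdict(set)
    for raw in received_requests:
        h = parse_headers(raw)
        if TRACKING_HEADER in h:
            by_id[h[TRACKING_HEADER]].add(h.get("user-agent", ""))
    return {uid: agents for uid, agents in by_id.items() if len(agents) > 1}

def request(agent: str, extra: str = "") -> bytes:
    """Build a constructed sample request; echo.example.test is a hypothetical host."""
    return (f"GET / HTTP/1.1\r\nHost: echo.example.test\r\n"
            f"User-Agent: {agent}\r\n{extra}\r\n").encode()

SAMPLE_ID = "CONSTRUCTED-SAMPLE-ID"  # placeholder, not a real identifier value
PHONE_SENT = request("phone-browser")
PHONE_RECEIVED = request("phone-browser", f"X-UIDH: {SAMPLE_ID}\r\n")
LAPTOP_RECEIVED = request("laptop-browser", f"X-UIDH: {SAMPLE_ID}\r\n")

if __name__ == "__main__":
    print(injected_headers(PHONE_SENT, PHONE_RECEIVED))
    print(shared_ids([PHONE_RECEIVED, LAPTOP_RECEIVED]))
```

The second check mirrors the hotspot case in the quoted explanation: two different browsers behind one data plan arrive carrying the same identifier. The comparison only applies to unencrypted HTTP, which is where the article says the tracker is sent.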

What about AT&T?

AT&T also is testing super cookies, noted Kashmir Hill, a senior editor at Forbes, although company spokesperson Mark Siegel said it had “nothing ready to announce.”

While there may have been nothing ready to announce, that does not mean AT&T is not using super cookies.

Kenneth White, one of the researchers who discovered the tracking, claimed to have found three identifying codes being sent by AT&T, according to Hill, contradicting the company’s claim that it was not using super cookies.

Hill quoted an AT&T statement:

AT&T does not currently have a mobile Relevant Advertising program. We are considering such a program, and any program we would offer would maintain our fundamental commitment to customer privacy … . For instance, we are testing a numeric code that changes every 24 hours on mobile devices to use in programs where we serve ads to the mobile device. This daily rotation on the numeric code would help protect the privacy of our customers. Customers also could opt out of any future AT&T program that might use this numeric code.

It is difficult to understand exactly how AT&T’s comments address White’s claims, and perhaps AT&T’s use of the term “relevant advertising” suggests something different from what the EFF has alleged Verizon is doing with super cookies.

2011 Report on Carrier IQ Tracking

There was no consequence, fine or penalty following the revelation late in 2011 that Carrier IQ collected massive amounts of data from millions of cell users.

Carrier IQ “correlates and aggregates the data for near real-time system monitoring and business intelligence” for phone carriers and manufacturers ostensibly to improve quality, wrote David Kravets in a report in Wired.

“Our software makes your phone better by delivering intelligence on the performance of mobile devices and networks to help the operators provide optimal service efficiency,” Carrier IQ claimed in a December 2011 statement.

However, according to the Wired report, Carrier IQ collected the following information from users:

  • when they turned their phones on;
  • when they turned their phones off;
  • the phone numbers they dialed;
  • the contents of text messages they received;
  • the URLs of the websites they visited;
  • the contents of their online search queries — even when those searches were encrypted; and
  • the location of the customer using the smartphone — even when expressly denied permission for an app that was currently running to access the customer’s location.

Although members of Congress requested that the FTC investigate, that did not happen. Why? Probably because cell users allowed that information to be collected.

Does the NSA Really Track 5 Billion Cellphones?

In the aftermath of Edward Snowden’s revelations about NSA surveillance, Barton Gellman and Ashkan Soltani of The Washington Post in late 2013 reported the following:

The National Security Agency is gathering nearly 5 billion records a day on the whereabouts of cellphones around the world, according to top-secret documents and interviews with U.S. intelligence officials, enabling the agency to track the movements of individuals — and map their relationships — in ways that would have been previously unimaginable.

Americans’ locations are not particularly targeted, but they are incidentally included, given the wide coverage, the report goes on to say.

In Conclusion

Between the NSA, Carrier IQ and super cookies, it seems apparent that our private information is being catalogued and used by government and private industry, both with and without our knowledge.

This trend appears to be growing, even as those interested in privacy and transparency speak out. Only time will tell which direction this will go.

Peter S. Vogel

E-Commerce Times columnist Peter S. Vogel is a partner at Gardere Wynne Sewell, where he is Chair of the Internet, eCommerce & Technology Team. Peter tries lawsuits and negotiates contracts dealing with IT and the Internet. Before practicing law, he was a mainframe programmer and received a Masters in computer science. His blog covers IT and Internet topics. You can connect with him on Google+.
