AT&T ends controversial use of perma-cookies to track users


Last week's column was about Verizon's PrecisionID, the X-UIDH header, better known as the perma-cookie. At deadline, researchers were unsure whether other mobile carriers were using perma-cookies. A few days later it became official: AT&T was inserting its own version of a unique identifier header (X-ACR) into subscribers' HTTP requests, as part of the AT&T AdWorks Relevant Advertising program.

Apparently, AT&T was just testing. Kashmir Hill, a Forbes contributor, quotes an AT&T statement in this post: "AT&T does not currently have a mobile Relevant Advertising program. We are considering such a program, and any program we would offer would maintain our fundamental commitment to customer privacy."

The statement continues, "For instance, we are testing a numeric code that changes every 24 hours on mobile devices to use in programs where we serve ads to the mobile device. This daily rotation on the numeric code would help protect the privacy of our customers. Customers also could opt out of any future AT&T program that might use this numeric code."

Verizon has an opt-out, but privacy advocates say it is not what it seems. AT&T, to its credit, offers a full opt-out.

AT&T stopped their testing

That was the story. Today, ProPublica's Julia Angwin writes in this post that AT&T has shut down the numeric-code (perma-cookie) test program. In the post, Emily J. Edmonds, an AT&T spokeswoman, is quoted as saying, "It has been phased off our network."

Rather not take anyone's word for it? It is possible to independently verify whether a mobile carrier is injecting a persistent UID header (perma-cookie) into your HTTP requests. The header is added by the carrier's network proxy, so it only appears in unencrypted HTTP traffic; an HTTPS request cannot be modified in transit, which is why the test site must be reached over plain HTTP. Using the mobile device in question, visit lessonslearned.org, created by Kenn White, a well-regarded security researcher who co-founded the TrueCrypt audit project with Matthew Green, then follow White's instructions:

● Please ensure that you're connecting via LTE/4G/3G, and not over Wi-Fi. (If re-checking, refresh the page, or wait a few minutes to test again).

● If there is a label X-ACR or X-UIDH in the Broadcast UID field at the top of this page, your carrier is sending tracking beacons to every website you visit and every app you use that communicates via HTTP.

● If there are other values in the UID field, it is possible unique identifiers are present (I'm currently searching for over a dozen wireless carriers' signatures).

● Note: Viewing this page with Google Mobile Chrome, Opera Mini, or inside of apps like Flipboard can mask tracking beacons (meaning they wouldn't be detected, even though they are present).

"I think we've struck a nerve here," mentions White in a recent update to the site. "Nearly 1.4 million sniff tests on the site so far, and over 40,000 AT&T and Verizon UIDs were detected in the past two weeks."
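If you would rather not trust a third-party test page either, the same check is easy to self-host: the header is visible to any server that receives the phone's request over plain HTTP. The following is an added example written for this column, not code from lessonslearned.org or from AT&T or Verizon. It splits incoming request headers into the two tracking header names the article mentions (X-UIDH and X-ACR, matched case-insensitively because proxies rewrite header case) and any other header a normal browser would not send, then serves the result back to the phone as JSON. The host name, port, the sample request and the X-ACR value in it are all constructed for the example.

```python
"""Self-hosted check for carrier-injected tracking headers.

Added example, not code from the article or from lessonslearned.org.
Run it on an internet-reachable host over plain HTTP, then open
http://<host>:<port>/ from the phone on its cellular connection (not Wi-Fi).
An HTTPS request would never show the header: the carrier proxy cannot
modify an encrypted request, which is why the check must use plain HTTP.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names the article identifies: Verizon's X-UIDH and AT&T's X-ACR.
KNOWN_TRACKING_HEADERS = {"x-uidh", "x-acr"}

# Headers an ordinary mobile browser (or a benign proxy) normally sends.
# Anything outside this set is reported for manual inspection, which mirrors
# White's "other values in the UID field" step.
STANDARD_BROWSER_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "connection", "cookie", "referer", "upgrade-insecure-requests", "dnt",
    "cache-control", "pragma", "origin", "content-length", "content-type",
    "via", "x-forwarded-for", "x-requested-with", "save-data", "te",
}


def classify_headers(headers):
    """Return (known tracking ids, other unexpected headers) as two dicts.

    `headers` is an iterable of (name, value) pairs as received by the server.
    Names are lower-cased so that "x-acr", "X-ACR" and "X-Acr" all match.
    """
    tracking, unexpected = {}, {}
    for name, value in headers:
        key = name.strip().lower()
        if key in KNOWN_TRACKING_HEADERS:
            tracking[key] = value.strip()
        elif key not in STANDARD_BROWSER_HEADERS:
            unexpected[key] = value.strip()
    return tracking, unexpected


def parse_raw_request(raw):
    """Parse the head of a raw HTTP/1.1 request into (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # element 0 is the request line
        if line:
            name, _, value = line.partition(":")
            pairs.append((name, value))
    return pairs


class SniffHandler(BaseHTTPRequestHandler):
    """Echo the verdict back, so the phone's browser displays what we saw."""

    def do_GET(self):
        tracking, unexpected = classify_headers(self.headers.items())
        body = json.dumps({
            "carrier_tracking_ids": tracking,
            "other_unexpected_headers": unexpected,
            "verdict": "TRACKING HEADER PRESENT" if tracking else "none detected",
        }, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        # Stop the carrier proxy from answering a re-test from cache.
        self.send_header("Cache-Control", "no-store")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample request in the shape a carrier-proxied request takes.
# The X-ACR value is made up and carries no real identifier.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android) Mobile\r\n"
    "Accept: text/html\r\n"
    "x-acr: ZXhhbXBsZS1pZC1ub3QtcmVhbA==\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "X-Custom-Thing: abc\r\n"
    "\r\n"
)

if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    HTTPServer(("0.0.0.0", port), SniffHandler).serve_forever()
```

Because the identifier is injected per subscriber, a negative result on one phone says nothing about another carrier or plan, and a result obtained through Chrome's data-saver proxy, Opera Mini or an in-app browser may be masked for the reasons White lists above.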

Why this is an issue

When developing their advertising programs, both AT&T and Verizon made assurances about user privacy. However, the use of perma-cookies goes beyond AT&T and Verizon: once the header is on every request, any third party that receives those requests can read it. What happens when third-party vendors decide to use perma-cookies to track and profile individuals? Do they feel the same way about privacy?

That question is now relevant. According to this ProPublica post, "MoPub, acquired by Twitter in 2013, bills itself as the 'world's largest mobile ad exchange.' It uses Verizon's tag (perma-cookie) to track and target cellphone users for ads, according to instructions for software developers posted on its website."

Some questions

After researching this subject for nearly two weeks, I've been unable to answer several questions that seem important. I'm hoping someone knows the answers to the following:

● If the programs were/are above board, why weren't the people informed?

● Individuals who are not Verizon or AT&T customers also received a perma-cookie just by attaching to a cell tower controlled by either carrier. How were they informed?

● Now that AT&T has stopped testing their unique-identifier system does that mean the perma-cookie is no longer permanent?

● Users are willing to part with certain personally identifying information as payment for free services. However, mobile telco service is not free, and it is governed by a legal contract. Have users (knowingly or not) given providers, via that contract, permission to use their identifying information?