This week, researchers discovered that smartphone carriers have started inserting a unique code into their customers' network activity so that their customers can be tracked as they browse the Web and use smartphone apps; Verizon uses a customer's unique tag to deliver personalized ads to users, and
"Putting public beacons on every user for every website that makes them trackable is a terrible idea," said Kenn White, a security consultant who built a website so people could find out whether they're being tracked this way. It's gotten over a million visits in the last 4 days. "For a lot of people, their smartphone carrier is their data provider. This is their ISP. I’m amazed we’re not seeing more of a response from the enterprise world. This is happening to their accounts."
I spoke with Verizon's senior privacy officer, Kathy Zanowic, and to AT&T spokesperson Mark Siegel about the two carriers' tracking treatment. Unsurprisingly, they don't think this is a big deal, and don't think it violates their paying customers' privacy. Here's Verizon vs. AT&T:
How long have they been tagging their users this way?
Verizon: Two years. Given how long Verizon has been doing it, Kasowic said she was "surprised" by the attention this week.
AT&T: "A little while." AT&T is just "testing it" at this point.
Why are they tagging customers this way?
Verizon: To deliver ads, to authenticate users and allow them to avoid filling out forms, and for fraud prevention.
AT&T: To deliver ads.
Is there any privacy protection built in?
Verizon: The code is "dynamic" and will change on a "regular basis" -- at least once per week.
AT&T: The code is dynamic and will change daily.
Objection from security consultant Kenn White who has been analyzing the codes: White has been tracked for the past 6 days across 550 miles with a persistent code from both Verizon and AT&T. He has a smartphone with Verizon service and a hotspot with AT&T service. In AT&T's case, the code has four parts; only one part changes, he says. "It's like if you were identified by a birth month, a birth year, a birth day, and a zip code, and they remove one of those things," said White. You'd still be able to reasonably track that person with the other three. Verizon's code meanwhile hasn't changed for him, and it's been almost a week.
Can their customers get rid of the unique code?
Verizon: You can't remove it.
AT&T: You can't remove it during the 'test' period, but customers will be able to opt out and have it removed when AT&T rolls out its "Relevant Ad Program."
(Siegel had previously sent me an opt-out website AT&T customers could use but security researchers quickly learned it didn't work. I'm sure researchers will be testing again when the opt-out is real.)
“If you opt out, we won’t send you ads and won’t add the code”—ATT Opted out, rebooted device, new IP, same 6 day UID pic.twitter.com/X4rZAxqaMZ
— Kenn White (@kennwhite) October 29, 2014
Can they opt out of anything?
Verizon: Customers can't opt out of the header code being sent "because it’s used for multiple purposes," says Kasowic. But they can opt out of it being used to show them relevant ads. "When it’s used for the advertising program, there’s a place where information is tied to the UIDH (Unique Identifier Header) -- such as 'Females in Alexandria, VA. between the ages of 25 and 50," said Kasowic. "It's just segments that other people wouldn’t understand. There's no personal identification. If you opt out, there’s no information stored there." But the tracking code remains.
AT&T: Siegel says customers will be able to opt out of ad delivery and tracking.
Is it happening to you now?
