Does your mobile carrier track you online?

At least nine mobile carriers around the world are using “supercookies” to track users’ web browsing, a study by human rights organization Access has shown.

Supercookies are special tracking headers that carriers inject into the HTTP requests users make over the carrier's network. They allow the carriers to compile data profiles about users that can be used to sell advertising.

Even worse, certain tracking headers can leak private information about users – often in clear text – and this fact can be misused by criminals.

“Although we do not have evidence that government surveillance has taken place, the rich data profiles about users that tracking headers create make them prime targets for government legal requests or surveillance,” the organization noted.

By setting up a website that tests for the carriers’ use of these headers, Access researchers discovered that the following mobile carriers are or were using them: AT&T, Bell Canada, Bharti Airtel, Cricket, Telefonica de España, Verizon, Viettel Peru S.a.c., Vodafone NL, and Vodafone Spain.

It was already known that AT&T and Vodafone used supercookies. After a general public outcry against the practice, AT&T stopped using them, and Verizon offered customers the option of opting out of them.

Tracking headers can’t be blocked by “Do Not Track” tools and can’t be deleted by users (they are not actual “cookies”), but don’t work on websites that use SSL or TLS to encrypt connections.
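A check of the kind such a test site can perform, as an added example that is not code from Access or from this article: a test client sends a known set of headers over plain HTTP, and the server compares them with what actually arrived. The header names in `KNOWN_TRACKING` are publicly reported carrier headers and are not taken from this page; the host names and sample requests are constructed.

```python
# Added example: compare the headers a test client sent with what the server received.
# KNOWN_TRACKING lists publicly reported carrier header names (an assumption,
# not from the article, and not exhaustive).
KNOWN_TRACKING = {"x-uidh", "x-acr", "x-msisdn", "x-up-subno"}


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x request into {lowercase name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:           # skip the request line
        if ":" not in line:
            continue                               # ignore malformed lines
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_injected(sent: bytes, received: bytes) -> dict:
    """Report headers that were added or altered between client and server."""
    before, after = parse_headers(sent), parse_headers(received)
    added = [n for n in after if n not in before]
    return {
        "tracking": sorted(n for n in added if n in KNOWN_TRACKING),
        "other_added": sorted(n for n in added if n not in KNOWN_TRACKING),
        "modified": sorted(n for n in before if n in after and before[n] != after[n]),
    }


# Constructed sample: what the test client sent over plain HTTP...
SENT = (b"GET /check HTTP/1.1\r\nHost: test.example\r\n"
        b"User-Agent: header-check/1.0\r\nAccept: */*\r\n\r\n")
# ...and what reached the server after crossing the carrier network.
RECEIVED = (b"GET /check HTTP/1.1\r\nHost: test.example\r\n"
            b"User-Agent: header-check/1.0\r\nAccept: */*\r\n"
            b"Via: 1.1 proxy.example\r\n"
            b"X-UIDH: CONSTRUCTED-OPAQUE-ID-0001\r\n\r\n")

if __name__ == "__main__":
    print(find_injected(SENT, RECEIVED))
```

Run against the same request fetched over HTTPS, the comparison comes back empty, because the carrier cannot modify headers inside the encrypted connection.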

“The use of tracking headers dates back to at least 2000, which means that it took 15 years for US regulatory agencies to investigate how they are being used. And it is entirely possible that new, undiscovered tracking mechanisms are already being deployed,” the researchers noted.

“Injecting tracking headers out of the control of users, without their informed consent, may abuse the privileged position that telcos occupy. End User License Agreements are typically complex and most people do not read them when purchasing a mobile internet plan,” they pointed out, and recommended that carriers be transparent with their users about the practice of using tracking headers, make the option explicitly opt-in, and offer easy-to-use opt-out mechanisms.

Website admins and app developers should use encrypted HTTPS connections by default, they added, and government authorities should investigate the use of tracking headers by carriers in their country.

Check out Access’ report for more information about the tracking headers used by the different carriers and about the data they collect.