Several weeks ago, researchers made the disturbing discovery that smartphone carriers AT&T and Verizon have been using hidden codes to track users’ network activity. AT&T has since put this practice on hold, but Verizon does not apparently plan to follow suit.
Use of tracking technology is not itself a new phenomenon. Location tracking, which allows law enforcement agencies to collect information about individuals, has been around for a while. Similarly, Facebook, Google, and other large web companies that compile and sell user data to advertisers have long since adopted the practice of monitoring online activity. Verizon reportedly undertook the tracking program at issue in 2012, but it was not until late last month that this type of tracking activity by carriers received widespread attention.
As a means of collecting user data to offer to advertisers, AT&T and Verizon insert unique tracking codes into users’ Internet activity. The codes, which can be thought of as “supercookies,” operate as temporary IDs which are sent to every unencrypted website that a user visits from his or her mobile device. In this fashion, AT&T and Verizon can monitor each person’s app usage and site visits, which allows advertisers to better tailor ads to individuals. The practice essentially creates a permanent and highly personalized profile for each user.
In the last week, AT&T reported that it has ceased use of the tracking codes, having completed what was only a “test” program. Verizon, though, intends to continue its program, while offering users the choice of opting out. However, opting out only prevents Verizon from sharing a user’s information with advertisers—it does not remove the tracking code.
Privacy advocates reacted strongly to the tracking activity, pointing out that the code’s insidious characteristics raise serious security concerns. The tracking code essentially functions as a “public beacon”: it is accessible by the carrier as well as websites visited by the user, third parties on the site, and anyone else who can intercept the code. The code is difficult to detect and cannot be turned off or deleted. It also bypasses privacy features such as Google Chrome’s Incognito Mode or Firefox’s Do Not Track, as well as user actions such as clearing cookies. Even more troublingly, the programs are imposed on users without their explicit consent.
Privacy advocates also point out that such programs potentially violate the Communications Act, which requires carriers to protect confidential customer information. Notably, Verizon has already gotten in trouble with the Federal Communications Commission for conducting marketing campaigns without providing users a means of opting out.
If Verizon elects to modify its program down the road to give more control to users, it may help to set the privacy standard for smartphone carriers in the face of further developments in tracking technology. Unfortunately, in the absence of legal action, we may be more likely to see the persistence and widespread adoption of controversial tracking practices. For one thing, AT&T has not completely abandoned the use of tracking codes: the test program may very well return in a more permanent form in the future.