Study: 15% Of Wireless Users Now Tracked By Stealth Headers, Or 'Zombie Cookies'
from the utterly-unaccountable dept
Earlier this year AT&T and Verizon were caught modifying wireless user traffic to inject unique identifier headers (UIDH). This allowed the carriers to ignore a user's privacy preferences on the browser level and track all online behavior. In Verizon's case, the practice wasn't discovered for two years after implementation, and the carrier integrated a working opt-out mechanism only after another six months of public criticism. Verizon and AT&T of course denied that these headers could be abused by third parties. Shortly thereafter it was illustrated that it was relatively easy for these headers to be abused by third parties.
While the fracas over these "stealth" or "zombie" cookies has quieted down since, a new study suggests use of such stealth tracking is increasing around the world as carriers push to nab their share of the advertising pie. Consumer advocacy group Access has been running a website called AmiBeingTracked.com, which analyzes user traffic to determine whether or not carriers are fiddling with their packets to track online behavior. According to a new study from the group (pdf) examining around 200,000 such tests, about 15% of site visitors were being tracked by the carriers in this fashion all over the globe:
"Using tracking headers also raises concerns related to data retention. When “honey pots” of sensitive information, such as data on browsing, location, and phone numbers, are collected and stored, they attract malicious hacking and government surveillance. This kind of collection and retention of user data is unsustainable and unwise, and creates unmanageable risks for businesses and customers alike."
The W3C Consortium recently agreed, noting that stealth carrier tracking header injection is basically a privacy nightmare in the making that undermines user trust in the entire Internet:
"The aggregate effect of unsanctioned tracking is to undermine user trust in the Web itself. Moreover, if browsers cannot isolate activity between sites and offer users control over their data, they are unable to act as trusted agents for the user. Notably, unsanctioned tracking can be harmful even if non-identifying data is shared, because it provides the linkage among disparate information streams across contextual boundaries. For example the sharing of an opaque fingerprint among a set of unrelated online purchases can provide enough information to enable advertisers to determine that user of that browser is pregnant — and hence to target her with pregnancy-specific advertisements even before she has disclosed her pregnancy."
This is what has been happening while the marketing, tech and telecom industries bickered, prattled and grandstanded over do not track protections -- that this technology makes irrelevant anyway. And while companies like Verizon have repeatedly claimed that no privacy or transparency guidelines are necessary because "public shame" will keep them honest, keep in mind that it took security researchers two years before they even realized that the telco was doing this. It took another six months of pressure for Verizon to heed calls for basic opt-out mechanisms most Verizon users don't know exist. It makes you wonder: just how long will it take the press and public to realize future iterations of stealth tracking technology are being used?
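For readers who want to see what a test of this kind looks at, here is an added example (not code from Access, AmiBeingTracked.com or this article): it compares the headers a server receives from the same browser over plain HTTP and over HTTPS, where an intermediary cannot add anything. The function names, the sample requests and the short watch list of publicly reported carrier header names are assumptions made for illustration.

```python
# Added example: spot headers inserted in transit by comparing what the
# server received over plain HTTP with what it received over HTTPS.

# Assumption: an illustrative watch list, not taken from the study.
KNOWN_TRACKING_HEADERS = {"x-uidh", "x-acr", "x-msisdn", "x-up-subno"}

def parse_headers(raw: bytes) -> dict:
    """Return {lower-cased name: value} from a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:                              # ignore malformed lines
            headers[name.strip().lower()] = value.strip()
    return headers

def injected_headers(http_raw: bytes, https_raw: bytes) -> dict:
    """Classify headers seen on the plaintext request only.

    'known'       -> name matches the watch list
    'unexplained' -> present over HTTP but absent over HTTPS, so it was
                     added somewhere between the browser and the server
    """
    plain = parse_headers(http_raw)
    tls = parse_headers(https_raw)
    report = {"known": {}, "unexplained": {}}
    for name, value in plain.items():
        if name in KNOWN_TRACKING_HEADERS:
            report["known"][name] = value
        elif name not in tls:
            report["unexplained"][name] = value
    return report

# Constructed sample requests (not captured traffic).
HTTP_SAMPLE = (b"GET /check HTTP/1.1\r\nHost: test.example\r\n"
               b"User-Agent: ExampleBrowser/1.0\r\nAccept: */*\r\n"
               b"X-UIDH: CONSTRUCTED-VALUE-0001\r\n"
               b"Via: 1.1 proxy.example\r\n\r\n")
HTTPS_SAMPLE = (b"GET /check HTTP/1.1\r\nHost: test.example\r\n"
                b"User-Agent: ExampleBrowser/1.0\r\nAccept: */*\r\n\r\n")

if __name__ == "__main__":
    print(injected_headers(HTTP_SAMPLE, HTTPS_SAMPLE))
```

An "unexplained" header is not proof of tracking (ordinary proxies add headers such as Via), but a stable, per-subscriber value that shows up only on the cellular plaintext path is the pattern to look for.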
Filed Under: privacy, trackers, uidh, wireless, zombie cookies
Reader Comments
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
It would explain the Free Install.
Most exploits are also Free Install.
They're just not advertised as such.
On a Win 10 machine, all internal communications between your computer and the Mother Ship take place in the background, completely beyond the user's control and awareness.
This strikes me as being the perfect OS for third party exploits which would then use the built in secret background communications ability to run their data mining processes without leaving a trace behind by utilizing the same "trace" remover process MS uses to "clean up" its own proprietary data mining traces.
---
[ link to this | view in chronology ]
Windows 10
With Windows 10, Microsoft have a tunnel directly into your computer wherever you are, wherever you go!
[ link to this | view in chronology ]
Not if you're using HTTPS
The fact that intermediaries can inject anything into your traffic is a huge security hole. Within the last few daze there is news of AT&T injecting ads into HTTP traffic, and actually modifying the HTML markup. This demonstrates an ability to also insert any arbitrary JavaScript executable code. Or Flash objects if your browser might be so equipped. (Or ActiveX, or Silverblight, or Java) They could inject Javascript code that probes for vulnerabilities of your browser so that your next HTTP connection can then have a more targeted payload injected.
The really nice thing about this technique is that AT&T wouldn't even have to make your browser make strange unexpected connections to the mothership that your network monitoring apparatus (if any) might detect. They can inject 'outbound' traffic right into your next HTTP request to anywhere. Then remove it in transit so that your target site like TechDirt doesn't see any extra content or HTTP Headers. But AT&T's injection systems would see them as it removes them. Nice neat invisible two-way communication with code running in your browser, and no unexpected connections.
This potential has always existed with HTTP. It's just that now network equipment has become powerful enough to do this kind of despicable evil, which is even worse than advertising itself, on a massive scale.
[ link to this | view in chronology ]
Re: Not if you're using HTTPS
[ link to this | view in chronology ]
Re: Re: Not if you're using HTTPS
[ link to this | view in chronology ]
Re: Re: Re: Not if you're using HTTPS
[ link to this | view in chronology ]
NoScript
NoScript helps a lot. But it is only an add-on. But a highly recommended one! Protecting the data in transit is important too, with https, VPN, Tor and so on. Untrustworthy VPN is worse than no VPN though!
[ link to this | view in chronology ]
With regulatory capture well established, government oversight apparently is hobbled to the point where they are ineffectual. This does not however mean said regulations should be abolished, it means they need to be enforced.
[ link to this | view in chronology ]
Re: market is self regulating
The telecom industry is heavily regulated. Thanks to regulatory capture (as you note), the regulations serve to keep out competitors.
Once firms don't have to worry about competition, they are free to abuse their customers.
The solution is to open the market to free competition. Once you do that, the market *will* punish bad actors.
But not until.
[ link to this | view in chronology ]
Re: Re: market is self regulating
[ link to this | view in chronology ]
Re: Re: Re: market is self regulating
Any provider that offered true privacy would be able to build its business so damn fast it would be almost scary.
There is no such thing as a free market in America at the moment, we are far too regulated for that now.
You can't even open a lemonade stand in your front yard without risk of the police coming by and shutting it down.
[ link to this | view in chronology ]
Re: Re: Re: Re: market is self regulating
You really think that in today's world you would be allowed to start a company that provides customer service devoid of all surveillance?
Gulla-Bull
[ link to this | view in chronology ]
Re: Re: Re: Re: market is self regulating
The problem is not over-regulation, it's regulatory capture.
[ link to this | view in chronology ]
Beware! Don't believe that for a second!
Giving bullies free reign, give bullies the reign.
This will never change.
When affordable, efficient and low-polluting transportation was eradicated, the bad actors' profits soared. Because when the citizens no longer have a choice they can be forced. This will always be worth more to the bad actor than the cost to eradicate good solutions, because the bad actor can always abuse more. Destroying electric trams is a good example of this.
When infrastructure is taken over by bad actors, as in Bolivia when they took over the water supply, they can really harm entire populations. This was a wet dream come true for the IMF (pun intended). How bad did it get? Read up on the water wars. Was the infrastructure cheap? Yes of course, it is a chore for a good actor to supply service and limited profit. This nastiness is spreading.
What about Facebook and its "benign" Internet project in India? It would be a lot more difficult to establish Internet infrastructure if they had been allowed to proceed.
Transparent, democratic, firm rules; gives a good and stable foundation free competition that serve the citizens and harm bad actors. This is exactly why ISDS is negotiated in secret! It is meant to be above governments, our governments.
[ link to this | view in chronology ]
Re: Friday night lynching
I know it's fun to vent. But fundaments of civilization rely on regulation of violence.
Make clear rules, have a fair and impartial method of judging if people have violated them, have reasonable punishments set for those found guilty.
Keep your torches and nooses at home. That is the way to barbarism.
[ link to this | view in chronology ]
Re: Re: Friday night lynching
More like governments giving themselves a monopoly on violence, and using that monopoly to preserve their power.
[ link to this | view in chronology ]
Re: Re: Re: Friday night lynching
Still, it's better than the alternative. Usually.
[ link to this | view in chronology ]
This Is Awful
[ link to this | view in chronology ]
Re: This Is Awful
[ link to this | view in chronology ]
Question On How To Test
- one is currently using a carrier-provided femtocell that backhauls on the customer's DSL or cable?
- one is currently using a wifi connection?
- one is using HTTPS?
I'm concerned that if people run the test, at home, they may get a negative result over their wifi, but if they left home, they'd be spy fodder.
[ link to this | view in chronology ]
Re: Question On How To Test
Be sure to turn off wifi when testing.
Also, probably a good idea to try it both on and away from a femtocell if you use one.
[ link to this | view in chronology ]
Selection bias
[ link to this | view in chronology ]
Musical Chairs
More to the point, how long before this sort of criminal activity is perceived and treated as criminal activity by the so called Department of Justice, and Law Enforcement?
As for the public, by the time it becomes aware of the exploits being used against it today, a whole new array of exploits will have already been developed and injected into the system.
This is all mainly because the authorities do not consider economic attacks on the public by government and business as crimes and do nothing to end the practice until years after it's been replaced by another exploit process and even then, do not actually punish the perpetrators for their crimes in any meaningful way.
This lack of concern and reaction by authority coupled with the lack of consequences for the perpetrators, absolutely guarantees repetition and improvement of the exploitation processes being used against the public.
---
[ link to this | view in chronology ]