How Phone Companies Used 'Supercookies' to Track Customers' Web Browsing

AT&T and Verizon continued tracking users' unencrypted traffic for months after backlash over the practice erupted in November 2014, researchers found.


Tenacious "supercookies" allowed mobile broadband providers to follow their customers' activity—both in the U.S. and abroad—for over a decade, until the practice was discovered and publicized late last year and companies began to roll back the cookies.

But for months after the revelations prompted heightened scrutiny of AT&T's and Verizon's tracking programs, the companies continued keeping tabs on their customers, according to data gathered over the course of six months by Access, an international digital human rights organization, and released in a report Monday.

AT&T and Verizon were able to track their customers—even when users were roaming internationally or activated private browsing modes—by injecting code called tracking headers into the data sent from users' devices.

When a user requests a website from a mobile carrier that uses tracking headers, the carrier intercepts the request on the way to its intended target (e.g. a website on the Internet), and inserts a unique identifier tied to that user.

If the website that receives the modified request has paid the carrier for access to the user's unique identifier, the website can access information about the user—his or her Web-browsing history or shopping preferences, for example—in order to serve targeted advertising.

For six months starting in November 2014, nearly 180,000 people ran an online test on their mobile devices to determine whether companies were tracking their mobile activity, and shared the results with Access. Of those tests, which originated from 164 countries, more than 15 percent revealed the presence of tracking headers, according to the report.

Because carriers insert the headers into Internet requests after they have left a user's device, it is almost impossible for a user to prevent their use—or even to know that his or her information is being shared with advertisers. Access researchers note, however, that encrypted Web traffic sent over the HTTPS protocol cannot be tracked by carriers.
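A test of the kind users ran can be sketched as a comparison between the headers a device sent and the headers a test server received over plain HTTP. This is an added example, not code from Access or the carriers; the header-name lists, function names and sample requests are assumptions constructed for illustration.

```python
# Added example. The header lists are illustrative assumptions, not exhaustive,
# and every sample value below is constructed.
KNOWN_TRACKING_HEADERS = {"x-uidh", "x-acr", "x-msisdn", "x-up-subno", "x-up-calling-line-id"}
PROXY_METADATA_HEADERS = {"via", "x-forwarded-for", "x-forwarded-proto", "forwarded"}


def _lower(headers):
    """HTTP header names are case-insensitive, so compare them in lower case."""
    return {name.strip().lower(): value.strip() for name, value in headers.items()}


def added_in_transit(sent, received):
    """Classify headers the server saw that the device never sent."""
    sent, received = _lower(sent), _lower(received)
    findings = {}
    for name in sorted(set(received) - set(sent)):
        if name in KNOWN_TRACKING_HEADERS:
            findings[name] = "known-tracking-header"
        elif name in PROXY_METADATA_HEADERS:
            findings[name] = "proxy-metadata"
        else:
            findings[name] = "unexpected-addition"
    return findings


def persistent_identifiers(sent, observations):
    """Return added headers whose value is identical on every request.

    A value that survives a switch to private browsing behaves like an
    identifier tied to the subscriber rather than to the browser.
    """
    sent = _lower(sent)
    seen = [_lower(obs) for obs in observations]
    common = set.intersection(*(set(o) for o in seen)) - set(sent) - PROXY_METADATA_HEADERS
    return sorted(n for n in common if len({o[n] for o in seen}) == 1)


# Constructed sample: what the device sent and what the test server received.
SENT = {"Host": "test.example", "User-Agent": "ExampleBrowser/1.0", "Accept": "*/*"}
RECEIVED_NORMAL = {**SENT, "X-UIDH": "CONSTRUCTED-ID-0001", "Via": "1.1 proxy.example"}
RECEIVED_PRIVATE = {**SENT, "X-UIDH": "CONSTRUCTED-ID-0001", "Via": "1.1 proxy2.example"}

if __name__ == "__main__":
    print(added_in_transit(SENT, RECEIVED_NORMAL))
    print(persistent_identifiers(SENT, [RECEIVED_NORMAL, RECEIVED_PRIVATE]))
```

The comparison only means something for an unencrypted request: over HTTPS the carrier cannot modify the headers, so any difference would have been introduced elsewhere.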

Telecom companies have been using versions of tracking headers since at least 2000, when privacy researchers discovered that Sprint was injecting mobile users' phone numbers in their Web requests. Verizon began its far more sophisticated tracking program in 2012, according to the company.

After media reports about the tracking practices intensified in late 2014, the telecom companies took steps to phase out their programs—but took months to do so completely.

AT&T said it stopped using the headers in November 2014, but user data submitted to Access starting that month showed AT&T users still had tracking headers injected into their Web traffic for 17 weeks after the tests began.

AT&T did not immediately reply to requests for comment on the timing of its tracking program.

Verizon, which had a more robust tracking system in place, took until January to announce that it would offer its customers an option to opt out from its program completely. Customers already could ask to be removed from Verizon's marketing program, but their unique identifiers continued to be injected into their Web requests. The change was not made until March, when Verizon said its system had been modified to stop inserting the tracking headers for customers who had opted out.

According to Deji Olukotun, the Access report's lead author, the data on the effectiveness of Verizon's opt-out program is "inconclusive." A Verizon spokesman said Monday that the carrier "provides clear notice and opt out choices for participation in our advertising programs," and pointed to the company's FAQ pages about headers and advertising.

Between November 2014 and April 2015, nearly 18,900 Verizon users and about 5,700 AT&T users who took the Access tracking-header test found they were being tracked by their carriers. (The sample was not representative of the world's mobile user population.)

After they were widely reported last year, the carriers' tracking practices earned them the attention of privacy-oriented lawmakers and federal regulators.

A group of Democratic senators wrote to the Federal Communications Commission and Federal Trade Commission in February to ask for an investigation of Verizon's tracking practices.

Sen. Bill Nelson, who signed the letter along with Sens. Edward Markey and Richard Blumenthal, said in a statement that the "whole supercookie business raises the specter of corporations being able to peek into the habits of Americans without their knowledge or consent," and he said he was considering introducing legislation around the tracking practices.

The FCC said in March it would review whether carriers' tracking practices violated any consumer security or privacy rules.

Although mobile tracking using tracking headers began dropping off this year, after backlash from consumers and the government, Access researchers note that there could be countless other ways Internet providers can silently track users.

Their testing, for example, did not touch on broadband providers' tracking practices, but broadband users can be tracked in much the same way as mobile users. AT&T's "GigaPower" fiber broadband service allows customers to opt out of tracking-based marketing—as long as they're willing to pay an extra $29 a month.

The broadband tracking program "works independently of your browser's privacy settings regarding cookies, do-not-track, and private browsing," according to the company.

Libby Isenstein (Graphics) contributed to this article