New reports reveal that both AT&T and Verizon have been using unique identifying information to track web activity for their respective mobile customers. According to Wired, Verizon has been “subtly altering” web traffic from its wireless customers for the past two years in order to insert a unique identifier header, or UIDH, that allows the company to identify users on the web and target its Internet advertising. This “perma-cookie” — as termed by Jacob Hoffman-Andrews of the Electronic Frontier Foundation — allows any web server to build a profile of a user’s Internet habits. Since Verizon is able to take advantage of its unique position as the Internet Service Provider to actually modify traffic midstream, this method also has the potential to circumvent existing privacy tools such as private browsing sessions and “do not track” restrictions. At this time, there is no way to turn off this UIDH feature, according to a Verizon spokesperson. The company notes that it does not use the feature to create customer profiles, but only targeted ads for those users who have not opted out of the company’s Relevant Mobile Advertising program. Verizon customers can choose to opt out by visiting https://www.vzw.com/myprivacy, however Hoffman-Andrews points out that because the UIDH is broadcast to every web site that a Verizon user visits, other ad networks could begin leveraging the identifier themselves to profile Verizon users’ web activity even without the company’s involvement.
AT&T also appears to have begun testing its own unique mobile tracking solution, according to another report from Forbes. While AT&T claims to only be “testing” the system for now, the company claims to be building in its own privacy measures by rotating the unique identifier every 24 hours. However, the security researcher who discovered the tracking, Kenneth White, states that this is “categorically untrue,” noting that he has found three identifying codes sent by AT&T that were persistent. An AT&T spokesperson declined to reveal how long the test had been running, saying only that it has been a “little while” and claims that customers will be able to opt out of any future AT&T programs that might use this code, noting that unlike Verizon, AT&T will not include the code at all for customers who have chosen to opt out. Users can see if they’re affected by visiting http://220.127.116.11/mobileoptout/ using a cellular data connection from their AT&T mobile device.
In either case, users can check to see if their devices are broadcasting a mobile identifier by visiting http://lessonslearned.org/sniff, a site setup by Kenneth White, the security researcher who discovered the tracking. [via MacRumors]