Wired and Forbes reported earlier this week that the two largest cellphone carriers in the United States, Verizon and AT&T, are adding a tracking number to their subscribers' Internet activity, even when users opt out.
The data can be used by any site — even those with no relationship to the telecoms — to build a dossier about a person's behavior on mobile devices — including which apps they use, what sites they visit and for how long.
ProPublica reports that MoPub ("the world's largest mobile ad exchange"), acquired by Twitter in 2013, uses Verizon's tag to track and target cellphone users for ads and that AT&T and Vodafone are also testing the waters with similar tracking IDs.
Related Stories
Wired and others report that ProPublica has become the first "major" news outlet to launch a version of the site using Tor:
On Wednesday, ProPublica became the first known major media outlet to launch a version of its site that runs as a "hidden service" on the Tor network, the anonymity system that powers the thousands of untraceable websites that are sometimes known as the darknet or dark web. The move, ProPublica says, is designed to offer the best possible privacy protections for its visitors seeking to read the site's news with their anonymity fully intact. Unlike mere SSL encryption, which hides the content of the site a web visitor is accessing, the Tor hidden service would ensure that even the fact that the reader visited ProPublica's website would be hidden from an eavesdropper or Internet service provider.
"Everyone should have the ability to decide what types of metadata they leave behind," says Mike Tigas, ProPublica's developer who worked on the Tor hidden service. "We don't want anyone to know that you came to us or what you read."
ProPublica accepts news tips using a SecureDrop hidden service. The recent move to include a Tor hidden site was motivated by concerns that Chinese readers could be put at risk by reading reports about the country's Web censorship.
The site can be reached at: propub3r6espa33w.onion
ProPublica often collaborates with The New York Times, NPR, PBS, The Intercept and others to publish stories. Here are a few ProPublica stories that have made it to our front page:
Somebody's Already Using Verizon's ID to Track Users
Fines Remain Rare as Health Data Breaches Multiply
NSA Monitors Americans' International Internet Traffic to Hunt Hackers for FBI
Fairview: AT&T's Collaborative Relationship with NSA Revealed
Psychology Practice Revealed Patients' Mental Disorders in Debt Lawsuits
(Score: 1) by zzw30 on Friday October 31 2014, @05:49PM
Is there anything that can be done about this outside of not using AT&T/Verizon services? For myself, and I assume many others, boycotting is not an option; in my case I just re-upped a 2 year contract.
(Score: 2) by Nerdfest on Friday October 31 2014, @06:08PM
In Canada we have a Privacy Commissioner. Is there something similar in the US? If so, file a complaint.
(Score: 2) by Snow on Friday October 31 2014, @06:20PM
Just make sure you fill out the form in triplicate, on legal sized paper. Have it notarized, signed by the lieutenant governor, and initialed by the Queen. Then wait the mandatory 4-6 months. They'll contact you if they need anything else.
(Score: 2) by Nerdfest on Friday October 31 2014, @06:42PM
It may not be that bad. I filed a CRTC complaint against Rogers Communications, and it was followed up on, just from filling in an online form. I think too many people think the processes are too onerous. If nobody complains these weasels get away with their unscrupulous behaviour for way too long.
(Score: 1) by Buck Feta on Friday October 31 2014, @06:45PM
> Rogers Communications
Apparently rogers is a verb.
- fractious political commentary goes here -
(Score: 2) by Nerdfest on Friday October 31 2014, @09:09PM
That's certainly their opinion.
(Score: 2) by FatPhil on Saturday November 01 2014, @12:48PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 1) by art guerrilla on Friday October 31 2014, @07:27PM
oh sure, we have a 'privacy commissioner' too, he's called 'Director of the NSA'...
just type your complaint into your computer, and he'll see it...
(Score: 0) by Anonymous Coward on Friday October 31 2014, @07:59PM
Yawn.
Do you always have to be "on"?
(Score: 2) by tangomargarine on Tuesday November 04 2014, @07:58PM
Evil never sleeps ;)
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 1) by ddtmm on Friday October 31 2014, @06:14PM
I am curious to know if using a vpn on your cell device would be an effective work-around. I have a vyprvpn account and it works well in the iPhone. Anyone know if that circumvents the ID thing?
(Score: 3, Interesting) by Snow on Friday October 31 2014, @06:24PM
Interesting question, further to that, would https connections also be immune, or would they be MITMing the connection with forged certs to insert the ID. Or is the ID embedded into the phone, and it's the phone that adds the ID, and not Verizon directly. I couldn't find any technical details in the article.
(Score: 1, Informative) by Anonymous Coward on Friday October 31 2014, @06:29PM
Just loaded the test site (http://lessonslearned.org/sniff) on my AT&T phone with VPN enabled and I'm pleased to report that that circumvents the UID broadcast (I tested earlier without VPN and a UID was present). I'd just recently signed up with FrootVPN (https://www.frootvpn.com/) when I saw the Wired article. Kinda wishing I'd done it sooner, now.
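A check like the one reported in the comment above can be reproduced by comparing the request headers a client sent with the headers the server actually received. The following is an added example, not code from the thread or from the test site; the header names `X-UIDH` and `X-ACR` come from public reporting on carrier ID injection rather than from this page, and the host name, user agent and header value are constructed.

```python
# Added example: diff the headers a client sent against the headers the
# server received, to spot anything inserted on the network path.

# Assumption: names taken from public reporting, not from this thread.
KNOWN_ID_HEADERS = {"x-uidh", "x-acr"}

def parse_headers(raw: bytes) -> dict:
    """Return {lowercased-name: value} from a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(sent: bytes, received: bytes) -> dict:
    """Report headers added or altered between client and server."""
    s, r = parse_headers(sent), parse_headers(received)
    added = {k: v for k, v in r.items() if k not in s}
    changed = sorted(k for k in s if k in r and s[k] != r[k])
    tracking = sorted(k for k in added if k in KNOWN_ID_HEADERS)
    return {"added": added, "changed": changed, "tracking": tracking}

# Constructed sample data: what the browser sent ...
SENT = (b"GET /sniff HTTP/1.1\r\nHost: test.example\r\n"
        b"User-Agent: ExampleBrowser/1.0\r\nAccept: */*\r\n\r\n")
# ... what the server saw over plain HTTP on the carrier network ...
RECEIVED_CLEARTEXT = (b"GET /sniff HTTP/1.1\r\nHost: test.example\r\n"
                      b"User-Agent: ExampleBrowser/1.0\r\nAccept: */*\r\n"
                      b"X-UIDH: CONSTRUCTED-PLACEHOLDER-VALUE\r\n\r\n")
# ... and what it saw when the request travelled inside a VPN tunnel.
RECEIVED_TUNNELLED = SENT

if __name__ == "__main__":
    for label, rx in (("cleartext", RECEIVED_CLEARTEXT),
                      ("tunnelled", RECEIVED_TUNNELLED)):
        print(label, audit(SENT, rx))
```

The "added" set also catches inserted headers whose names are not in the known list, which is why the comparison is made against what the client sent instead of matching names alone.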
(Score: 1) by ddtmm on Friday October 31 2014, @06:31PM
awesome. thx
(Score: 2) by urza9814 on Tuesday November 04 2014, @02:00PM
Tor (Orbot on Android) blocks it too if anyone is wondering.
(Score: 1) by WillAdams on Friday October 31 2014, @06:32PM
Change your useragent so that it's a contract enforcing a charge for tracking and take anyone you find doing so to small claims court?
(Score: 3, Interesting) by edIII on Friday October 31 2014, @08:09PM
I like the cut of your jib. Unfortunately that will never work.
The useragent is from the client. It's the server that is contacted and dictates the legal terms of the interaction with TOS or policy messages, that are also governed by any applicable state laws and constraints.
You propose to surreptitiously amend an existing relationship with another contract. Quite likely it would also eliminate legal language beneficial to the other side. I'm 99% sure that is prohibited by most contract law as the principle is that neither side has unilateral control over amendments. Since you initiated the contact, you always had the option of not going to the website. In order for you to proceed you need to consider the legal language in the contracts between two or more parties, out all of those involved. Verizon is making money off this with advertising revenue, so some of the websites are certainly covered by that TOS. According to the article though, it's data leakage on a massive scale, meaning that it's also quite likely that other major ad networks already had that tracking place for free both legally and financially.
A lawyer could correct me. I think a financing analogy is that equity loan you lent is 6th in line, and not worth a dime.
What's sad is that you shouldn't need to sue anyone with such tactics. It should be a violation of your civil rights when a corporation removes privacy that could be reasonably argued to be expected. Don't know about you, but I was not expecting Verizon to be using DPI and hijacking for all web requests, and then completely remove your privacy utterly from the biggest actors in the whole privacy game.
The tracking is intended to be anonymous, but it also fails with that as well. The largest offenders out there only need a single identifying data point to permanently associate an ostensibly anonymous tracking number, with an actual connection to profile information. Probably from one of the major providers like LexisNexis or others.
So the reality is that Verizon created a massive database of all of your activities, visit durations, etc. and then effectively anonymized it with a single identifier. Great. Well, it only needs to be cracked once and then the major players now know all the stuff you do. Nice. I can pay a few thousand dollars, fake some crap, and then in addition to a full credit report, background check, and god knows what else, I get a full listing of all the websites you visited from your phone or Verizon Wireless enabled device.
Now a prospective employer knows I spent 43 minutes on Young Asian Cheerleaders With Tight Asses at Pornhub on a Wednesday at 11am while I probably should have been "servicing the shareholder's penis instead".
Maybe Verizon should have said something when their actions effectively acted to unilaterally amend an existing contract with their subscribers in such a way as to be obscured and hidden, while also likely being highly objectionable when adequately explained.
Verizon cannot claim ignorance of the objectionable amendment either, as they are self-proclaimed to be in the "Internet Advertising Business" as well as an ISP. They full well have sophisticated knowledge of consumer preferences and habits, as well as usage on many advertising blocking Apps and plugins.
I would initiate a class action lawsuit against Verizon Wireless arguing they violated your reasonable rights and expectation to privacy, they are in breach of contract, unreasonably interfered with likely attempts by plaintiffs to secure privacy through other paid for services acting to interfere in those contracts, and that plaintiffs are deserving of remedy including punitive damages.
Then when Verizon fights, we end up getting them to stop and give all affected people complimentary VPN service from participating providers. After 4 years while their program is still running. Which is because we are talking a legal defense which is quite like a fly trying to kill a lion at this point.
Best we can do is to force Verizon Wireless into being a dumb pipe. Just get a VPN. If they try and stop that, then just stop paying them for it. With the way everything is going anyways, you have to assume all of your packets are monitored and progressively interfered with for tracking and advertising purposes.
(Score: 2) by pendorbound on Friday October 31 2014, @07:01PM
1) Use SSL.
2) VPN your traffic somewhere sane.
They can’t inject in SSL connections, so that’s a partial fix. I also run OpenVPN back to my router at home from ALL of my devices (phone, tablet, laptop), so that works at least until TimeWarner gets stupid. After that, third party VPN service so I look like a complete drug dealer….
(Score: 0) by Anonymous Coward on Friday October 31 2014, @07:07PM
Use Tor? It's available on Android.
(Score: 2) by Fnord666 on Saturday November 01 2014, @04:09AM
Use a VPN for all traffic to and from your phone.
(Score: 2) by Kromagv0 on Friday October 31 2014, @07:25PM
Another win for having a dumb phone.
T-Shirts and bumper stickers [zazzle.com] to offend someone
(Score: 3, Interesting) by c0lo on Friday October 31 2014, @08:34PM
(ducks for cover)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Friday October 31 2014, @09:44PM
The cell company tracks you instead of some anonymous website?
I have seen the radius feeds. They have everything in them to track exactly what you do. I watched one dude work out where his phone was down to about 50 feet, without gps. You can usually 'see' 2-3 towers and they record it all. GPS makes it simple for you to know where you are at. The phone company already knows. It has to, so it can do the tower handoff.
(Score: 0) by Anonymous Coward on Saturday November 01 2014, @07:01AM
Or you could just turn the GPS off when you're not using it, and not install software that forces tracking, like Facebook's app, instead visiting their website from Firefox mobile w/ Ghostery, etc. And not use shitty, expensive, stalker carriers like Verizon and ATT in the first place, which is the only way to not be at risk of being tracked by them through the methods mentioned in this article.
The only reason people's smartphones get used for tracking is because the users enable all the options that allow them to be tracked. You can't be tracked via GPS if you don't leave it on all the time, and location-by-tower works exactly the same with dumbphones.