Anti-privacy unkillable super-cookies spreading around the world – study

At least nine telcos around the world are using so-called super-cookies to secretly monitor citizens' online behavior, according to a new study. A super-cookie is a token unique to each subscriber that is injected into every HTTP request made through a telco's cellphone networks. They can't be stripped by the user: every time …

Silver badge

There are other options

You could use a VPN on your phone to back home and gateway via that. This assumes your home ISP doesn't do something similar, in which case you will need to add some other digital trickery.

It's a lot of extra faff and almost no one will bother. Invariably, convenience trumps security *sigh*

15
0
Silver badge

Re: There are other options

in which case you will need to add some other digital trickery

They'd have to break through the crypto to touch it so yes it is effective. Indeed it's why mobile VPN services are progressively becoming fairly big business.

Regardless, it has the air of wake up and smell the lawsuit about it. Companies found doing this to their customers (and it's not exactly hard to test) will end up on the bad end of all sorts of privacy laws around the globe so on the off-chance any were reading this I'd tell them to how about stop.

4
0
Silver badge

Re: There are other options

Yes, there are other options. VPN is good although there are on-phone (before encryption) methods that have shown up time and again. I use VPNs just as baseline security. I do something a bit over the top.

No cellphone. Zip, nada, none. Not a very effective solution for most, ergo that pesky tradeoff.

0
0
Silver badge

Re: There are other options

It's not always convenience trumps security, it's knowledge; on a tech website people understand your post, elsewhere people are going to go huh. The companies get away with tracking half the time because people don't really get it, or know what they could do about it.

1
0
Anonymous Coward

Re: There are other options

"You could use a VPN on your phone to back home and gateway via that. This assumes your home ISP doesn't do something similar, in which case you will need to add some other digital trickery."

And then you have countries like China that cripple VPNs. I'm still surprised they haven't outright restricted encrypted traffic of any sort (at least, any they don't already hold the key).

0
0
Anonymous Coward

Re: There are other options

The Land of the Fee, Home of the Slave.

1
0
Headmaster

"the Land of the Free"

Sir,

Please note that "the Land of the Free" must always be enclosed in quotation marks as it is a quotation not a fact.

35
1
Anonymous Coward

Re: "the Land of the Free"

Actually, "Free" in that phrase means "people who are given away".

26
0
Bronze badge

Re: "the Land of the Free"

No, that's free as in Butterflies, not free as free beer.

You're all up for sale / you've all been sold out.

1
0
Anonymous Coward

Re: "the Land of the Free"

Certainly free of any encumbrance of rights

5
0
Anonymous Coward

Re: "the Land of the Free"

When you say "people who are given away", you obviously mean "people who are snitched-on by the Telco to the Stasi".

2
0
Silver badge

Re: "the Land of the Free"

That's probably why AT&T stopped with the cookie. They just leave the tracking to the NSA. I wonder if AT&T get a marketing basket with a nice big bow on it in return for all that data.

1
0
Bronze badge

Re: "the Land of the Free"

No, it's the Land of the Free and priced about right: ain't worth a handful of sour owlshit.

1
0
Anonymous Coward

But what if - "A super-cookie is a token unique to each subscriber that is injected into every HTTP request made through a telco's cellphone networks, except for requests to amibeingtracked.com"

13
0

But what if - "A super-cookie is a token unique to each subscriber that is injected into every HTTP request made through a telco's cellphone networks, except for requests to amibeingtracked.com"

More realistically, only injected for partner websites: I have my own website, check the logs, no super-cookie visible because I'm not a partner.

Were I to approach the telco and get invited to join the partner program, only then would my site get to see the super cookie.

0
0
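The check discussed in the posts above (compare what a client sent with what the origin server logged for the same request), as an added example that is not part of any comment. The header names, host and values are constructed; as the preceding post points out, a clean result on your own server does not rule out injection limited to partner sites.

```python
import re

# Constructed sample: headers a test client sent over the mobile network,
# and the raw request the origin server logged for that same request.
SENT = {"Host": "example.test", "User-Agent": "probe/1.0", "Accept": "*/*"}
RECEIVED_RAW = (
    b"GET /echo HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: probe/1.0\r\n"
    b"Accept: */*\r\n"
    b"X-Example-Subscriber: 3f9a1c77e2b04d5aa8c1d0e4b7f6a913\r\n"  # hypothetical name
    b"X-Example-Msisdn: 447700900123\r\n"                          # hypothetical name
    b"Via: 1.1 proxy.example\r\n"
    b"\r\n"
)

def parse_headers(raw: bytes) -> dict:
    """Return {lowercased-name: value} from a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def classify(value: str) -> str:
    """Rough guess at what an injected value carries."""
    if re.fullmatch(r"\+?\d{10,15}", value):
        return "phone-number-like"
    if re.fullmatch(r"[A-Za-z0-9+/=_-]{20,}", value):
        return "opaque-token-like"
    return "other"

def injected_headers(sent: dict, received_raw: bytes) -> dict:
    """Headers the server saw that the client did not send, or sent differently."""
    sent_l = {k.lower(): v for k, v in sent.items()}
    findings = {}
    for name, value in parse_headers(received_raw).items():
        if name not in sent_l:
            findings[name] = ("added", classify(value))
        elif sent_l[name] != value:
            findings[name] = ("modified", classify(value))
    return findings

if __name__ == "__main__":
    for name, (change, kind) in injected_headers(SENT, RECEIVED_RAW).items():
        print(f"{name}: {change} in transit, {kind}")
```

Run the comparison over plain HTTP only; an intermediary cannot add headers inside a TLS session, which is why the VPN and HTTPS suggestions in this thread work.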

"And there's nothing you can do about it"

Tor? Plenty of good options (on Android at least) for mobile these days. I use Orbot which can act as a transparent proxy for a lot of HTTP-using apps without rooting the device. Simple to install and use, even for a non-techie.

4
0
Silver badge

Spain?

Isn't this sort of invasion of privacy illegal in the EU? Don't EU rules say that a site has to have the user's permission even for the everyday sort of browser-clearable cookies? (That's click-OK permission, not something formatted white-on-white in paragraph 397 of the Ts&Cs).

Can someone check up on the UK's networks?

5
0
Silver badge

Re: Spain?

No. The EU rules are about storing data on the user's computer. They aren't about cookies, cookies are just one mechanism by which data can be stored. As I understand it this system doesn't store anything locally.

There may be other privacy regulations this violates though. DPA is the obvious one (if the token is PII, which it would seem to be).

2
0
Silver badge

Re: Spain?

> DPA is the obvious one

And would not just apply to the Telecom provider, but to anyone who processes the information, including any website that made use of it, at least within the jurisdiction of the DPA...

2
0

Re: Spain?

> No. The EU rules are about storing data on the user's computer.

European Directive 2002/58/EC - they cover "cookies and similar technologies". No mention on the ICO's site (under The Privacy and Electronic Communications (EC Directive) Regulations 2003, which implements said Directive) about a requirement for data to be stored on the end-user's PC. I would imagine the right to object to automated processing for advertising (DPA) would be covered, which is itself an EU Directive ...

1
0
Silver badge

Re: Spain?

Read beyond the first paragraph!

https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies

0
0
Silver badge

"limit your web browsing to HTTPS sites only"

Come on, El Reg. We're still waiting...

9
0
Anonymous Coward

Mobile data so limited anyway...

Mobile Data plans have been tightened up. No longer generous. So only a tiny sliver of our on-line activity might be so tagged.

At home, with a fast fiber connection, the whole diverse family comes through the same pipeline. Good luck trying to make sense of that.

1
1

This post has been deleted by its author

They put the phone number in the header??

Good God, that's a spectacularly clueless idea. I'd like to know which mobile providers actually do that. Anyone able to name names?

3
0

Suspected of being O2...

http://www.theregister.co.uk/2012/01/25/o2_hands_out_phone_numbers_to_websites/

1
0

Opera Mini browser bypasses this

Mind you, Opera are doing something very similar already.

0
0
Silver badge

Kudos to Vodafone AU

/hey, how often does one get to write that.

//still using a VPN though.

1
0
Anonymous Coward

And the article only covers mobile ISP cookies. Websites themselves are increasingly using other forms of GUID that can't be scrubbed because they're server-side. One idea I wonder if they're using or not combines such as using HTML-low-version-compliant browser fingerprinting (as in try to break them and you break compliance and get broken pages) combined with unique-per-user virtual folders (so that they can't be removed or changed without ending up with 404's).

0
0

Seems Telefonica / Movistar in Spain are up to it from the looks of things.

Ok on Wifi, and my new little VPN proxy :-)

0
0
