back to article Anti-privacy unkillable super-cookies spreading around the world – study

At least nine telcos around the world are using so-called super-cookies to secretly monitor citizens' online behavior, according to a new study. A super-cookie is a token unique to each subscriber that is injected into every HTTP request made through a telco's cellphone networks. They can't be stripped by the user: every time …

  1. gerdesj Silver badge

    There are other options

    You could use a VPN on your phone to back home and gateway via that. This assumes your home ISP doesn't do something similar, in which case you will need to add some other digital trickery.

    It's a lot of extra faff and almost no one will bother. Invariably, convenience trumps security *sigh*

    1. streaky Silver badge

      Re: There are other options

      in which case you will need to add some other digital trickery

      They'd have to break through the crypto to touch it so yes it is effective. Indeed it's why mobile VPN services are progressively becoming fairly big business.

      Regardless, it has the air of wake up and smell the lawsuit about it. Companies found doing this to their customers (and it's not exactly hard to test) will end up on the bad end of all sorts of privacy laws around the globe so on the off-chance any were reading this I'd tell them to how about stop.

    2. Jack of Shadows Silver badge

      Re: There are other options

      Yes, there are other options. VPN is good although there are on-phone (before encryption) methods have shown up time and again. I use VPN's just as baseline security. I do something a bit over the top.

      No cellphone. Zip, nada, none. Not a very effective solution for most, ergo that pesky tradeoff.

    3. Triggerfish

      Re: There are other options

      It's not always convenience trumps security its knowledge, on a tech website people understand your post, elsewhere people are going to go huh. The companies get away with tracking half the time because poeple don't really get it, or know what they could do about it.

    4. Anonymous Coward
      Anonymous Coward

      Re: There are other options

      "You could use a VPN on your phone to back home and gateway via that. This assumes your home ISP doesn't do something similar, in which case you will need to add some other digital trickery."

      And then you have countries like China that cripple VPNs. I'm still surprised they haven't outright restricted encrypted traffic of any sort (at least, any they don't already hold the key).

      1. Anonymous Coward
        Anonymous Coward

        Re: There are other options

        The Land of the Fee, Home of the Slave.

  2. Anonymous Coward
    Headmaster

    "the Land of the Free"

    Sir,

    Please note that "the Land of the Free" must always be enclosed in quotation marks as it is a quotation not a fact.

    1. Anonymous Coward
      Anonymous Coward

      Re: "the Land of the Free"

      Actually, "Free" in that phrase means "people who are given away".

      1. david 12 Bronze badge

        Re: "the Land of the Free"

        No, that's free as in Butterflies, not free as free beer.

        You're all up for sale / you've all been sold out.

      2. Anonymous Coward
        Anonymous Coward

        Re: "the Land of the Free"

        When you say "people who are given away", you obviously mean "people who are snitched-on by the Telco to the Stasi".

        1. Eddy Ito Silver badge

          Re: "the Land of the Free"

          That's probably why AT&T stopped with the cookie. They just leave the tracking to the NSA. I wonder if AT&T get a marketing basket with a nice big bow on it in return for all that data.

    2. Anonymous Coward
      Anonymous Coward

      Re: "the Land of the Free"

      Certainly free of any encumbrance of rights

    3. Fungus Bob Silver badge

      Re: "the Land of the Free"

      No, its the Land of the Free and priced about right: ain't worth a handful of sour owlshit.

  3. Anonymous Coward
    Anonymous Coward

    But what if - "A super-cookie is a token unique to each subscriber that is injected into every HTTP request made through a telco's cellphone networks, except for requests to amibeingtracked.com"

    1. e^iπ+1=0

      But what if - "A super-cookie is a token unique to each subscriber that is injected into every HTTP request made through a telco's cellphone networks, except for requests to amibeingtracked.com"

      More realistically, only injected for partner websites: I have my own website, check the logs, no super-cookie visible because I'm not a partner.

      Were I to approach the telco and get invited to join the partner program, only then would my site get to see the super cookie.

  4. trenchfoot

    "And there's nothing you can do about it"

    Tor? Plenty of good options (on Android at least) for mobile these days. I use Orbot which can act as a transparent proxy for a lot of HTTP using apps without rooting the device. Simple to install and use, even for a non-techie.

  5. Nigel 11

    Spain?

    Isn't this sort of invasion of privacy illegal in the EU? Don't EU rules say that a site has to have the user's permission even for the everyday sort of browser-clearable cookies. (That's click-OK permission, not something formatted white-on-white in paragraph 397 of the Ts&Cs).

    Can someone check up on the UK's networks?

    1. Adam 52 Silver badge

      Re: Spain?

      No. The EU rules are about storing data on the user's computer. They aren't about cookies, cookies are just one mechanism by which data can be stored. As I understand it this system doesn't store anything locally.

      There may be other privacy regulations this violates though. DPA is the obvious one (if the token is PII, which it would seem to be).

      1. Warm Braw Silver badge

        Re: Spain?

        > DPA is the obvious one

        And would not just apply to the Telecom provider, but to anyone who processes the information, including any website that made use of it, at least within the jurisdiction of the DPA...

      2. Martin 67

        Re: Spain?

        > No. The EU rules are about storing data on the user's computer.

        European Directive 2002/58/EC - they cover "cookies and similar technologies". No mention on the ICO's site (under The Privacy and Electronic Communications (EC Directive) Regulations 2003, which implements said Directive) about a requirement for data to be stored on the end-user's PC. I would imagine the right to object to automated processing for advertising (DPA) would be covered, which is itself and EU Directive ...

        1. Adam 52 Silver badge

          Re: Spain?

          Read beyond the first paragraph!

          https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies

  6. Little Mouse

    "limit your web browsing to HTTPS sites only"

    Come on, El Reg. We're still waiting...

  7. Anonymous Coward
    Anonymous Coward

    Mobile data so limited anyway...

    Mobile Data plans have been tightened up. No longer generous. So only a tiny sliver of our on-line activity might be so tagged.

    At home, with a fast fiber connection, the whole diverse family comes though the same pipeline. Good luck trying to make sense of that.

    1. This post has been deleted by its author

  8. clanger9

    They put the phone number in the header??

    Good God, that's a spectacularly clueless idea. I'd like to know which mobile providers actually do that. Anyone able to name names?

  9. zedee

    Suspected of being O2...

    http://www.theregister.co.uk/2012/01/25/o2_hands_out_phone_numbers_to_websites/

  10. teknopaul Bronze badge

    opera mini browser bypasses this

    Mind you, opera are doing something very similar Already.

  11. Adam 1 Silver badge

    Cudos to Vodafone AU

    /hey, how often does one get to write that.

    //still using a VPN though.

  12. Anonymous Coward
    Anonymous Coward

    And the article only covers mobile ISP cookies. Websites themselves are increasingly using other forms of GUID that can't be scrubbed because they're server-side. One idea I wonder if they're using or not combines such as using HTML-low-version-compliant browser fingerprinting (as in try to break them and you break compliance and get broken pages) combined with unique-per-user virtual folders (so that they can't be removed or changed without ending up with 404's).

  13. John Crisp

    Seems Telefonica / Movistar in Spain are up to it from the looks of things.

    Ok on Wifi, and my new little VPN proxy :-)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019