The Internet browsing history of more than 100 million Verizon and AT&T smartphone customers has been made trackable.
That's the upshot of the recent revelation that both companies have been running advertising programs that use "supercookies" that can't be evaded by any of the means available for ordinary cookies.
But to understand these "supercookies," it's helpful to start with the old-fashioned kind.
"For nearly twenty years now, the cookie has become the standard way to track people online, for better or worse," says Jacob Hoffman-Andrews, the senior staff technologist at the Electronic Frontier Foundation who first brought attention to the Verizon program.
"The metaphor I use when I teach is I say a cookie is like a name tag," he says.
Browsing a website is like entering a room and being handed a name tag. It might have a fake name or a series of digits written on it, but it's an identifying label that everyone in the room--each of the many entities that serve content on a given webpage--can see. If you leave it on, anyone watching--and there are many companies watching--can see where you go.
"But you also have the option to take off that name tag," says Hoffman-Andrews. "When you clear cookies in your browser that's like ripping off all your name tags."
"On mobile we don’t have the cookie," says Jenny Wise, mobile marketing analyst at Forrester. "And so the industry is sort of cobbling together all these different solutions."
Advertisers want to track users and target ads on the mobile Internet, and across multiple devices.
"That’s sort of the holy grail for advertisers," says Wise. "And ad tech is on the case."
Those solutions range from GPS data to Facebook log-ins to device ID numbers--but it's much more fragmented than following a single cookie. And Wise says most of them are opt-out. "That's one of the key things that Verizon and AT&T are running into," says Wise.
"Supercookie" is a generic term, which can refer to any of a number of ways of getting around the limitations of cookies. But Verizon's and AT&T's versions aren't easily evaded--in fact, it's very difficult to tell that the tracking code is being applied in the first place.
Referring to Verizon's program, Hoffman-Andrews says: "The [supercookie] is inserted after it leaves your phone, so there’s nothing you could do on the phone to detect that it’s going on."
In Verizon's case, while users can opt out of the advertising program that makes use of the data Verizon collects, the company has said that there is no opting out of the supercookie itself, which security researchers say can be easily used by third parties.
"One possible analogy that comes to mind here is a license plate," says security researcher Jonathan Mayer. "It's a lot like throwing a license plate on your web browser. And Verizon's position is 'Hey we're the DMV, if anyone wants information about someone with that website they have to come to us.'"
"But that doesn't mean you can't follow a license plate around," he says.
"That’s a very good metaphor, but so much of our intellectual and political life takes place on the Internet now, it would amount to a license plate for your brain," says the EFF's Hoffman-Andrews. "Every question you have, every news article you read would be attached to this one identity."
Verizon says those "license plates" are changed "frequently," and that their supercookies don't "provide any information beyond what [ad tech entities that have a presence on many websites] have by virtue of [other permanent and longer-term identifiers... already widely available] and other already existing IDs."
"What Verizon and AT&T are doing--and why they might have the leg up here, if there's no backlash from privacy concerns--is that their network goes across devices," says Forrester's Wise. "So not only do you know what I'm doing when I use my mobile phone, I'm also using that same network when I'm on my tablet, or when I'm on my TV."
"That opens up the door."
For more "targeting" or more "tracking," depending on your perspective.