You may hear such tracking called by many names, such as by a carrier's use of supercookies, perma-cookies and zombie cookies, but Access researchers say those are "inaccurate" terms; instead "tracking header" best describes the header injected by carriers out of the control of the user. Below is the breakdown of tracking by country.
The data provided by Access shows Verizon as the top offender in regards to monitoring its users with tracking headers, followed by AT&T. AT&T agreed to stop using such tracking methods in November 2014; it wasn't until 17 weeks later that AT&T stopped injecting tracking headers and stopped showing up on Amibeingtracked. Access also noted that Cricket was monitoring U.S. users with tracking headers, but there needs to be a bigger pool of data as it was tested less than 10 times.
About 18,900 Verizon users and approximately 5,700 AT&T users who tried the Amibeingtracked tool between November 2014 and April 2015 were being tracked by their carriers. Verizon is still showing up on the chart because users are opted-in by default, meaning it's on the user to take responsibility and follow the necessary steps if they want to opt-out.
Yet a different breakdown of the data shows the highest percentage of tracking by carrier.
Other key findings in the Access report include:
- Even if tracking headers are not used by the carrier itself to sell advertising, other firms can independently identify and use the tracking headers for advertising purposes.
- Using "Do not track" tools in web browsers does nothing to block the tracking headers.
- Unfortunately, tracking headers "can attach to the user" even when he or she crosses international borders.
- Tracking headers do not work when users visit websites that encrypt connections using Secure Socket Layer (SSL) or Transport Layer Security (TLS), meaning the site has an HTTPS URL. That's great, but Access researchers are concerned that lack of tracking may lead to fewer sites offering secure and encrypted HTTPS connections.
- Tracking headers have been used since 2000, meaning it took 15 years for the U.S. to investigate how they were being used (pdf). Access added, "It is entirely possible that new, undiscovered tracking mechanisms are already being deployed."
It's not only Access warning about such tracking; the W3C Consortium is against unsanctioned web tracking as it is "actively harmful to the web" and "may introduce privacy, security, and consumer protection concerns."
Access pointed out that not all carriers disrespect their users' privacy by secretly monitoring them with tracking headers, but others telcos also need to be "freedom providers."
Sign up for CIO Asia eNewsletters.