“Verizon and AT&T are adding ‘supercookies’ to your cellphone browsing.”
Thus is born the supercookie, which does not reside in the browser. Generally it is some form of fingerprinting of specific characteristics of your computer. It is easy for a web server to ask the browser to report the plug-ins and fonts it knows about, as well as CPU capability and screen resolution, among other features. It will use these statistics to better customize the web page, graphics, and video it sends you. A half-dozen pieces of information uniquely identify me out of over 4.5 million computers. The website can then collect this information in a database correlated to personal facts it already knows about.
Recently the popular press has picked up on another type of supercookie being fed to us by the cell carriers. Verizon has acknowledged that they’ve been adding this “feature” since 2012, and it has also shown up in tests of AT&T phones. The technique relies on the fact that your cell carrier, like any ISP, is a man in the middle for everything you send out on their network. In this case, they are adding a text identifier to every HTTP transmission you send over cellular data – it is not included if you connect via WiFi.
Verizon’s goal was to allow websites, for a fee, to send them your code and receive some of the plethora of personal data Verizon knows about you. This could include details such as your demographics, phone number, and which store you just walked into at the mall. Unfortunately for Verizon, because the ID is included whether the website subscribes or not, the website could just as easily build its own dossier on that ID. The ID is still attached to your browsing even if you opt out of allowing Verizon to sell your data.
The only way to block this identifier is to send all your communications on the cellular network through a secure channel. They cannot attach the ID to HTTPS browsing. Fortunately, major social networking sites such as Facebook, Google, and Twitter use HTTPS all the time. For all the other websites you might visit, your only recourse is to install and use a VPN.
Although Verizon is the only carrier to admit that they include and are monetizing this ID, the technology is available to every cellular company, ISP, or public access site.
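To check whether a connection carries such an identifier, compare a plain-HTTP request as you sent it with the same request as an echo server you control received it. The sketch below is an added example, not part of the original article; the header names X-UIDH and X-ACR come from public reporting rather than this page, and the sample requests and the echo.example host are constructed.

```python
# Added example: diff the headers a client sent against what the server received.
KNOWN_TRACKING = {"x-uidh", "x-acr"}   # names from public reporting, not this page
PROXY_HEADERS = {"via", "forwarded", "x-forwarded-for"}  # added by ordinary proxies


def parse_headers(raw: bytes) -> dict:
    """Return {lowercased-name: value} from a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_injected(sent_raw: bytes, received_raw: bytes) -> list:
    """List (name, value, kind) for headers added or altered in transit."""
    sent, received = parse_headers(sent_raw), parse_headers(received_raw)
    findings = []
    for name in sorted(received):
        if sent.get(name) == received[name]:
            continue                            # unchanged end to end
        if name in KNOWN_TRACKING:
            kind = "tracking"
        elif name in PROXY_HEADERS:
            kind = "proxy"
        else:
            kind = "unknown"
        findings.append((name, received[name], kind))
    return findings


# Constructed sample: the same request as sent and as echoed back by the server.
SENT = (b"GET /echo HTTP/1.1\r\nHost: echo.example\r\n"
        b"User-Agent: demo\r\nAccept: */*\r\n\r\n")
RECEIVED = (b"GET /echo HTTP/1.1\r\nHost: echo.example\r\n"
            b"User-Agent: demo\r\nAccept: */*\r\n"
            b"X-UIDH: CONSTRUCTED-SAMPLE-ID\r\nVia: 1.1 proxy.example\r\n\r\n")

if __name__ == "__main__":
    for name, value, kind in find_injected(SENT, RECEIVED):
        print(f"{kind:8} {name}: {value}")
```

Running the same comparison over WiFi, HTTPS, or a VPN should return no "tracking" entries, which matches the behavior described above.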
Steve Gibson’s Security Now
· The entire podcast: http://twit.tv/show/security-now/479
· His show notes and other text: https://www.grc.com/sn/sn-479-notes.pdf
Wired Magazine describes the process
My articles on cookies
EFF fingerprint test.
(cc) 2014- Bill Barnes