Wireless Privacy, Opt-Out Settings Don't Protect Your Security Online

NEWS ANALYSIS: Tests reveal that carriers may be including unique identifiers on your wireless data transmissions despite your efforts to opt out of advertising or tracking.

Mobile Security B

Advertisers on the Internet know who you are; they know where you are with your mobile phone; and they can track your interests and send you advertising despite efforts on your part to avoid their attention.

The good news is you can find out fairly easily if this tracking is taking place. The better news is that not every carrier inserts tracking codes in your data stream.

The initial details of this practice were first revealed by the non-profit journalism group Pro Publica, which discovered that Twitter is making use of this information from Verizon wireless phones as a way to deliver advertising.

AT&T is testing such a service, but has not deployed it commercially. The unique identifier, sometimes called a "perma-cookie," allows an internet site to track a specific phone and from that information build a database of information as to what the user of the phone is doing, such as looking for sports scores or searching for restaurants or shops.

For the most part, the ID number does not specifically identify the person using the wireless device, but it can if the wireless company agrees to sell the information related to the device. Verizon, for example, has said that it makes such information available to its partners unless the device user specifically opts out of tracking.

AT&T told eWEEK that the company is testing such a program. "AT&T does not currently have a mobile Relevant Advertising program," spokesman Mark Siegel told eWEEK. "We are considering such a program and any program we would offer would maintain our fundamental commitment to customer privacy."

Siegel said that once the program goes live, customers can opt out of it completely, meaning that the unique identifier will not be inserted into the customer's data stream at all. Verizon, in contrast, lets customers opt out of providing information, but not out of the unique identifier itself.

Verizon has acknowledged that the tracking code, which it calls a Unique Identifier Header, is present in all cases, even when the customer has opted out of advertising to their mobile device.

The company provided an advance copy of a document explaining how it works to eWEEK. Verizon has two programs that use this information, Relevant Mobile Advertising and Verizon Selects. "When a customer opts out, our partners receive no information, anonymized or otherwise, about those customers," the document explains, but it also confirms that the UIDH remains.

T-Mobile, on the other hand, says it does not engage in this sort of activity. "T-Mobile doesn’t use a 'perma cookie', like those other wireless providers are accused of using to track their customers," a senior executive in the company's corporate communications department told eWEEK.

The privacy implications of this tracking are fairly obvious. But what's not so obvious are the risks that accompany the effort to grab those unique identification numbers. Some sites, for example, will instruct the mobile device to turn off its SSL encryption so that it has access to the information. While this may not matter, assuming it turns the encryption back on immediately, this does not necessarily happen.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...