Advertisers on the Internet know who you are; they know where you are with your mobile phone; and they can track your interests and send you advertising despite efforts on your part to avoid their attention.
The good news is you can find out fairly easily if this tracking is taking place. The better news is that not every carrier inserts tracking codes in your data stream.
The initial details of this practice were first revealed by the non-profit journalism group Pro Publica, which discovered that Twitter is making use of this information from Verizon wireless phones as a way to deliver advertising.
AT&T is testing such a service, but has not deployed it commercially. The unique identifier, sometimes called a “perma-cookie,” allows an internet site to track a specific phone and from that information build a database of information as to what the user of the phone is doing, such as looking for sports scores or searching for restaurants or shops.
For the most part, the ID number does not specifically identify the person using the wireless device, but it can if the wireless company agrees to sell the information related to the device. Verizon, for example, has said that it makes such information available to its partners unless the device user specifically opts out of tracking.
AT&T told eWEEK that the company is testing such a program. “AT&T does not currently have a mobile Relevant Advertising program,” spokesman Mark Siegel told eWEEK. “We are considering such a program and any program we would offer would maintain our fundamental commitment to customer privacy.”
Siegel said that once the program goes live, customers can opt out of it completely, meaning that the unique identifier will not be inserted into the customer’s data stream at all. Verizon, in contrast, lets customers opt out of providing information, but not out of the unique identifier itself.
Verizon has acknowledged that the tracking code, which it calls a Unique Identifier Header, is present in all cases, even when the customer has opted out of advertising to their mobile device.
The company provided an advance copy of a document explaining how it works to eWEEK. Verizon has two programs that use this information, Relevant Mobile Advertising and Verizon Selects. “When a customer opts out, our partners receive no information, anonymized or otherwise, about those customers,” the document explains, but it also confirms that the UIDH remains.
T-Mobile, on the other hand, says it does not engage in this sort of activity. “T-Mobile doesn’t use a ‘perma cookie’, like those other wireless providers are accused of using to track their customers,” a senior executive in the company’s corporate communications department told eWEEK.
The privacy implications of this tracking are fairly obvious. But what’s not so obvious are the risks that accompany the effort to grab those unique identification numbers. Some sites, for example, will instruct the mobile device to turn off its SSL encryption so that they have access to the information. That might not matter if the encryption were turned back on immediately, but that does not necessarily happen.
Wireless Privacy, Opt-Out Settings Don’t Protect Your Security Online
But even if it does, if your corporate mobile device that is used for compliance-related work is allowed to communicate with a non-secure site, even briefly, it’s possible you or your organization could fail a compliance audit. In other words, you could get busted for taking a second to visit an e-commerce site if that site wants your device identifier.
Chances are you thought that when you initiated a secure session, your connection was encrypted. That may not be true. “It is possible to force a channel to become non-secure,” said Jonathon Carter, technical director for Arxan Technologies, which specializes in securing mobile communications.
“The server that accepts the SSL connection would simply redirect the user to a non-secure form of the same site. In response to a redirect request, the user’s browser (Safari in iOS, for example) would unconditionally open the non-SSL version of the site.”
Carter said that normally the switch to an insecure connection would last only long enough to get the identifier, but that depends on the site being programmed so that actually happens. Done wrong, and the communication will remain insecure. Carter noted that the browser would indicate a non-secure connection, but that in turn depends on the user noticing that. Worse, if an app is using such a connection, there may be no indication at all.
Complicating the situation is the fact that almost no one knows that these identifiers are being inserted by some carriers, and almost no one knows that SSL encryption can be turned off by the remote site. Fortunately, you can at least find out if your carrier is inserting such a number into your phone’s data stream by visiting a page run by Kenn White, who runs an auditing service.
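The following is an added example, not code from eWEEK or from the audit page mentioned above, showing the server-side half of such a check: it inspects a plaintext HTTP request as a web server receives it and flags header names that look like carrier-inserted identifiers. The header name X-UIDH is an assumption taken from public reporting on Verizon’s Unique Identifier Header; the page itself names only the mechanism. The sample requests and the token value are constructed for the example and nothing is fetched from the network.

```python
"""Added example: flag carrier-injected identifier headers in a plaintext HTTP
request, the server-side half of an audit page like the one described above.
The sample requests below are constructed; nothing is fetched."""
import re
from typing import Dict, List

# Assumption: X-UIDH is the header name Verizon's Unique Identifier Header was
# publicly reported under. The article names the mechanism, not the header.
KNOWN_TRACKING_HEADERS = {"x-uidh"}

# Heuristic for other carrier additions: a non-standard X- header whose name
# hints at a subscriber or device identity. Tune it to what your traffic shows.
SUSPICIOUS_NAME = re.compile(r"(uid|subscriber|msisdn|imsi|device-?id)", re.IGNORECASE)


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request; names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_tracking_headers(raw: str) -> List[str]:
    """Return the names of headers that look like carrier-inserted identifiers."""
    hits = []
    for name in parse_request_headers(raw):
        if name in KNOWN_TRACKING_HEADERS or (
            name.startswith("x-") and SUSPICIOUS_NAME.search(name)
        ):
            hits.append(name)
    return sorted(hits)


def audit_verdict(raw: str) -> str:
    """One-line verdict an audit page could show back to the visitor."""
    hits = find_tracking_headers(raw)
    if hits:
        return "TRACKED: your carrier is adding " + ", ".join(hits)
    return "CLEAN: no carrier identifier header seen on this request"


# Constructed sample traffic. The X-UIDH value is made up, not a real token.
INJECTED_REQUEST = (
    "GET /check HTTP/1.1\r\n"
    "Host: audit.example\r\n"
    "User-Agent: Mozilla/5.0 (iPhone) Safari\r\n"
    "X-UIDH: Q09OU1RSVUNURURfU0FNUExFX1RPS0VO\r\n"
    "Accept: */*\r\n"
    "\r\n"
)
CLEAN_REQUEST = (
    "GET /check HTTP/1.1\r\n"
    "Host: audit.example\r\n"
    "User-Agent: Mozilla/5.0 (iPhone) Safari\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("injected", INJECTED_REQUEST), ("clean", CLEAN_REQUEST)):
        print(label, "->", audit_verdict(req))
```

The check only tells you anything when the request reaches the server in the clear: a carrier proxy can add headers to plaintext HTTP but cannot alter the inside of a TLS session, which is exactly why a site that wants the identifier has an incentive to pull the device off HTTPS, as the article goes on to describe.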
To make matters worse, even when you’re connected using a secure protocol, you might not be very secure if you’re switched back after the site retrieves the identifier. Carter suggests checking any sites you plan to visit first by running them through the SSL Labs test site.
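As an added example (not eWEEK’s, Arxan’s or SSL Labs’ code), here is a small audit of the redirect behaviour Carter describes: it follows a site’s redirect chain one hop at a time, reports every place the scheme drops from https to http, says whether the chain ends on an insecure URL (the “done wrong” case), and notes whether the secure responses carried a Strict-Transport-Security header, which a browser that has seen it honours by refusing plaintext loads of that host. The hostnames and responses are a constructed lookup table standing in for real servers; the `fetch` callable is an assumption you would replace with a real client that does not follow redirects on its own.

```python
"""Added example: audit a redirect chain for an HTTPS-to-HTTP downgrade and
report whether the session ends up secure. The "server" is a constructed table
of responses; the hostnames are placeholders, not real sites."""
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse

Response = Tuple[int, Dict[str, str]]          # (status code, response headers)
Hop = Tuple[str, int, Dict[str, str]]           # (url visited, status, headers)

# Constructed responses keyed by URL.
FAKE_SERVER: Dict[str, Response] = {
    # Drops to HTTP to read the identifier, then returns to HTTPS ("done right").
    "https://shop.example/": (302, {"Location": "http://shop.example/?ref=1"}),
    "http://shop.example/?ref=1": (302, {"Location": "https://shop.example/home"}),
    "https://shop.example/home": (200, {}),
    # Drops to HTTP and never comes back ("done wrong").
    "https://sticky.example/": (302, {"Location": "http://sticky.example/cart"}),
    "http://sticky.example/cart": (200, {}),
    # Stays on HTTPS and asks browsers to pin it there.
    "https://bank.example/": (200, {"Strict-Transport-Security": "max-age=31536000"}),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def fake_fetch(url: str) -> Response:
    """Stand-in for an HTTP client that does NOT follow redirects itself."""
    return FAKE_SERVER[url]


def follow_chain(start: str, fetch: Callable[[str], Response], max_hops: int = 10) -> List[Hop]:
    """Walk redirects one hop at a time, recording each URL and its response."""
    chain: List[Hop] = []
    url = start
    for _ in range(max_hops):
        status, headers = fetch(url)
        chain.append((url, status, headers))
        location = headers.get("Location")
        if status not in REDIRECT_CODES or location is None:
            break
        url = urljoin(url, location)   # resolve relative Location values too
    return chain


def find_downgrades(chain: List[Hop]) -> List[Tuple[str, str]]:
    """Pairs of consecutive hops where the scheme falls from https to http."""
    urls = [u for u, _, _ in chain]
    return [(a, b) for a, b in zip(urls, urls[1:])
            if urlparse(a).scheme == "https" and urlparse(b).scheme == "http"]


def audit(start: str, fetch: Callable[[str], Response] = fake_fetch) -> Dict[str, object]:
    """Summarise what a user visiting `start` would actually be exposed to."""
    chain = follow_chain(start, fetch)
    final_url = chain[-1][0]
    hsts_seen = any(
        urlparse(u).scheme == "https" and "Strict-Transport-Security" in h
        for u, _, h in chain
    )
    return {
        "hops": [u for u, _, _ in chain],
        "downgrades": find_downgrades(chain),
        "ends_insecure": urlparse(final_url).scheme == "http",
        "hsts_seen": hsts_seen,
    }


if __name__ == "__main__":
    for site in ("https://shop.example/", "https://sticky.example/", "https://bank.example/"):
        print(site, "->", audit(site))
```

Even the “done right” chain is worth flagging for a device used in regulated work: the identifier was still read, and the request that carried it, including its cookies and URL, went over the network in the clear for that one hop. The HSTS check is a mitigation signal rather than a guarantee, since a browser only honours it once it has seen the header (or has the host preloaded), so a first visit can still be downgraded.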
But that’s only part of the problem. Analyst Craig Mathias points out that almost no one realizes or even considers that it’s a problem that data is being transferred or that advertising will be sent to your mobile device. “I tried it on my phone, and I was quite surprised,” he said.
Mathias noted that unless advertising is disabled, it eats up the bandwidth allocation that you or your company is paying for. Twitter is one of the companies making use of the unique identifiers as a way to serve advertising, he said.
The problem, of course, isn’t the advertising, per se, nor is it the use of the identifier. The problem is that it’s not necessarily disclosed to users and that opting out is difficult or impossible.
With Verizon, for example, you can opt out of the company sharing private information, but not the process of injecting the number into your data stream. Until you can control that, your company’s communications are at risk and you could fail an audit even if nobody steals a thing.