Nine international mobile providers, including Bell Canada, Vodafone NL, and Verizon track the websites their users visit on their phones. The digital rights group Access has just released a report entitled “The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy.” The report focuses on special tracking headers that mobile providers inject into their users’ web browsing sessions and use to track their surfing habits. Nicknamed supercookies, these tracking headers are injected by mobile companies when users access the internet but unlike regular internet cookies, they can’t be deleted or opted-out of and they can leak user data. (Note: after a previous public outcry, Verizon has started to offer customers the option of opting-out of this form of tracking.)

Typical internet cookies are small pieces of information sent from a website and stored in your web browser. They are intended for websites to remember information such as which items you’ve placed in a digital shopping cart or what data you’ve previously entered into online forms. These cookies can be deleted by the user and most web browsers offer private browsing options which avoid the use of such cookies. Most of the tracking headers mentioned in this report cannot be opted-out of or deleted by the user, as the mobile providers in question inject the tracking data as part of the user’s network connection, between their mobile device and the server of the website they are visiting.

The researchers found that “tracking headers leak private information about users and make them vulnerable to criminal attacks or even government surveillance.” In particular, they noted that “Certain tracking headers leak important private information about the user in clear text, including phone numbers.” One of the positive aspects of the report is that the tracking headers do not function on websites which have an encrypted connection, ie. an HTTPS connection rather than an HTTP. 

Access offers mobile users a website to test their mobile provider. http://amibeingtracked.com allows users to test their mobile carriers and see if they are using these tracking headers. Simply turn off your WiFi connection on your phone and make sure you are on a 3G, 4G, or LTE network, visit the site and press the Test Now button. We’re happy to report a positive result: