Fresh spotlight on supercookies and Verizon

Mar 07, 2016, 3:16 PM EST
Source: Poster Boy/flickr
Source: Poster Boy/flickr

The news on Monday that Verizon Communications will pay $1.35 million in fines to the Federal Communications Commission, and that it has agreed to a three-year consent decree, puts the concept of “supercookies” and user tracking back in the spotlight, and is another chapter in the U.S.’s struggle to understand and contain the use of tracking headers by huge companies.

Reuters reports that the F.C.C. found Verizon’s wireless unit guilty of violating the privacy of its users by employing tech dubbed supercookies: tracking headers, or codes, inserted into web traffic to individually identify customers to both Verizon and, more importantly, advertisers. The case goes back to March 2015, when several U.S. senators sounded the alarm about Verizon’s practice of allowing consumers to opt out of having their traffic tracked, and becoming subject to supercookie technology. The F.C.C. has determined that supercookies violate user privacy by overriding consumer privacy practices set on web browsers, and said Verizon failed to disclose the fact that it was using this technology from late 2012 to 2014, which also violates a 2010 F.C.C. regulation on internet transparency.

The identifiers go by terms other than supercookies, i.e., perma-cookies, tracking headers, and others. But mostly they have been a controversial technology over the last few years as privacy advocates, consumer rights groups, and some government agencies have gone after big tech businesses that employ them to better target advertising. Studies conducted have shown that some wireless web browsers reveal user phone numbers to advertisers, and mostly have focused on the notion of consent policies — something Verizon has now agreed to adopt as policy.

Its agreement with the F.C.C. requires it to allow users to opt in to sharing their information outside Verizon Wireless; it also gives them the right to opt out of sharing it with Verizon. But Verizon isn’t the only company that has come under fire for tracking headers. AT&T has been similarly criticized by privacy groups. 

And, on an international scale, many a telco abroad has been accused of using the same tech to bypass privacy policies. A 2015 study from Access Now found that large mobile carriers including Telefonica de Espana, Vodafone in Spain and the Netherlands, and Bell Canada and Viettel Peru use supercookies, and overall, the tech was detected in 10 countries, including China, India, Mexico, Morocco and Venezuela.

Indeed, not tracking headers specifically, but another form of cookies was at the center of a debate last year for Facebook in Belgium. As the company faced probes and investigations on all European sides for its privacy practices, Blouin News reported that Belgium’s privacy watchdog accused Facebook of “trampling” on European privacy laws, saying that by tracking people online without their consent and dodging questions from national regulators the company refused to recognize Belgian and other E.U. national jurisdictions.

The Verizon case highlights just how much more work there is for privacy advocates to get the government to go after big tech corporations on their behalf. But it seems as though the F.C.C. is on board to pursue the big guys in some capacity. One obstacle is understanding the technology, and that is where telcos have an advantage: if the government can’t grasp the tech as quickly as the company can deploy it, the telco will already have a hoard of collected data before it is reprimanded.