BY CRAIG TIMBERG
Verizon and AT&T have been quietly tracking the Internet activity of more than 100 million cellular customers with what critics have dubbed “supercookies” — markers so powerful that it’s difficult for even savvy users to escape them.
The technology has allowed the companies to monitor which sites their customers visit, cataloging their tastes and interests. Consumers cannot erase these supercookies or evade them by using browser settings, such as the “private” or “incognito” modes that are popular among users wary of corporate or government surveillance.
Verizon and AT&T say they have taken steps to alert their customers to the tracking and to protect customer privacy as the companies develop programs intended to help advertisers hone their pitches based on individual Internet behavior. But as word has spread about the supercookies in recent days, privacy advocates have reacted with alarm, saying the tracking could expose user Internet behavior to a wide range of outsiders — including intelligence services — and may also violate federal telecommunications and wiretapping laws.
One civil liberties group, the Electronic Frontier Foundation, says it has raised its concerns with the Federal Communications Commission and is contemplating formal legal action to block Verizon. AT&T’s program is not as advanced and, according to the company, is still in testing.
The stakes are particularly high, privacy advocates say, because Verizon’s experimentation with supercookies is almost certain to spur copycats eager to compete for a larger share of the multibillion-dollar advertising profits won by Google, Facebook and others.
Those companies track their users and sell targeted advertising based on what they learn. Supercookies could allow cellular carriers and other Internet providers to do the same, potentially encircling ordinary users in a Web of tracking far more extensive than experienced today.
“You’re making it very difficult for people who want privacy to find it on the Internet,” said Paul Ohm, a former Federal Trade Commission official who teaches at the University of Colorado Law School.
Verizon began tracking its 106 million “retail” customers — meaning those who don’t have business or government contracts — in November 2012, the company said. The company excluded all government and some business customers, though it would not say how many. Verizon said it sent notifications to customers and offered a way for them to opt out of the program, but it declined to say how many did.
Privacy advocates, who typically favor systems in which customers must choose to participate by opting in, have long maintained that such company notices are ineffective; the few who read them struggle to express their preferences. Even those who did opt out of the Verizon program still have a unique identifying code attached to all of their Web traffic, the company said, but that information is not used to build behavioral profiles that are sold to advertisers.
A company spokeswoman, Adria Tomaszewski, said the supercookie — a unique combination of letters and numbers — is changed regularly to prevent others from tracking Verizon customers, but she declined to say how often. Tomaszewski also said that those who are not part of the Verizon advertising program called Precision Market Insights are not able to use the supercookie to track Verizon customers.
“The way it’s built, it wouldn’t be able to be used for that,” Tomaszewski said.
Independent researchers dispute that claim. Unique codes — such as device ID numbers, Internet protocol addresses and cookies — get shared among Web sites, advertisers and data brokers, allowing them all to gather so much information on individual users that it’s easy to derive a name or other identifying data, experts say. The process is called “de-anonymizing” a user.
One security researcher, Stanford’s Jonathan Mayer, said, “I don’t know any computer scientist who takes that ‘It’s anonymous’ argument seriously. It’s been so thoroughly debunked in so many ways.”
Critics also say the supercookies, especially if more widely deployed, will be extremely valuable to intelligence agencies that monitor Internet behavior. The National Security Agency has used cookies — an older and more easily erased tracking code that is stored on a browser — to pinpoint Internet users worldwide for hacking attacks, The Washington Post reported last year.
AT&T declined to say how long it has been tracking its customers’ Internet behavior but said the program remains in testing and has not yet been used to target advertising. “We are considering such a program, and any program we would offer would maintain our fundamental commitment to customer privacy,” spokeswoman Emily J. Edmonds said in an e-mail.
The AT&T supercookie changes every 24 hours in an effort to protect privacy, Edmonds said.
AT&T’s program, unlike Verizon’s, would not attach an identifying code to its customers’ Internet traffic once they opt out.
There was surprise among security researchers and privacy activists in the days after the Electronic Frontier Foundation, based in San Francisco, first tweeted about the practice on Oct. 22, calling it “terrible” and citing an article in Advertising Age from May. Several news organizations have since reported the news.
Jacob Hoffman-Andrews, a senior staff technologist for the foundation, said he was surprised by the intensity of the reaction generated by the tweet, which was sent from his account. “Everybody was like, ‘Wow, that’s really appalling,’ ” he said.
The potential legal issues, experts say, stem in part from the Communications Act, which prohibits carriers from revealing identifying information about their customers or helping others to do so. That is at the heart of complaints by the foundation, which is contemplating a lawsuit or other action to stop Verizon, said one of the group’s lawyers, Nate Cardozo.
Also potentially at issue is the federal Wiretap Act, which prohibits altering personal communications during transmission without consent or a court order. Ohm, the law professor, said the companies could be vulnerable if a court found that the notification efforts by Verizon and AT&T were not adequate. Officials from both companies told a Senate committee in 2008 that they wouldn’t begin tracking their customers without seeking explicit permission first.
Privacy advocates say that without legal action, in court or by a regulatory agency such as the FCC or FTC, the shift toward supercookies will be impossible to stop. Only encryption can keep a supercookie from tracking a user. Other new tracking technologies are probably coming soon, advocates say.
“There’s a stampede by the cable companies and wireless carriers to expand data collection,” said Jeffrey Chester, executive director of the Center for Digital Democracy, a Washington-based advocacy group. “They all want to outdo Google.”