November 14, 2014 | By Jacob Hoffman-Andrews

AT&T Ditches Tracking Header Program; Verizon Still Refuses

Julia Angwin reported late Thursday that AT&T is dropping their tracking supercookie program. This comes in the wake of massive customer pressure over the discovery that AT&T and Verizon were quietly inserting unique tracking identifiers in their customers' web browsing and app data, by means of an HTTP header. The tracking identifiers quickly became known as "supercookies" because they enable tracking, like cookies, but cannot be removed.

AT&T told Angwin that the header program "has been phased off our network." Security researcher Kenn White, who operates a site to check whether a carrier inserts the header, partially confirmed the report. White said "it's not zero, but as a relative proportion, down over 90% and falling." At least one person found that AT&T is still sending the header, so it's important that AT&T do a full review of their network to ensure the phase-out is truly complete. Angwin also reports that Verizon is continuing its tracking program. EFF's own tests so far confirm the tracking header is now absent from accounts that were previously subject to header injection.

Decline in observed AT&T headers. Chart by Kenn White.

This move by AT&T leaves Verizon out in the cold as the only remaining US provider to insert these tracking headers, and shows that concerned customers can produce meaningful change in their carriers' policies. It is also a victory for carrier non-interference with customer data. We call on Verizon to follow AT&T's lead and terminate their tracking header injection program or convert it to a true opt-in, immediately.

There have also been reports of international mobile providers doing similar tracking header injection. We call on all network providers globally to respect their customers' data and not inject tracking headers.

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

In Xilinx ruling, Federal Circuit suggests trolls still able to drag you to their distant lairs.

Feb 17 @ 3:14pm

A ruling in Microsoft's fight against gag orders covering government requests for user data

Feb 17 @ 2:14pm

As cities like San Jose consider using "smart city" tech, they need to protect residents' privacy.

Feb 17 @ 11:36am
JavaScript license information