{"id":19458,"date":"2022-06-28T10:45:05","date_gmt":"2022-06-28T18:45:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/06\/28\/news-13191\/"},"modified":"2022-06-28T10:45:05","modified_gmt":"2022-06-28T18:45:05","slug":"news-13191","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/06\/28\/news-13191\/","title":{"rendered":"\u2018Supercookies\u2019 Have Privacy Experts Sounding the Alarm"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62bb25b22d121fa443291b7f\/master\/pass\/Supercookies_Science_GettyImages-1194303228.jpg\"\/><\/p>\n<p><strong>Credit to Author: Chris Stokel-Walker| Date: Tue, 28 Jun 2022 16:05:21 +0000<\/strong><\/p>\n<p class=\"BylineWrapper-iiTsTb hAGfXd byline bylines__byline\" data-testid=\"BylineWrapper\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\" class=\"BylineNamesWrapper-dbkCxf erRIa-D\"><span data-testid=\"BylineName\" class=\"BylineName-cKXFOb UCAzg byline__name\"><a class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt BaseLink-gZQqBA BylineLink-eZnyPI eTiIvU mEZDb fNdcwQ bKZMMS byline__name-link button\" href=\"\/author\/chris-stokel-walker\">Chris Stokel-Walker<\/a><\/span><\/span><\/p>\n<p><span class=\"lead-in-text-callout\">Customers of some<\/span> phone companies in Germany, including Vodafone and Deutsche Telekom, have had a slightly different browsing experience from those on other providers since early April. 
Rather than seeing ads through regular third-party tracking cookies stored on devices, they\u2019ve been part of a trial called TrustPid.<\/p>\n<p class=\"paywall\">TrustPid allows mobile carriers to generate pseudo-anonymous tokens based on a user\u2019s IP address that are administered by a company also named TrustPid. Each user is assigned a different token for each participating website they visit, and these can be used to provide personalized product recommendations\u2014but in what <a data-offer-url=\"https:\/\/trustpid.com\/findoutmore\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/trustpid.com\/findoutmore&quot;}\" href=\"https:\/\/trustpid.com\/findoutmore\" rel=\"nofollow noopener\" target=\"_blank\">TrustPid calls<\/a> \u201ca secure and privacy-friendly way.\u201d It\u2019s that \u201cprivacy-friendly\u201d part that has raised critics\u2019 hackles.<\/p>\n<p class=\"paywall\">The internet runs on advertising: <a data-offer-url=\"https:\/\/www.iab.com\/news\/digital-advertising-soared-35-to-189-billion-in-2021-according-to-the-iab-internet-advertising-revenue-report\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.iab.com\/news\/digital-advertising-soared-35-to-189-billion-in-2021-according-to-the-iab-internet-advertising-revenue-report\/&quot;}\" href=\"https:\/\/www.iab.com\/news\/digital-advertising-soared-35-to-189-billion-in-2021-according-to-the-iab-internet-advertising-revenue-report\/\" rel=\"nofollow noopener\" target=\"_blank\">Digital ads worth a total of $189 billion<\/a> were bought and sold last year, according to the Internet Advertising Bureau (IAB). 
But the ad industry\u2019s dirty little not-so-secret is that it relies on intrusive surveillance of people\u2019s online activities, piecing together their interests based on the websites they visit, what they post, and more.<\/p>\n<p class=\"paywall\">For Vodafone, the company running the trial in Germany, TrustPid offers an alternative by allowing advertisers to gain value from customer insights while also supposedly keeping those users\u2019 data private. But <a data-offer-url=\"https:\/\/twitter.com\/Chronotope\/status\/1513900415632429062\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/Chronotope\/status\/1513900415632429062&quot;}\" href=\"https:\/\/twitter.com\/Chronotope\/status\/1513900415632429062\" rel=\"nofollow noopener\" target=\"_blank\">not<\/a> <a data-offer-url=\"https:\/\/twitter.com\/WolfieChristl\/status\/1539022423345045504\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/WolfieChristl\/status\/1539022423345045504&quot;}\" href=\"https:\/\/twitter.com\/WolfieChristl\/status\/1539022423345045504\" rel=\"nofollow noopener\" target=\"_blank\">everyone<\/a> <a data-offer-url=\"https:\/\/twitter.com\/PrivacyMatters\/status\/1531688610675793923\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/PrivacyMatters\/status\/1531688610675793923&quot;}\" href=\"https:\/\/twitter.com\/PrivacyMatters\/status\/1531688610675793923\" rel=\"nofollow noopener\" target=\"_blank\">agrees<\/a>. Internet privacy experts have labeled TrustPid a supercookie\u2014a piece of technology that links a crumb of data to a user\u2019s IP address and mobile phone number\u2014and believe the trial should be halted and commercial plans shelved. 
They are particularly concerned about the way network operators are co-opting what is meant to be a simple passage of communications data, which they have unique access to, to transform it into a targeted advertising platform. Deutsche Telekom did not respond to WIRED\u2019s request for comment. Vodafone says it\u2019s all a misunderstanding.<\/p>\n<p class=\"paywall\">\u201cLet me stress that the TrustPid service is not a supercookie,\u201d says Simon Poulter, senior manager of corporate communications at Vodafone Group, which is overseeing the German trial. Instead, the telco refers to the technology as being \u201cbased on digital tokens which do not include any personally identifiable information.\u201d Each token, says Poulter, has a limited lifespan of 90 days that is specific to individual advertisers and publishers.<\/p>\n<p class=\"paywall\">William Harmer, product lead at Vodafone, says the project isn\u2019t a supercookie because it doesn\u2019t use data interception to build up customer profiles, unlike the ad tech once used by Verizon Wireless, which in 2016 was <a data-offer-url=\"https:\/\/www.fcc.gov\/document\/fcc-settles-verizon-supercookie-probe\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.fcc.gov\/document\/fcc-settles-verizon-supercookie-probe&quot;}\" href=\"https:\/\/www.fcc.gov\/document\/fcc-settles-verizon-supercookie-probe\" rel=\"nofollow noopener\" target=\"_blank\">fined $1.35 million<\/a> by the US Federal Communications Commission (FCC) for having injected supercookies into users\u2019 mobile browser requests for two years without consent. 
A <a data-offer-url=\"https:\/\/www.accessnow.org\/cms\/assets\/uploads\/archive\/AIBT-Report.pdf\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.accessnow.org\/cms\/assets\/uploads\/archive\/AIBT-Report.pdf&quot;}\" href=\"https:\/\/www.accessnow.org\/cms\/assets\/uploads\/archive\/AIBT-Report.pdf\" rel=\"nofollow noopener\" target=\"_blank\">2015 investigation<\/a> by digital civil rights nonprofit Access Now found that carriers across 10 different countries used supercookies dating back to 2000. Those negative headlines are why Vodafone pushes back so vehemently against the supercookie designation.<\/p>\n<p class=\"paywall\">Vodafone claims TrustPid, which has each partner website generate a different token for the same user, reduces the likelihood of user data being triangulated across websites to create extensive profiles of user interests\u2014a major concern for internet users sick of being chased around the web by targeted ads. \u201cThe technology has been built following a privacy-first design, and it complies with all <a href=\"https:\/\/www.wired.com\/story\/gdpr-2022\/\">GDPR<\/a> requirements and related legislation,\u201d says Poulter.<\/p>\n<p class=\"paywall\">The TrustPid pilot came about because of the changing face of online advertising, says Harmer. \u201cOn the one hand, you have a lot of privacy measures being looked at for being anti-competitive,\u201d he says. 
\u201cThen you\u2019ve got a lot of discussions around customer data being hemorrhaged and leaked quite openly on the internet.\u201d Vodafone believed it could tackle both issues, giving advertisers the confidence to spend money online while offering customers protection over their data.<\/p>\n<p class=\"paywall\">Vodafone says it has informed appropriate regulatory bodies of the trial, adding that it has met twice with the German Federal Commissioner for Data Protection and Freedom of Information (BfDI). BfDI spokesperson Christof Stein says the organization was \u201cmerely informed by Vodafone about its trial of TrustPid technology together with Deutsche Telekom, as we are the responsible data protection authority for those telco companies.\u201d Stein also pointed out that the establishment of TrustPid as a separate company based in the UK means that the responsible data authority for TrustPid is the UK\u2019s Information Commissioner\u2019s Office (ICO). ICO spokesperson Debora Biasutti tells WIRED that \u201cany proposal that continues to facilitate cross-web tracking without putting users firmly in control is unlikely to resolve the privacy issues prevalent in online advertising.\u201d Harmer confirmed that TrustPid has not had a conversation with the UK data protection authority.<\/p>\n<p class=\"paywall\">Stein confirmed that the BfDI has not been contacted by the independent company running TrustPid. 
As for whether it adheres to data protection rules, the BfDI says TrustPid could argue that its unique, pseudonymous network identifier is a value-added service under <a data-offer-url=\"https:\/\/edps.europa.eu\/data-protection\/our-work\/subjects\/eprivacy-directive_en\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/edps.europa.eu\/data-protection\/our-work\/subjects\/eprivacy-directive_en&quot;}\" href=\"https:\/\/edps.europa.eu\/data-protection\/our-work\/subjects\/eprivacy-directive_en\" rel=\"nofollow noopener\" target=\"_blank\">the EU\u2019s ePrivacy Directive<\/a>.<\/p>\n<p class=\"paywall\">The key word is \u201ccould.\u201d \u201cOnly an informed and voluntary given consent is an acceptable foundation for the use of this technology,\u201d says Stein. \u201cHigh standards must be set here, and we are skeptical that the current consent fulfills that aim.\u201d<\/p>\n<p class=\"paywall\">The BfDI has not yet made a final decision about the data processing in the German trial, Stein says. The GSM Association, an industry body with more than 1,200 members, including Vodafone\u2019s German and UK arms, says it hasn\u2019t been consulted about the TrustPid trial but will be asking its technical teams to look at how data is handled.<\/p>\n<p class=\"paywall\">One former GSMA director of privacy has made up his mind, however. \u201cIt\u2019s extremely disappointing to see mobile operators behave in this way,\u201d says Pat Walshe, a data protection and privacy consultant who worked at the GSMA between 2009 and 2015. 
\u201cThey should be the custodians of the confidentiality of your communications and your data\u2014but here it\u2019s quite clear these operators see you as yet another source of revenue by mining your personal data and treating you as a digital billboard.\u201d Walshe sees it as particularly troublesome because it comes a decade after he wrote a set of privacy principles for the GSMA and the industry that he thinks TrustPid\u2019s approach would contradict.<\/p>\n<p class=\"paywall\">Walshe isn\u2019t alone. \u201cCompanies that operate communication networks should neither track their customers nor should they help others to track them,\u201d says Wolfie Christl, a researcher at Cracked Labs in Vienna, which investigates the data industry. \u201cI consider the project an abuse of their very specific trusted position as communication network providers. It is a dangerous attack on the rights of millions.\u201d<\/p>\n<p class=\"paywall\">Walshe believes that TrustPid would struggle to claim it has obtained user consent to gather the data it does. \u201cI don\u2019t know how anybody would agree to an honest statement that we can analyze all your data, who you call, where you were when you called them, and so on,\u201d he says. 
\u201cI don\u2019t know anybody who would agree to that statement\u2014and it would have to be that explicit.\u201d TrustPid\u2019s <a data-offer-url=\"https:\/\/trustpid.com\/privacynotice\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/trustpid.com\/privacynotice&quot;}\" href=\"https:\/\/trustpid.com\/privacynotice\" rel=\"nofollow noopener\" target=\"_blank\">privacy policy<\/a> outlines the types of information that it collects from users and follows two key guidelines, says Vodafone\u2019s Harmer: that you can accept or reject the service easily, and that there\u2019s a clear explanation of what data is processed and how.<\/p>\n<p class=\"paywall\">Christl worries that TrustPid is trying to justify its deployment with \u201cthe misleading and meaningless pseudo-consent banners we have to deal with on websites every day.\u201d (For his part, Harmer says that <a href=\"https:\/\/www.wired.com\/story\/what-do-cookie-preferences-pop-ups-mean\/?utm_source=twitter&amp;utm_medium=social&amp;utm_campaign=onsite-share&amp;utm_brand=wired&amp;utm_social-type=earned\">cookie banners<\/a> are themselves problematic because they\u2019re not easy enough for users to reject, and TrustPid is trying to steer clear of using them.) Christl says the project is \u201cirresponsible and outrageous\u201d and \u201cundermines trust into communication technology, and thus should be stopped immediately.\u201d<\/p>\n<p class=\"paywall\">Whether you call it a digital token or a supercookie, TrustPid\u2019s bid to revolutionize online advertising has struck a nerve among digital privacy campaigners. 
Vodafone claims it wasn\u2019t allowed to explain its side of the story in <a data-offer-url=\"https:\/\/www.spiegel.de\/netzwelt\/netzpolitik\/trustpid-die-rueckkehr-der-super-cookies-a-6ea53d94-5996-4d6b-aed5-dfb5f51ab942\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.spiegel.de\/netzwelt\/netzpolitik\/trustpid-die-rueckkehr-der-super-cookies-a-6ea53d94-5996-4d6b-aed5-dfb5f51ab942&quot;}\" href=\"https:\/\/www.spiegel.de\/netzwelt\/netzpolitik\/trustpid-die-rueckkehr-der-super-cookies-a-6ea53d94-5996-4d6b-aed5-dfb5f51ab942\" rel=\"nofollow noopener\" target=\"_blank\">early<\/a> <a data-offer-url=\"https:\/\/omr.com\/de\/daily\/vodafone-trustpid\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/omr.com\/de\/daily\/vodafone-trustpid\/&quot;}\" href=\"https:\/\/omr.com\/de\/daily\/vodafone-trustpid\/\" rel=\"nofollow noopener\" target=\"_blank\">coverage<\/a> <a data-offer-url=\"https:\/\/www.golem.de\/sonstiges\/zustimmung\/auswahl.html?from=https%3A%2F%2Fwww.golem.de%2Fnews%2Fsuper-cookie-trustpid-vertrauen-ist-gut-datenschutz-waere-besser-2206-166259.html&amp;referer=https%3A%2F%2Ft.co%2F\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.golem.de\/sonstiges\/zustimmung\/auswahl.html?from=https%3A%2F%2Fwww.golem.de%2Fnews%2Fsuper-cookie-trustpid-vertrauen-ist-gut-datenschutz-waere-besser-2206-166259.html&amp;referer=https%3A%2F%2Ft.co%2F&quot;}\" href=\"https:\/\/www.golem.de\/sonstiges\/zustimmung\/auswahl.html?from=https%3A%2F%2Fwww.golem.de%2Fnews%2Fsuper-cookie-trustpid-vertrauen-ist-gut-datenschutz-waere-besser-2206-166259.html&amp;referer=https%3A%2F%2Ft.co%2F\" rel=\"nofollow noopener\" target=\"_blank\">of<\/a> <a 
data-offer-url=\"https:\/\/www.heise.de\/news\/Werbe-Tracking-Vodafone-und-Telekom-testen-TrustPID-7126856.html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.heise.de\/news\/Werbe-Tracking-Vodafone-und-Telekom-testen-TrustPID-7126856.html&quot;}\" href=\"https:\/\/www.heise.de\/news\/Werbe-Tracking-Vodafone-und-Telekom-testen-TrustPID-7126856.html\" rel=\"nofollow noopener\" target=\"_blank\">the trial<\/a> in German media. \u201cThere were assumptions that we were repeating some of the things that have happened elsewhere, which are in our view bad from a customer\u2019s point of view,\u201d says Harmer. That early coverage set the tone for what followed, the company believes. A second issue? \u201cWe are trying to facilitate digital advertising,\u201d he says. \u201cThere is a limited exchange of data we think is required to make that take place between a customer and a website. Some people don\u2019t believe that should take place at all.\u201d<\/p>\n<p class=\"paywall\">A successful trial for Vodafone would involve convincing content providers\u2014or websites wanting to sell ads against their content\u2014that it\u2019s an idea worth pursuing. The company also recognized it needs to win advertisers over. \u201cThere probably won\u2019t be enough scale in the pilot to say that this is redefining how things work, but [there could be enough] to give us some signs that it could help advertisers and publishers work,\u201d says Harmer. The company is also conscious of consumer feedback\u2014and that it\u2019s been far from positive to date. For Walshe, that negative response is unsurprising. 
\u201cI think it\u2019s an arrogant view of customers,\u201d he says, \u201cas these passive individuals who don\u2019t care about their data being used in this way.\u201d<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/trustpid-digital-token-supercookie\/\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62bb25b22d121fa443291b7f\/master\/pass\/Supercookies_Science_GettyImages-1194303228.jpg\"\/><\/p>\n<p><strong>Credit to Author: Chris Stokel-Walker| Date: Tue, 28 Jun 2022 16:05:21 +0000<\/strong><\/p>\n<p>A German ad-tech trial features what Vodafone calls \u201cdigital tokens.\u201d Should you be worried?<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21382],"class_list":["post-19458","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-privacy"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19458","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19458"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19458\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19458"}],"wp:term":[{"taxo
nomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19458"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19458"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}