‘Supercookies’ Have Privacy Experts Sounding the Alarm

Credit to Author: Chris Stokel-Walker| Date: Tue, 28 Jun 2022 16:05:21 +0000

To revist this article, visit My Profile, then View saved stories.

To revist this article, visit My Profile, then View saved stories.

Customers of some phone companies in Germany, including Vodafone and Deutsche Telekom, have had a slightly different browsing experience from those on other providers since early April. Rather than seeing ads through regular third-party tracking cookies stored on devices, they’ve been part of a trial called TrustPid.

TrustPid allows mobile carriers to generate pseudo-anonymous tokens based on a user’s IP address that are administered by a company also named TrustPid. Each user is assigned a different token for each participating website they visit, and these can be used to provide personalized product recommendations—but in what TrustPid calls “a secure and privacy-friendly way.” It’s that “privacy-friendly” part that has raised critics’ hackles.

The internet runs on advertising: Digital ads worth a total of $189 billion were bought and sold last year, according to the Internet Advertising Bureau (IAB). But the ad industry’s dirty little not-so-secret is that it relies on intrusive surveillance of people’s online activities, piecing together their interests based on the websites they visit, what they post, and more.

For Vodafone, the company running the trial in Germany, TrustPid offers an alternative by allowing advertisers to gain value from customer insights while also supposedly keeping those users’ data private. But not everyone agrees. Internet privacy experts have labeled TrustPid a supercookie—a piece of technology that links a crumb of data to a user’s IP address and mobile phone number—and believe the trial should be halted and commercial plans shelved. They are particularly concerned about the way network operators are co-opting what is meant to be a simple passage of communications data, which they have unique access to, to transform it into a targeted advertising platform. Deutsche Telekom did not respond to WIRED’s request for comment. Vodafone says it’s all a misunderstanding.

“Let me stress that the TrustPid service is not a supercookie,” says Simon Poulter, senior manager of corporate communications at Vodafone Group, which is overseeing the German trial. Instead, the telco refers to the technology as being “based on digital tokens which do not include any personally identifiable information.” Each token, says Poulter, has a limited lifespan of 90 days that is specific to individual advertisers and publishers.

William Harmer, product lead at Vodafone, says the project isn’t a supercookie because it doesn’t use data interception to build up customer profiles, unlike the ad tech once used by Verizon Wireless, which in 2016 was fined $1.35 million by the US Federal Communications Commission (FCC) for having injected supercookies into users’ mobile browser requests for two years without consent. A 2015 investigation by digital civil rights nonprofit Access Now found that carriers across 10 different countries used supercookies dating back to 2000. Those negative headlines are why Vodafone pushes back so vehemently against the supercookie designation.

Vodafone claims TrustPid, which has each partner website generate a different token for the same user, reduces the likelihood of user data being triangulated across websites to create extensive profiles of user interests—a major concern for internet users sick of being chased around the web by targeted ads. “The technology has been built following a privacy-first design, and it complies with all GDPR requirements and related legislation,” says Poulter.

The TrustPid pilot came about because of the changing face of online advertising, says Harmer. “On the one hand, you have a lot of privacy measures being looked at for being anti-competitive,” he says. “Then you’ve got a lot of discussions around customer data being hemorrhaged and leaked quite openly on the internet.” Vodafone believed it could tackle both issues, giving advertisers the confidence to spend money online while offering customers protection over their data.

Vodafone says it has informed appropriate regulatory bodies of the trial, adding that it has met twice with the German Federal Commissioner for Data Protection and Freedom of Information (BfDI). BfDI spokesperson Christof Stein says the organization was “merely informed by Vodafone about its trial of TrustPid technology together with Deutsche Telekom, as we are the responsible data protection authority for those telco companies.” Stein also pointed out that the establishment of TrustPid as a separate company based in the UK means that the responsible data authority for TrustPid is the UK’s Information Commissioner’s Office (ICO). ICO spokesperson Debora Biasutti tells WIRED that “any proposal that continues to facilitate cross-web tracking without putting users firmly in control is unlikely to resolve the privacy issues prevalent in online advertising.” Harmer confirmed that TrustPid has not had a conversation with the UK data protection authority.

Stein confirmed that the BfDI has not been contacted by the independent company running TrustPid. As for whether it adheres to data protection rules, the BfDI says TrustPid could argue that its unique, pseudonymous network identifier is a value-added service under the EU’s ePrivacy Directive.

The key word is “could.” “Only an informed and voluntary given consent is an acceptable foundation for the use of this technology,” says Stein. “High standards must be set here, and we are skeptical that the current consent fulfills that aim.”

The BfDI has not yet made a final decision about the data processing in the German trial, Stein says. The GSM Association, an industry body with more than 1,200 members, including Vodafone’s German and UK arms, says it hasn’t been consulted about the TrustPid trial but will be asking its technical teams to look at how data is handled.

One former GSMA director of privacy has made up his mind, however. “It’s extremely disappointing to see mobile operators behave in this way,” says Pat Walshe, a data protection and privacy consultant who worked at the GSMA between 2009 and 2015. “They should be the custodians of the confidentiality of your communications and your data—but here it’s quite clear these operators see you as yet another source of revenue by mining your personal data and treating you as a digital billboard.” Walshe sees it as particularly troublesome because it comes a decade after he wrote a set of privacy principles for the GSMA and the industry that he thinks TrustPid’s approach would contradict.

Walshe isn’t alone. “Companies that operate communication networks should neither track their customers nor should they help others to track them,” says Wolfie Christl, a researcher at Cracked Labs in Vienna, which investigates the data industry. “I consider the project an abuse of their very specific trusted position as communication network providers. It is a dangerous attack on the rights of millions.”

Walshe believes that TrustPid would struggle to claim it has obtained user consent to gather the data it does. “I don’t know how anybody would agree to an honest statement that we can analyze all your data, who you call, where you were when you called them, and so on,” he says. “I don’t know anybody who would agree to that statement—and it would have to be that explicit.” TrustPid’s privacy policy outlines the types of information that it collects from users and follows two key guidelines, says Vodafone’s Harmer: that you can accept or reject the service easily, and that there’s a clear explanation of what data is processed and how.

Christl worries that TrustPid is trying to justify its deployment with “the misleading and meaningless pseudo-consent banners we have to deal with on websites every day.” (For his part, Harmer says that cookie banners are themselves problematic because they’re not easy enough for users to reject, and TrustPid is trying to steer clear of using them.) Christl says the project is “irresponsible and outrageous” and “undermines trust into communication technology, and thus should be stopped immediately.”

Whether you call it a digital token or a supercookie, TrustPid’s bid to revolutionize online advertising has struck a nerve among digital privacy campaigners. Vodafone claims it wasn’t allowed to explain its side of the story in early coverage of the trial in German media. “There were assumptions that we were repeating some of the things that have happened elsewhere, which are in our view bad from a customer’s point of view,” says Harmer. That early coverage set the tone for what followed, the company believes. A second issue? “We are trying to facilitate digital advertising,” he says. “There is a limited exchange of data we think is required to make that take place between a customer and a website. Some people don’t believe that should take place at all.”

A successful trial for Vodafone would involve convincing content providers—or websites wanting to sell ads against their content—that it’s an idea worth pursuing. The company also recognized it needs to win advertisers over. “There probably won’t be enough scale in the pilot to say that this is redefining how things work, but [there could be enough] to give us some signs that it could help advertisers and publishers work,” says Harmer. The company is also conscious of consumer feedback—and that it’s been far from positive to date. For Walshe, that negative response is unsurprising. “I think it’s an arrogant view of customers,” he says, “as these passive individuals who don’t care about their data being used in this way.”

https://www.wired.com/category/security/feed/