When it comes to using Internet services such as Google and Facebook, the general rule of thumb is that you are giving up privacy in exchange for free stuff. You have probably heard the adage that if you aren’t a paying customer, you’re the product being sold. It’s a reminder of the Faustian bargain we make whenever we accept the terms of service agreements for “free” social networks and apps that allow companies to collect intimate data, from the websites we frequent to the contents of our emails. The implication is that the inverse is also true: If you are paying for something, you’re a customer, not the product. Right?
Disturbingly, this is not always the case. Last week security researchers revealed that the two largest telecommunications providers in the U.S., Verizon and AT&T, are tracking and monetizing their customers’ Web browsing habits and app usage in the same way you’d expect Facebook or Google to. Even worse, they are doing so by modifying customers’ Internet traffic to attach a persistent, unblockable tracking ID to every Web request. It’s part of a troubling trend in which consumers are effectively charged twice: once in the form of a hefty monthly bill and again in the form of access to their private data.
In other words, even when you’re the paying customer, sometimes you’re still the product.
A new, dangerous paradigm
According to security researchers, Verizon and AT&T have been quietly manipulating Internet traffic on their networks, injecting tracking beacons into every packet of unencrypted data their customers send and receive. These bits of code, which Verizon calls unique identifier headers (UIDH), operate much like the tracking cookies that websites place on your computer to target you with ads. The big difference is that Verizon’s and AT&T’s trackers are persistent and permanent. They follow you across every page you visit and monitor which apps you use, and you can’t block them by simply adjusting browser settings. Verizon says it has been using the trackers since 2012, the same year it began an initiative called Precision Market Insights, which collects data about the online habits of its paying customers and sells it to advertisers in the form of periodic trend reports. Its main competitor, AT&T, has a similar program that subjects customers to the same kind of tracking, though the company claims it’s only in a testing phase.
Both companies are well aware of how intrusive their tracking schemes are. At an industry conference two years ago, the chief executive of Verizon’s U.S. advertising initiative bragged about the company’s ability to spy on customers, saying, “We’re able to view just everything that they do” on the company’s network. Incredibly, this was just four years after both Verizon and AT&T pledged before Congress to refrain from tracking users. Verizon’s executive vice president said during that session that any company capturing user data “should obtain meaningful, affirmative consent from consumers” — the polar opposite of the company’s current posturing. AT&T’s chief privacy officer agreed and even wagged a finger at Google while articulating her company’s supposed commitment to customer privacy, saying, “We encourage all companies that engage in online behavioral advertising ... likewise to adopt this affirmative advance consent paradigm.”
Ironically, the fact that Verizon and AT&T are leveraging their nearly total control over the country’s telecommunications infrastructure to track customers is due in large part to the success of companies like Google. It’s no wonder Silicon Valley’s now ubiquitous business model of corporate surveillance — offering free services that spy on users and monetize their information — has led more traditional businesses, such as Internet service providers, to be tempted by the untapped data flowing through their systems.
The new paradigm has opened a Pandora’s box of dangers and opportunities. The idea of companies’ offering deals and discounts in exchange for sensitive user data is not only becoming mainstream but widely accepted. Google offers its Nexus devices at dramatically reduced prices not because the company has somehow managed to reduce supply costs but because it is selling subsidized products whose primary objective is to help you provide Google with more of your data. Online retail giant Amazon has similar subsidies on its Kindles and Fire phones, devices that not only collect incredibly intimate data about your media consumption habits but also are captive portals created to help you buy more stuff on — you got it — Amazon.
At least in these cases, you’re getting something — free software, discounted devices — out of the deal. Verizon and AT&T customers are being automatically opted in to invasive tracking schemes that offer them no tangible benefits. The companies claim that the collected data is anonymized and reassure customers that they can opt out of the tracking at any time. Both of these claims are dubious. First, researchers have shown that supposedly anonymous data is often anything but and that individuals can be identified within large data sets with relative ease. In one 2013 study, Harvard researchers were able to identify more than 40 percent of the people who participated in a human genetics experiment, linking their names to highly sensitive records regarding medical conditions, drug use, abortions and sexually transmitted diseases.
The claim that customers can opt out of tracking programs is also misleading. Security researcher Kenn White, who built a site that checks if your device is being tracked, found that both Verizon’s and AT&T’s tracking beacons are added to Web traffic even after users opt out. Verizon later admitted there is no way to prevent the trackers from being sent; opting out merely stops the company from using them to target you with ads. The only way to avoid the trackers entirely is by visiting websites that support encrypted connections or by connecting to the Internet through a virtual private network. (AT&T anticipated the former, and it has a patent that proposes actually downgrading users to insecure connections so tracking codes can go through.) And since the trackers are being sent over unencrypted channels, any third party — including stalkers, criminals and other companies — can still use them to track and build profiles on customers as they move across the Web.
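The check behind a tracker-detection site can be sketched as a comparison of what the client sent with what the server received over plain HTTP. This is an added example, not code from Kenn White's site or from either carrier; the header name `X-UIDH` is the one Verizon's identifier was reported under, and the host names, ID value and the assumption that both sides of the request were captured are constructed for illustration.

```python
"""Added example: find headers inserted between client and server."""

# Header names treated as carrier trackers. "X-UIDH" carries Verizon's UIDH;
# the set is illustrative and can be extended (assumption, not from the page).
KNOWN_TRACKERS = {"x-uidh"}


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x request into {lowercase name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(":")
        if sep:                                # ignore malformed lines
            headers[name.strip().lower()] = value.strip()
    return headers


def injected_in_transit(sent: bytes, received: bytes) -> dict:
    """Headers the server saw that the client never sent, or whose value changed."""
    before, after = parse_headers(sent), parse_headers(received)
    return {n: v for n, v in after.items() if before.get(n) != v}


def report(sent: bytes, received: bytes) -> dict:
    """Split in-transit additions into known tracking headers and everything else."""
    diff = injected_in_transit(sent, received)
    return {
        "tracker": {n: v for n, v in diff.items() if n in KNOWN_TRACKERS},
        "other": {n: v for n, v in diff.items() if n not in KNOWN_TRACKERS},
    }


# Constructed sample: the request as the browser sent it...
SENT = (b"GET / HTTP/1.1\r\nHost: check.example\r\n"
        b"User-Agent: demo-browser\r\n\r\n")
# ...and as it arrived at the server over plain HTTP (ID value is made up).
RECEIVED = (b"GET / HTTP/1.1\r\nHost: check.example\r\n"
            b"User-Agent: demo-browser\r\n"
            b"X-UIDH: CONSTRUCTED-PLACEHOLDER-ID\r\n"
            b"Via: 1.1 proxy.example\r\n\r\n")

if __name__ == "__main__":
    print(report(SENT, RECEIVED))
    # Over an encrypted connection the request cannot be edited in transit,
    # so the server sees exactly what was sent and the report is empty.
    print(report(SENT, SENT))
```
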
ProPublica’s Julia Angwin and Jeff Larson have discovered that Twitter’s mobile advertising arm, MoPub, is already using the Verizon identifiers for user tracking of its own. Cybercriminals who frequently target ad networks for the troves of data they store would also undoubtedly benefit from having access to unique customer IDs. And we can safely assume the persistent beacons are an enormous boon to intelligence services such as the National Security Agency, which is known to use browser cookies and advertising IDs to track surveillance targets and infect devices with spyware, according to documents leaked by former NSA contractor-turned-whistleblower Edward Snowden.
Tracking schemes like Verizon’s and AT&T’s should serve as a warning, even to those who aren’t worried about their privacy. Whether guided by advertisers or the NSA, we are sleepwalking into a world of default mass surveillance, in which even paying customers are quarries of data to be mined by the very companies that are supposed to serve them. Trading our data for free stuff is tempting, but it’s also a gateway to greater inequality. As the practice becomes normalized, data simply becomes another commodity that companies demand from us. The result is an aggregate loss of security and consumer rights, benefiting no one but the corporate Internet gatekeepers that already stand to profit.