AT&T Stops Using 'Super Cookies' To Track Cellphone Data
jriding (1076733) writes AT&T Mobility, the nation's second-largest cellular provider, says it's no longer attaching hidden Internet tracking codes to data transmitted from its users' smartphones. The practice made it nearly impossible to shield its subscribers' identities online.
Would be nice to hear something similar from Verizon.
Putting ourselves in such awkward position ... (Score:5, Insightful)
Reading the TFA
AT&T Mobility, the nation's second-largest cellular provider, says it's no longer attaching hidden Internet tracking codes to data transmitted from its users' smartphones. The practice made it nearly impossible to shield its subscribers' identities online
Would be nice to hear something similar from Verizon
really makes me cringe!
First of all, why on earth are we, the users, putting ourselves at the mercy of companies such as Verizon or AT&T?
I mean, WE PAID THEM to do the "data carrier job" for us, or in other words, they are not our boss.
Why are we letting them have the power to insert "super cookies" (or whatever fuck else they can come up with) inside the datastreams that we paid them to carry?
So many people are making so much noise about FREE SERVICES (search engines / social sites such as Google or FB) for "tracking" them; where the hell are those people when PAID SERVICES such as AT&T and/or Verizon are doing the same thing to them??
Why are we giving away so much of our own rights??
Re: (Score:1)
Really? You "highly doubt" that the same telcos who are practically bending over backwards to track their own users and sell that shit to the NSA would be "stupid" enough for an MITM attack?
What you call "stupid" the NSA calls "making their job a hell of a lot easier." What do you think the purpose was behind AT&T sabotaging TLS encryption for e-mail? A MITM attack. You think you're using an encrypted connection but you're actually sending everything in glorious, easily-mined plain text. Well, not any
Re: (Score:1)
Ad hominem attack is ad hominem
Re: (Score:2)
Given everything they have done, how can you even imagine they would hesitate to do that?
Bad people do bad things. Doubly so when the 'person' is of the legally incorporated multi-national variety.
The better argument against GP is the almost purely ad-hominem attack.
Re: (Score:2)
Yes. Yes they would. Cricket, a subsidiary of AT&T, has been altering email connections to strip out STARTTLS, so your email traffic, and possibly also your password, is sent via plain text instead of being encrypted. And LOTS of very private communications are sent via email.
If AT&T can make a buck by wrecking your encryption, they will.
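A way to check for the STARTTLS stripping described in this comment, given here as an added example that is not part of the thread: compare the EHLO reply a mail server gives over a trusted path with the reply seen through the carrier. The host name and both sample replies are constructed for illustration.

```python
import re

EHLO_LINE = re.compile(r"^250([ -])(.*)$")

# Constructed sample replies (hypothetical host). DIRECT is the reply over a
# trusted path; MOBILE is the same server seen through the carrier, with the
# STARTTLS capability replaced by a filler keyword.
DIRECT = "\n".join(["250-mail.example.net", "250-SIZE 35882577",
                    "250-STARTTLS", "250 AUTH PLAIN LOGIN"])
MOBILE = "\n".join(["250-mail.example.net", "250-SIZE 35882577",
                    "250-XXXXXXXA", "250 AUTH PLAIN LOGIN"])

def parse_ehlo(reply):
    """Return the set of extension keywords advertised in an EHLO reply."""
    keywords = set()
    for index, line in enumerate(reply.strip().splitlines()):
        match = EHLO_LINE.match(line.strip())
        if match is None:
            raise ValueError(f"not an EHLO success line: {line!r}")
        if index == 0:
            continue  # first line is the server greeting, not an extension
        words = match.group(2).split()
        if words:
            keywords.add(words[0].upper())
    return keywords

def assess(direct_reply, mobile_reply):
    """Compare capabilities seen on the two paths and report a downgrade."""
    direct, mobile = parse_ehlo(direct_reply), parse_ehlo(mobile_reply)
    return {
        "starttls_stripped": "STARTTLS" in direct and "STARTTLS" not in mobile,
        "missing_on_mobile": sorted(direct - mobile),
        "unexpected_on_mobile": sorted(mobile - direct),
        # AUTH offered without STARTTLS means credentials would go in clear.
        "auth_would_be_cleartext": "AUTH" in mobile and "STARTTLS" not in mobile,
    }

if __name__ == "__main__":
    for key, value in assess(DIRECT, MOBILE).items():
        print(f"{key}: {value}")
```

A mail client set to require TLS, rather than use it only when offered, fails closed when the capability disappears instead of sending the password in clear text.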
Re:Putting ourselves in such awkward position ... (Score:4, Interesting)
You're forgetting, the last time those very same telcos engaged in mass law-breaking on the behalf of the NSA, they got blanket immunity as a reward. Those who didn't cooperate got contracts terminated and a 'coincidental' string of denials on the regulatory front.
It may be dirty and crooked but not stupid to go ahead and do the MITM attack secure in the knowledge that at the end of the day their customers will be forced to eat the losses and have nowhere else to go for their telecommunications if anything goes bad.
You only get spanked if you don't cut the NSA in on the haul. That is NOT paranoia, it's a summary of recent history.
Moreover, the only way they could even do it would be to install trusted certificates on the phones that they sell. How long do you suppose that would fly under the radar before being discovered? Do you really think Google or Apple would go along with it? Use some common sense man....
The telcos have considerable latitude with the extra crap they bundle onto the phones. Do you really think Apple would rather not sell iFruits in the U.S. than agree to allow a few mandatory extras from the telcos?
Re: (Score:2)
What do you mean? AT&T owns Cricket, which has just been found to alter the data sent from your email program to your email provider, stripping out STARTTLS so that instead of having a secure method to send your password and email, it is sent in the clear.
These companies have to be smacked down by the FCC and told that they ARE just dumb pipes. Their job is to transport our data back and forth, and that is ALL. Not log it, not sell it, not slow it down, not alter it, nothing but transport. And it do
Re: (Score:1)
Unfortunately, they are required by law to log and retain all the data.
Re: (Score:2)
What compelling reason is there to transmit data in clear text?
Even if StartSSL offers personal S/MIME and TLS certificates without charge, and even if all hostnames have a distinct IPv6 address, the "manual dance" of certificate renewal [slashdot.org] involves a substantial recurring overhead cost in labor. It can't be set on auto-renew like hosting.
Re: (Score:3)
The service has become important enough that opting out is hard yet there aren't enough competitors and there's not enough freedom to switch to keep them honest. Meanwhile, consumer regulation and privacy in particular is practically non-existent in telecommunications.
Force them to harmonize their standards so all phones can work on all networks, ban them from locking phones, require open bootloaders, force them to allow free switching of SIMs. All of that is to make sure customers can flee bad policy decis
Correction (Score:5, Insightful)
AT&T *claims* to have stopped using internal tracking codes.
Whether or not you believe one of the top 3 most evil corporations on the planet is up to you.
Re: (Score:2)
AT&T *claims* to have stopped using internal tracking codes.
Whether or not you believe one of the top 3 most evil corporations on the planet is up to you.
I wouldn't believe anything any of the large telecom companies say with the possible exception of T-Mobile. And even with T-Mobile, I'm likely to have a healthy dose of skepticism.
Re: (Score:3)
No, they 'claim' they have stopped doing it with CELLPHONE data. Everything else is still fair game as far as I read it. Cellphones already are tracking devices so super cookies are redundant.
Re: (Score:1)
proper translation: "we found another way to do the same thing"
Re:Correction (Score:5, Funny)
Now they use their new ultra secret tracking brownies.
Re: Correction (Score:1)
Just check for yourself here: http://lessonslearned.org/sniff
I verified my AT&T phone is no longer including the cookies.
Somehow I doubt (Score:1)
Re: (Score:1)
Why even report on it?...
It isn't verifiable.
Not much else to talk about right now. You know, except maybe the weather... Is it raining where you are?
Re: (Score:2)
How isn't it verifiable? The whole thing that made this extra, extra evil was that they were deanonymizing their clients for everyone to see. Run a web server? Access it from your phone, see if your subscriber ID is still there in a header.
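The check suggested in this comment, written out as an added example that is not part of the thread: record the headers the phone sent, record the headers your own server received, and flag anything that appeared in transit and looks like an opaque identifier. The header name `X-Example-Subscriber-Id`, its value, and the allow-list of routine proxy headers are constructed assumptions.

```python
import math
import re
from collections import Counter

# Headers that ordinary proxies add; reported but not flagged.
# This allow-list is an assumption for the example, not an exhaustive set.
ROUTINE_HOPS = {"via", "x-forwarded-for", "x-forwarded-proto", "forwarded"}

# Constructed sample: what the phone sent, and what the server logged.
SENT = {"Host": "myserver.example", "User-Agent": "TestPhone/1.0", "Accept": "*/*"}
RECEIVED = dict(SENT, **{
    "Via": "1.1 proxy.example",
    "X-Example-Subscriber-Id": "Nzk0ODQyMTU5AGh2Zk1pQ3ZqT0pWeXhQ",  # hypothetical
})

def shannon_entropy(value):
    """Bits per character of the value's character distribution."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def looks_like_identifier(value):
    """Heuristic: a long, opaque, high-entropy token resembles a subscriber ID."""
    token = value.strip()
    return (len(token) >= 16
            and re.fullmatch(r"[A-Za-z0-9+/=_\-]+", token) is not None
            and shannon_entropy(token) >= 3.5)

def find_injected_headers(sent, received):
    """Return {header: (value, suspicious)} for headers the client never sent."""
    sent_names = {name.lower() for name in sent}  # header names are case-insensitive
    findings = {}
    for name, value in received.items():
        key = name.lower()
        if key in sent_names:
            continue
        suspicious = key not in ROUTINE_HOPS and looks_like_identifier(value)
        findings[key] = (value, suspicious)
    return findings

if __name__ == "__main__":
    for name, (value, suspicious) in find_injected_headers(SENT, RECEIVED).items():
        print(f"{'SUSPICIOUS' if suspicious else 'added     '} {name}: {value}")
```

Run the comparison over plain HTTP on the cellular connection, not Wi-Fi: headers cannot be inserted into an HTTPS request in transit, so an HTTPS test will always come back clean.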
Evenhanded Responses (Score:5, Insightful)
Six comments so far, and all very nice to AT&T. I would have expected more hating.
I'll try: fuck 'em.
Re: (Score:1)
Did it work?
before giving ATT kudos.. (Score:5, Insightful)
The pattern more than likely will be something like this:
1. Get called out for bullshit, anti-consumer practice
2. Throw out PR spin about how they care about their customers, and don't do said practice
3. Finally admit to the practice, promise to stop
4. Wait a length of time until the practice becomes more 'industry standard', and the furor has died down
5. Reimplement under a new name
This tracking garbage is probably far too lucrative -- both to law enforcement (well they see themselves as law enforcement) and advertisers to ever really pass up.
Now that the genie is out of the bottle, it's not going back in.
Re: (Score:1)
The same way the NSA ships data to the 5 eyes and lets them do the things they can't.
Hear something similar from Verizon? Riiight. (Score:5, Informative)
They believe being "compelled" to carry traffic with the content of which they decide to disagree is a violation of their first amendment rights.
If you're like me, you flat-out rejected that statement, on sight. Right? There is simply no way that statement isn't some overhyped overheated drama? Clickbait or karma whoring or somebody nursing a grudge?
By denying Internet service providers their editorial discretion and by compelling them to convey content providers’ messages with which they may disagree, the Order violates broadband providers’ First Amendment rights [cato.org]
I think they just switched (Score:1)
To a different way of doing it.
TFA misses the point (Score:4, Insightful)
The way to end this is not to say, "Would be nice to hear something similar from Verizon" like it's some sort of game.
TFA (and the summary) are silent on the real question, which is, "What right do they have to fuck with my traffic?"
It's like they are asking to be reclassified as a Title II common carrier.
Idiotic (Score:1)
Of course. By now, they don't need cookies: they have all the data they need already through simple transparent snort and span ports.... man oh man....
Trackability (Score:1)