It's bad enough that Verizon and AT&T have unleashed a new breed of "supercookie" that can track your every online move, even as you switch between your smartphone, tablet and TV. Far worse is the possibility of abuse by advertisers, governments and hackers, privacy experts warn.
"Any website you're going to end up on is going to get this supercookie," said Marc Maiffret, chief technology officer of cybersecurity company BeyondTrust. That opens the potential for these supercookies to be exploited by many more people than Verizon anticipated with its tracking program, he said.
Verizon, the largest mobile carrier in the US, uses information gleaned from its supercookies to understand your interests and concerns by tracking the websites you visit and links you click on. It then supplies that information to its advertisers so they can craft finely targeted advertising campaigns.
About 106 million of Verizon's consumer customers have been tracked this way for over two years by the company's Precision Market Insights program, according to a report by the Electronic Frontier Foundation published last week. AT&T tracks fewer customers, but only because the company says its program is still being tested.
Verizon and AT&T are the largest wireless carriers in the US.
"You're making it very difficult for people who want privacy to find it on the Internet," Paul Ohm, a senior policy adviser to the Federal Trade Commission and associate professor at the Colorado Law School, told The Washington Post, which reported the tracking programs last week.
Supercookies aren't called "super" for nothing. It's hard if not outright impossible to delete them. Verizon does allows customers to opt out of the tracking program: To opt out, consumers must unsubscribe from Precision Market Insights via Verizon's Wireless Web portal, its mobile app or over the phone.
"Customer privacy is a top priority. We never, ever share customer information with third-parties," said Verizon Wireless representative Adria Tomaszewski.
Verizon also changes its supercookie once a week, at the least. That's frequently enough to prevent third parties from exploiting Verizon's supercookie to their advantage, Tomaszewski said.
AT&T's supercookie is similar, although the company changes its supercookie every 24 hours and doesn't attach it after a customer deactivates it, the company told CNET News.
Cryptography researcher Kenneth White said his research indicates those supercookies never really go away.
And that's the problem, added Jacob Hoffman-Andrews, a senior technologist at the Electronic Frontier Foundation. "Your identity can be [rebuilt] from the cookies," he said.
T-Mobile said it has no plans to use supercookies. Sprint said that it does not use them.
Update 5:25 p.m. on Nov. 11 with comment from Sprint.