Return of the supercookie?
Tech writer Chris Stokel-Walker (@stokel) reports, “Customers of some phone companies in Germany, including Vodafone and Deutsche Telekom, have had a slightly different browsing experience from those on other providers since early April. Rather than seeing ads through regular third-party tracking cookies stored on devices, they’ve been part of a trial called TrustPid. TrustPid allows mobile carriers to generate pseudo-anonymous tokens based on a user’s IP address that are administered by a company also named TrustPid. … Internet privacy experts have labeled TrustPid a supercookie.” If you are wondering what a supercookie is, journalist Madelyn Bacon explains:
“A supercookie is a type of tracking cookie inserted into an HTTP header by an internet service provider (ISP) to collect data about a user’s internet browsing history and habits. Also known as a Unique Identifier Header, a supercookie isn’t technically an HTTP cookie, but rather information injected into packets sent from a user’s device and the service it connects to. When the internet service provider (ISP) detects a user’s HTTP traffic it inserts an extra HTTP header into the packets after they leave the user’s computer. Supercookies can be used to collect a wide array of data on users’ personal internet browsing habits including the websites users visit and the time they visit them. It does not matter which browser is being used or if users switch browsers. Supercookies can also access information collected by traditional tracking cookies — including login information, cached images and files and plug-in data — and store that information even after the traditional cookie has been deleted.”
Bacon reports, “In 2014, Verizon Wireless added supercookies to all of its mobile users as part of its advertising programs, a move that was strongly opposed by privacy advocates such as the Electronic Frontier Foundation.” Verizon also got in trouble for using supercookies. In 2016, the US Federal Communications Commission (FCC) fined Verizon $1.35 million for injecting supercookies into users’ mobile browser requests for two years without consent. The reason they are called supercookies, Bacon explains, is that “unlike traditional tracking cookies, there is no easy way for a user to know a supercookie was added during their Internet browsing session. A supercookie cannot be removed by deleting the cache of the web browser like a traditional cookie because of the extra header inserted into the packets after they leave the user’s computer or mobile device. Ad blocking software is also ineffectual against supercookies, which can leak sensitive user information and be used by third parties, such as advertising companies, to track individuals across multiple websites.”
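Because the header Bacon describes is inserted after a request leaves the device, it can only be seen from the receiving end. As an added example (not from the article or from any carrier's code), the Python below compares the request head a client sent with the head an echo server under your control received; the host name, the `X-Example-Subscriber-Id` header, the list of ordinary proxy headers and both sample requests are constructed for illustration.

```python
import math
from collections import Counter

# Headers that ordinary proxies add in transit (assumed list for this example).
BENIGN_TRANSIT = {"via", "forwarded", "x-forwarded-for", "x-forwarded-proto", "x-real-ip"}

def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP request head into {lowercased name: value}."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip request line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def shannon_entropy(value: str) -> float:
    """Bits per character; long random tokens score high."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values()) if n else 0.0

def find_injected(sent_raw: str, received_raw: str, min_len: int = 16,
                  min_entropy: float = 3.5) -> list[tuple[str, str]]:
    """Return (header, kind) for every header that differs on arrival."""
    sent, received = parse_headers(sent_raw), parse_headers(received_raw)
    findings = []
    for name, value in received.items():
        if sent.get(name) == value:
            continue  # arrived unchanged
        if name in sent:
            kind = "modified"
        elif name in BENIGN_TRANSIT:
            kind = "proxy"
        elif len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            kind = "identifier-like"  # long, random-looking value: possible tracking token
        else:
            kind = "added"
        findings.append((name, kind))
    return findings

# Constructed sample: what the client sent vs. what the echo server logged.
SENT = "GET /echo HTTP/1.1\r\nHost: echo.example\r\nUser-Agent: probe/1.0\r\nAccept: */*\r\n\r\n"
RECEIVED = ("GET /echo HTTP/1.1\r\nHost: echo.example\r\nUser-Agent: probe/1.0\r\n"
            "Accept: */*\r\nVia: 1.1 carrier-proxy\r\n"
            "X-Example-Subscriber-Id: 9f3c1a7be24d4c08b6a1e5d07c42f9ab\r\n\r\n")

if __name__ == "__main__":
    for header, kind in find_injected(SENT, RECEIVED):
        print(f"{header}: {kind}")
```

The comparison only works over plain `http://`, since an intermediary cannot rewrite headers inside a TLS-protected request; running it once on the mobile network and once on Wi-Fi separates carrier additions from anything the client itself sends.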
According to Stokel-Walker, Vodafone insists TrustPid is not a supercookie. He quotes Simon Poulter, senior manager of corporate communications at Vodafone Group, who stated, “Let me stress that the TrustPid service is not a supercookie.” He explains that TrustPid is “based on digital tokens which do not include any personally identifiable information [and each token] has a limited lifespan of 90 days that is specific to individual advertisers and publishers.” Another Vodafone executive, William Harmer, also insists TrustPid “isn’t a supercookie because it doesn’t use data interception to build up customer profiles, unlike the ad tech once used by Verizon Wireless.”
Natasha Lomas of TechCrunch calls the TrustPid scheme a “twist” on the Verizon scheme. She writes, “The ‘twist,’ if you can call it that, is that different tokens are generated for each ad partner — which they claim ‘limits’ the merging of data from different ad partners to create profiles on customers. But individual level ad targeting is still individual level ad targeting. (And consent spam may still be unlawfully attention sapping.) The telcos involved in TrustPid are proposing to manage — and presumably monetize — advertisers’ access to this network-based infrastructure.” She also notes, “EU privacy regulators are also on early alert, having fielded complaints and/or raised concerns over the telcos’ approach — which suggests regulatory intervention could follow if carriers decide to move ahead with a full launch.”
The targeted marketing conundrum
There is a constant tension between consumers and advertisers. Consumers understand the need for advertising. In fact, they often rely on advertising when searching for products they need or desire. On the other hand, consumers don’t like surrendering their privacy. Targeted advertising sits in the breach of this conundrum. As Stokel-Walker observes, “The internet runs on advertising: Digital ads worth a total of $189 billion were bought and sold last year, according to the Internet Advertising Bureau (IAB).” He adds, “But the ad industry’s dirty little not-so-secret is that it relies on intrusive surveillance of people’s online activities, piecing together their interests based on the websites they visit, what they post, and more.”
As I noted earlier, many experts suggest the best way to handle this conundrum is through the use of first-party data (i.e., data collected directly from consumers with their explicit consent). That’s not what is happening with TrustPid. Wolfie Christl, a researcher at Cracked Labs in Vienna, told Stokel-Walker, “Companies that operate communication networks should neither track their customers nor should they help others to track them. I consider the project an abuse of their very specific trusted position as communication network providers. It is a dangerous attack on the rights of millions. … I don’t know how anybody would agree to an honest statement that we can analyze all your data, who you call, where you were when you called them, and so on. I don’t know anybody who would agree to that statement — and it would have to be that explicit.”
The tension between consumers and advertisers isn’t going away. In many ways, it’s a healthy tension requiring both sides to be cautious. Whether you want to define TrustPid as a supercookie or not, the fact remains that the system is likely to come under great scrutiny and consumers are likely to force policymakers to act against it. As Stokel-Walker concludes, “Whether you call it a digital token or a supercookie, TrustPid’s bid to revolutionize online advertising has struck a nerve among digital privacy campaigners.”
 Natasha Lomas, “Uh oh! European carriers are trying to get into ‘personalized’ ad targeting,” TechCrunch, 24 June 2022.
 Chris Stokel-Walker, “‘Supercookies’ Have Privacy Experts Sounding the Alarm,” Wired, 28 June 2022.
 Madelyn Bacon, “Supercookie,” TechTarget.