Request For Research Presentations For the PrivacyCon Conference #00008

Submission Number:
Deji Olukotun
Access Now
New York
Initiative Name:
Request For Research Presentations For the PrivacyCon Conference
Access's report "The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy" is an in-depth investigation into the global use of so-called "supercookies" or "permacookies" to track your web browsing. The results were based on almost 200,000 tests on -- a site developed by Access to allow people to test their devices to see if they were being tracked. We offer findings based on more than six months of tests about the use of tracking headers worldwide, and provide recommendations for governments, carriers, websites, intergovernmental bodies, and researchers. Highlights of the report include: - Evidence of widespread deployment. Carriers in 10 countries around the world, including Canada, China, India, Mexico, Morocco, Peru, the Netherlands, Spain, the United States, and Venezuela, are using tracking headers? - Correlative evidence exists that tracking headers may have been used by carriers for more than a decade. We found information indicating the use of tracking headers dating back 15 years.? - Users cannot block tracking headers because they are injected by carriers beyond their control. "Do not track" tools in web browsers do not block the tracking headers. Tracking headers can attach to the user even when roaming across international borders.? - Tracking headers leak private information about users and make them vulnerable to criminal attacks or even government surveillance.? - Tracking headers raise troubling questions about privacy as new technologies are developed. Current trends suggest that tracking headers will grow in use or will be replaced by a new tracking technology. The FTC is especially well placed to understand the use of tracking headers. The FTC has previously been encouraged to investigate persistent cookies, and in fact has issued a Rule with direct bearing on this situation. The FTC's amended Children's Online Privacy Protection Rule ("COPPA") requires operators to get parental consent before collecting personal information of children under 13. The amended Rule came into force in 2013, and defines personal information to include a "cookie," "that can be used to recognize a user over time and across different websites or online services, even where such identifier is not paired with other items of personal information." The Privacy Protection Rule applies to mobile providers like Verizon, who are operators of general online services and have actual knowledge that some of their users are children under 13, such as users of "family plans." Deji Olukotun is a lead author of the report and would be accompanied by another lead author, including possibly Gustaf Bjorksten, Chief Technologist at Access Now, or Peter Micek, Senior Policy Counsel at Access Now. The report was released at the end of August 2015. We would update it with additional information learned since its publication. Deji Olukotun is a licensed attorney who holds a BA from Yale, a J.D. from Stanford Law School, and masters degrees in Justice & Transformation and Creative Writing from the University of Cape Town. He is the Senior Global Advocacy Manager at Access Now. Access Now is an international organization that extends and defends the digital rights of users at risk around the world.