Request For Research Presentations For the PrivacyCon Conference
HTTP header enrichment allows mobile operators to annotate HTTP connections via the use of a wide range of request headers. Operators employ proxies to introduce such headers for operational purposes, and---as recently widely publicized---also to assist advertising programs in identifying the subscriber responsible for the originating traffic, with significant consequences for the user's privacy. In this talk, we will talk about our efforts to identify and characterize HTTP header enrichment in modern mobile networks. In our study, we use data collected by the Netalyzr network troubleshooting service over 16 months. We present a timeline of HTTP header usage for 299 mobile service providers (including both mobile network operators as well as mobile virtual network operators, MVNOs) from 112 countries, observing three main categories: (1) unique user and device identifiers (e.g., IMEI and IMSI), (2) headers related to advertising programs, and (3) headers associated with network operations. Unfortunately, those practices are implemented without user-awareness. In fact, many users lack of mechanisms to detect and prevent such practices, therefore, promoting user awareness is vital. I attach both a preliminary version of the talk as well as our ACM HotMiddlebox'15 paper in which we describe more in detail HTTP Header Enrichment.