FCC Plan Might Kill Verizon's “Supercookie” Tracking Once and For All

The FCC's new privacy proposal might end ISPs' ability to send unkillable tracking code without customers opting in, but the details will matter.

Thanks to a huge loophole, Verizon has so far barely gotten a slap on the wrist for its "supercookie" program, which has allowed the telecom giant to track and monetize its paying customers' web browsing habits without consent.

But that might all be changing under a new Federal Communications Commission proposal, which Chairman Tom Wheeler seems to think will stop internet service providers from tracking customers who haven't specifically opted in, even when that tracking is being done by in-house advertising networks.

The new FCC proposal, announced last week, responds to criticism of the Commission's recently issued consent decree forbidding Verizon and other ISPs from sharing customers' internet activity with third parties unless they opt in. At issue were Unique Identifier Headers, or UIDH, unkillable tracking beacons that Verizon and AT&T were injecting into all unencrypted traffic on their networks, allowing themselves and third parties to monitor customers' browsing habits and monetize the data through targeted advertising.

The consent decree effectively codified changes Verizon had already made, requiring that customers opt in before the company can track them with the beacons. But it left a huge exception for first-party corporate subsidiaries like AOL, which Verizon now owns and whose enormous ad network reaches on average 40 percent of the desktop internet-using populace, according to comScore.

In other words, while third-party tracking without consent is now verboten, big telecoms like Verizon can still use tracking beacons to collect and share customer data with any in-house ad networks they may have purchased. And crucially, they can do so without customers proactively opting in to the tracking first.

But under the new proposal, Wheeler tells ProPublica that customers' internet records would be given protections that telephone records—including the duration, frequency, location and participants of calls—have had for decades. The rules would "overrule the consent decree" and would allow corporate subsidiaries such as AOL to collect and use customer behavioral data only for marketing "communications related services," Wheeler says. It would ostensibly mean Verizon can no longer have the AOL ad network utilize its tracking beacons without a user's explicit consent.

That would be a huge win for privacy advocates and anyone who thinks internet service providers are supposed to make money by, you know, providing internet service—not tracking and monetizing users.

But Wheeler's proposal still has many important blanks that need filling in. For one, it's not clear how broadly companies could interpret a "communications related service" under the new rules. Could Verizon simply argue that all its customers' web browsing data can potentially be used for "communications related" marketing and continue sending the tracking beacons without their permission?

In response to a query about the proposal, an FCC spokeswoman pointed Motherboard to Section 222 of the Communications Act, which defines "communications related services" as "telecommunications services, information services typically provided by telecommunications carriers, and services related to the provision or maintenance of customer premises equipment."

"The Chairman's proposal seeks comment on whether a broadband ISP may use or share with an affiliate customers' personal information for the purpose of marketing communications-related services subject to opt-out," the spokeswoman told Motherboard in an email.

Perhaps more worrisome is that it would still be kosher for companies to charge extra for the "luxury" of not spying on customers' internet activity. AT&T's gigabit fiber-optic network, for example, currently charges customers $29 per month more if they don't want the company to scrutinize their web histories and search engine queries. The proposal also wouldn't cover the content of websites, meaning data from any site a customer visits that isn't encrypted with HTTPS is still up for grabs.

Much like the FCC's rules on net neutrality, the fine details on its privacy proposal will matter if it aims to truly put this matter to rest. Until then, it will be up to consumers to know about all these tracking schemes and proactively opt out.