UIDH stands for “Unique Identifier Header.” When you visit a website on your phone or your computer, you typically send certain information to the website provider identifying your IP address, the software you’re using to browse the web, and more.
UIDH’s are “perma-cookies” that some mobile carriers inject into the information you’re sending when you surf the web. Mobile carriers use these unique identifiers to track the websites you visit, sometimes to share that data with third parties and other times for unknown reasons. Normal cookies allow users to maintain control, while perma-cookies are injected beyond reach, out of control of the user.
Privacy is a human right, recognized by the United Nations and protected in countries around the world, and privacy is essential to the exercise of most online activities, whether it’s e-banking, researching health problems, or organizing for change.
The use of these headers can violate this most fundamental right. We do not know how the data is shared with third parties, and often users don’t know that they’ve agreed to allow such behavior. There is also the possibility that criminals and other malicious attackers could take advantage of the header to track your online activity and invade your privacy.
UID headers can be injected on any unencrypted connection to the internet, whether you are using a mobile phone, a Kindle, a laptop or a tablet such as an iPad.
The test is designed to detect 3G or LTE connections. You must turn off your Wifi for the test to work.
Our test works with perma-cookies that we have identified through our research. Your carrier may be using a new header. When we identify a new header, we incorporate it into the tool as soon as we can.
We will be releasing the full list of carriers in the future.
We will be releasing the full list of countries in the future.
HTTPS sites use Secure Socket Layer encryption (SSL) which, in addition to helping to secure your online communications, prevent the UID header from being injected. The UID tracker mechanism is not effective in HTTPS connections. Unfortunately, millions of sites on the internet do not use SSL protection.
Our test examines whether your carrier inserts a UID header into your web traffic. The test gathers connection data, including the name of your mobile carrier, your mobile IP address, the country your request originates from, and HTTP header values. After our test, we transfer the results of the test to data servers located in Latin America and scrub your personal identifying information.
We were first alerted to this issue by researcher Kenn White.
Access defends and extends the digital rights of users at risk around the world. By combining innovative policy, user engagement, and direct technical support, we fight for open and secure communications for all. You can find out more at https://accessnow.org.
The best way is to sign up for Access’ newsletter, the Access Express. We keep our members informed about the latest news in digital rights--including this campaign.
Check out our newly released report The Rise of Mobile TrackingHeaders: How Telcos Around the World Are Threatening Your Privacy.
Media coverage: Wall Street Journal, National Journal, Medianama, India Today, Wired, The Register, Techdirt, Vice: Motherboard, RCR Wireless News, Security Lab, Dutch News, Network World, Lava Soft, Help Net Security, Hipertextual, Version 2, Mename, Tech Republic, Globb Security, Observer
If you have any questions, or are a researcher and would like to carry on this work, please contact email@example.com.