Julia Angwin reported late Thursday that AT&T is dropping their tracking supercookie program. This comes in the wake of massive customer pressure over the discovery that AT&T and Verizon were quietly inserting unique tracking identifiers in their customers' web browsing and app data, by means of an HTTP header. The tracking identifiers quickly became known as "supercookies" because they enable tracking, like cookies, but cannot be removed.

AT&T told Angwin that the header program "has been phased off our network." Security researcher Kenn White, who operates a site to check whether a carrier inserts the header, partially confirmed the report. White said "it's not zero, but as a relative proportion, down over 90% and falling." At least one person found that AT&T is still sending the header, so it's important that AT&T do a full review of their network to ensure the phase-out is truly complete. Angwin also reports that Verizon is continuing its tracking program. EFF's own tests so far confirm the tracking header is now absent from accounts that were previously subject to header injection.

Decline in observed AT&T headers. Chart by Kenn White. Decline in observed AT&T headers. Chart by Kenn White.

This move by AT&T leaves Verizon out in the cold as the only remaining US provider to insert these tracking headers, and shows that concerned customers can produce meaningful change in their carriers' policies. It is also a victory for carrier non-interference with customer data. We call on Verizon to follow AT&T's lead and terminate their tracking header injection program or convert it to a true opt-in, immediately.

There have also been reports of international mobile providers doing similar tracking header injection. We call on all network providers globally to respect their customers' data and not inject tracking headers.