At least nine telcos around the world are using so-called super-cookies to secretly monitor citizens' online behavior, according to a new study.

A super-cookie is a token unique to each subscriber that is injected into every HTTP request made through a telco's cellphone networks. It can't be stripped by the user: every time a subscriber visits a website from his or her smartphone, the telco's system places the super-cookie in the HTTP headers, so that the site's servers can identify the visitor.

This super-cookie allows ad networks and media publishers to follow people across the internet even if they clear their cookies. It allows the networks to build up profiles on users' habits, and pitch them targeted advertising, while the telcos take a cut.

When it emerged that Verizon and AT&T in the US were using this technology it caused a storm. AT&T dropped the super-cookies, and Verizon eventually switched to an opt-out approach: if you switched them off, the headers went away.

Now a six-month investigation by digital rights group Access has shown that telcos overseas are using the same super-cookie techniques.

Access set up a website called Amibeingtracked.com, and monitored visits from 180,000 netizens on their phones. The group found that 15.3 per cent of visitors had the tracking headers installed; those visitors were cellphone owners in Canada, China, India, Mexico, Morocco, the Netherlands, Peru, Spain, the US, and Venezuela.

Verizon, AT&T, Bell Canada, Bharti Airtel, Cricket, Telefonica de España, Viettel Peru S.a.c., Vodafone NL, and Vodafone Spain all used the technology, although AT&T dropped off the charts when it withdrew the system. Verizon is still on the charts because people are opted-in by default.

By far the largest number of people being monitored were in the US, with the Access engine finding over 23,000 unstrippable headers from phone users in the Land of the Free. Spain was the next most tracked nation – with just over 3,000 cases – and the other countries had fewer than a thousand cases each.

The samples collected by the website showed a great degree of variance in what data was being collected and transferred using the technique. Telcos are increasingly encrypting the header information, but some still send data in clear text, including the phone number of the user in three cases.
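As an added illustration (not code from Access or from this article), here is a server-side check of the kind a test site could run on incoming requests: it flags injected identifier headers and notes whether the value is a clear-text phone number or an opaque token. The header names and the sample requests are assumptions of the example; the article itself names no headers.

```python
import re

# Header names publicly reported as carrier-injected identifiers. This list is
# an assumption of the example; the article itself names no headers.
TRACKING_HEADERS = {"x-uidh", "x-acr", "x-msisdn", "x-up-subno"}
# Loose pattern for a phone number sent in clear text (7-15 digits, optional +).
PHONE_RE = re.compile(r"^\+?\d{7,15}$")


def parse_request(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x request into {name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_supercookies(headers: dict) -> list:
    """Return (header, kind) for each tracking header present in the request."""
    hits = []
    for name, value in headers.items():
        if name not in TRACKING_HEADERS:
            continue
        kind = "cleartext-phone-number" if PHONE_RE.match(value) else "opaque-token"
        hits.append((name, kind))
    return sorted(hits)


# Constructed sample requests as a server would receive them (not real captures).
SAMPLE_TRACKED = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                  b"User-Agent: test\r\nX-UIDH: OTk5OTk5OTk5OQ==\r\n"
                  b"x-msisdn: 15555550100\r\n\r\n")
SAMPLE_CLEAN = b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: a=1\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_TRACKED, SAMPLE_CLEAN):
        print(find_supercookies(parse_request(sample)) or "no tracking headers seen")
```

Because the header is added in transit, the check has to run on the receiving server over plain HTTP; the subscriber's own browser never sees it.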

"Not all carriers track their users, and those that respect user privacy deserve our support," the report [PDF] concludes.

"Telecommunications companies occupy a central role in providing access to the internet, enhancing the communications capabilities of billions of people. By delivering open access, networks, and services, telcos can serve not just as internet service providers, but also as 'freedom providers.'"

The only way to stop the header from reporting back is to limit your web browsing to HTTPS sites only, but that's going to prove rather limiting. Alternatively, switch to a telco that doesn't use the technology, although that may become harder over time as well. ®