When it comes to using Internet services such as Google and Facebook, the general rule of thumb is that you are giving up privacy in exchange for free stuff. You have probably heard the adage that if you aren’t a paying customer, you’re the product being sold. It’s a reminder of the Faustian bargain we make whenever we accept the terms of service agreements for “free” social networks and apps that allow companies to collect intimate data, from the websites we frequent to the contents of our emails. The implication is that the inverse is also true: If you are paying for something, you’re a customer, not the product. Right? Disturbingly, this is not always the case. Last week security researchers revealed that the two largest telecommunications providers in the U.S., Verizon and AT&T, are tracking and monetizing their customers’ Web browsing habits and app usage in the same way you’d expect Facebook or Google to. Even worse, they are doing so by modifying customers’ Internet traffic to attach a persistent, unblockable tracking ID to every Web request. It’s part of a troubling trend in which consumers are effectively charged twice: once in the form of a hefty monthly bill and again by accessing their private data. In other words, even when you’re the paying customer, sometimes you’re still the product.

A new, dangerous paradigm

According to security researchers, Verizon and AT&T have been quietly manipulating Internet traffic on their networks, injecting tracking beacons into every packet of unencrypted data its customers send and receive. These bits of code, which Verizon calls unique identifier headers (UIDH), operate much like the tracking cookies that websites place on your computer to target you with ads. The big difference is that Verizon and AT&T’s are persistent and permanent. They follow you across every page you visit and monitor which apps you use, and you can’t block them by simply adjusting browser settings. Verizon says it has been using the trackers since 2012, the same year it began an initiative called Precision Market Insights, which collects data about the online habits of its paying customers and sells it to advertisers in the form of periodic trend reports. Its main competitor, AT&T, has a similar program that subjects customers to the same kind of tracking, though the company claims it’s only in a testing phase. Both companies are well aware of how intrusive their tracking schemes are. At an industry conference two years ago, the chief executive of Verizon’s U.S. advertising initiative bragged about the company’s ability to spy on customers, saying, “We’re able to view just everything that they do” on the company’s network. Incredibly, this was just four years after both Verizon and AT&T pledged before Congress to refrain from tracking users. Verizon’s executive vice president said during that session that any company capturing user data “should obtain meaningful, affirmative consent from consumers” — the polar opposite of the company’s current posturing. AT&T’s chief privacy officer agreed and even wagged a finger at Google while articulating her company’s supposed commitment to customer privacy, saying, “We encourage all companies that engage in online behavioral advertising ... likewise to adopt this affirmative advance consent paradigm.” Ironically, the fact that Verizon and AT&T are leveraging their nearly total control over the country’s telecommunications infrastructure to track customers is due in large part to the success of companies like Google. It’s no wonder Silicon Valley’s now ubiquitous business model of corporate surveillance — offering free services that spy on users and monetize their information — has led more traditional businesses, such as Internet service providers, to be tempted by the untapped data flowing through their systems.

Even paying customers are quarries of data to be mined by the very companies that are supposed to serve them.