‘Supercookies’ Have Privacy Experts Sounding the Alarm

Vodafone claims TrustPid, which has each partner website generate a different token for the same user, reduces the likelihood of user data being triangulated across websites to create extensive profiles of user interests—a major concern for internet users sick of being chased around the web by targeted ads. “The technology has been built following a privacy-first design, and it complies with all GDPR requirements and related legislation,” says Poulter.

The TrustPid pilot came about because of the changing face of online advertising, says Harmer. “On the one hand, you have a lot of privacy measures being looked at for being anti-competitive,” he says. “Then you’ve got a lot of discussions around customer data being hemorrhaged and leaked quite openly on the internet.” Vodafone believed it could tackle both issues, giving advertisers the confidence to spend money online while offering customers protection over their data.

Vodafone says it has informed appropriate regulatory bodies of the trial, adding that it has met twice with the German Federal Commissioner for Data Protection and Freedom of Information (BfDI). BfDI spokesperson Christof Stein says the organization was “merely informed by Vodafone about its trial of TrustPid technology together with Deutsche Telekom, as we are the responsible data protection authority for those telco companies.” Stein also pointed out that the establishment of TrustPid as a separate company based in the UK means that the responsible data authority for TrustPid is the UK’s Information Commissioner’s Office (ICO). ICO spokesperson Debora Biasutti tells WIRED that “any proposal that continues to facilitate cross-web tracking without putting users firmly in control is unlikely to resolve the privacy issues prevalent in online advertising.” Harmer confirmed that TrustPid has not had a conversation with the UK data protection authority.

Stein confirmed that the BfDI has not been contacted by the independent company running TrustPid. As for whether it adheres to data protection rules, the BfDI says TrustPid could argue that its unique, pseudonymous network identifier is a value-added service under the EU’s ePrivacy Directive.

The key word is “could.” “Only an informed and voluntary given consent is an acceptable foundation for the use of this technology,” says Stein. “High standards must be set here, and we are skeptical that the current consent fulfills that aim.”

The BfDI has not yet made a final decision about the data processing in the German trial, Stein says. The GSM Association, an industry body with more than 1,200 members, including Vodafone’s German and UK arms, says it hasn’t been consulted about the TrustPid trial but will be asking its technical teams to look at how data is handled.

One former GSMA director of privacy has made up his mind, however. “It’s extremely disappointing to see mobile operators behave in this way,” says Pat Walshe, a data protection and privacy consultant who worked at the GSMA between 2009 and 2015. “They should be the custodians of the confidentiality of your communications and your data—but here it’s quite clear these operators see you as yet another source of revenue by mining your personal data and treating you as a digital billboard.” Walshe sees it as particularly troublesome because it comes a decade after he wrote a set of privacy principles for the GSMA and the industry that he thinks TrustPid’s approach would contradict.

