European super cookie gets the green light

On 10th February, the European Commission gave the go-ahead for the formation of a joint venture in Europe, formed by Deutsche Telekom (Germany), Orange (France), Telefónica (Spain) and Vodafone (UK). The objective is the centralisation of navigation and app tracking services —ad-tracking—, for business-to-consumer marketing on mobile devices. This is what the operators call TrustPid for the time being and, in more friendly terms, is known as the super operator cookie. A term that, on the other hand, the parties involved are trying to banish from the collective imagination at all costs, but which, for the sake of convenience, we will use exhaustively in this reflection.

TrustPid, the technical name for a super cookie

The origin of this initiative lies in the intention and need to regulate and control the online advertising market in the Eurozone. As opposed to the dominant position that Google, Facebook and Amazon have at a global level.

It is estimated that in 2022 the online advertising market will be worth 185 billion dollars.

To this end, Vodafone UK, together with Deutsch Telekom, has been conducting a pilot test in Germany that has culminated in the approval of European regulations that allow de facto centralised control of the tracking of users’ browsing on their mobile phones, including websites and apps.

This is in contrast to conventional cookies, over which the user has granular control and management in their local browser,

Although we all tend to click on “Accept all” or “Deny all”, European legislation obliges the user to be able to select which aspects of their browsing are traceable in a web domain.

The procedure to be implemented by operators will be delegated, with operators having control over the management of browsing tracking. In particular, companies wishing to enable the service with the TrustPid consortium,

let us not forget that this is a service provided by the operators, so it will presumably be at a cost for the contracting party and a benefit for the provider

will receive pseudo-anonymous information in real time on users’ browsing habits through random identifiers (tokens) related to the fixed IP address of the terminal, mobile phone number and the website the user is visiting.

Since this super cookie is implemented at the level of the mobile operator’s network, it has to be managed in a centralised portal. As of today, that portal is TrustPid. We will not be able to do anything in our browsers to prevent our browsing information from being shared if we have authorised it.

In a very simplified way, when a user visits a website or uses an app that has used the TrustPid service for the first time with their mobile phone, this will happen:

1. The operator of the user’s mobile service will —provided the user consents— generate a random token linked to the IP address of the user’s phone, his or her mobile number and the website he or she is visiting. Note two important aspects here:

  • The service only applies to mobile networks. For the time being, there is no mention of fixed fibre and/or ADSL networks deployed in Europe. The reason for this is probably the impossibility of unambiguously tracing the devices within a household, since they all share the same IP address. And while one could opt to use the MAC address of each device behind the router, this is always a swampy ground in terms of the European Data Protection Regulation.
  • Operators need to assign public fixed IP addresses to mobile handsets. And given the limited number of addresses available in the IPv4 standard, they need to make a massive deployment of IPv6 in their mobile networks. It is interesting to note that this coincides in time with the announcement of IPv6 deployment in mobile networks this year, for example in Spain.

2. This token, in the event that the user has previously allowed or permits its use at the time, will be transmitted to the company offering the web service, in order to track user traffic and offer, according to the TrustPid portal, a personalised user experience. This includes advertising and personalised product recommendations on their websites, apps and services.

3. Under no circumstances, as stated in TrustPid’s privacy terms, can these tokens be cross-referenced. That is, a company will not be able to have a record of the browsing that a user has done in another company, since their tokens cannot be linked. However, according to the legal terms set out in the privacy portal, these tokens can be used by third party companies acting on behalf of the company to which we have authorised the super cookie.

Can my token be used without my authorisation?

Absolutely not. The fundamental protection mechanism in this case is that operators cannot give out our token by default without our consent. Although the final implementation in each country remains to be seen, the basic idea is that we will be able to allow or deny for 90 days that a website tracks our browsing using the operator’s super cookie and, after those 90 days, the permission will be automatically revoked.

In addition, through the TrustPid portal, we can at any time see on which sites we have authorised the use of a super cookie and revoke it. We can even completely revoke permission for any website.

And, most importantly, the overall service can never be activated by default by the operator, we must actively authorise it.

And what will come out of all this?

Although guessing the future is always risky, the idea behind the use of a centralised, regulated and auditable mechanism for tracking online advertising seems to make some sense, but it is true that there are some uncertainties:

On the one hand, different organisations have shown before the European Commission their doubts about the intrusion in users’ privacy that this mechanism presents.

It should not be forgotten that the GDPR is probably the regulation that most guarantees privacy rights worldwide. And it is paradoxical that private companies are responsible for users’ mobile phones being tokenised by the same companies that hold their data.

It is worth remembering that the sale of anonymous mobile phones has been banned in Europe for many years now.

On the other hand, will TrustPid prevent Google, Facebook or Amazon from relinquishing advertising control of user browsing.

This remains to be seen. If these companies were to agree to remove their conventional cookies and adopt the new mechanism, users would gain, as they would have a single point of control over the permissions granted to third parties. But if this is not the case, what we will end up with is an overlap of cookies and super cookies that will undoubtedly make managing our privacy even more complex.

As this mechanism is only applicable to mobile networks, it will mean that any access from a fixed network will not be covered by this scenario.

As a result, companies that want to trace our browsing will need to resort to TrustPid plus conventional cookies. Which, going back to the previous point, will make the implementation of the mechanism redundant to say the least.

And last but not least: our privacy preferences will be moved from our browser to the cloud of a pan-European joint venture.

Even if the security and privacy controls on these companies are really tight, it is true that we all receive calls on our phones from companies to whom our number has been sold. Often with our consent, with a simple “yes” on a questionnaire or a call. Nothing will prevent our super cookie from not having a market value equivalent to our phone number. And let’s not forget that, in the legal conditions of use, third parties are allowed to use the super cookie on behalf of the company to which we have given permission to use it. Which can easily be guessed as the gateway to unauthorised use of the navigation.

Finally: is it already working?

Officially only in Germany, but Esferize encourages you to disable the Wi-Fi network on your mobile phone (remember that this applies only to mobile networks), log in to TrustPid and click on “Manage Preferences”. There you can check if your operator has already tokenised your mobile!