TRANSCRIPT
Emerging Privacy Threats in Mobile Networks
Narseo Vallina-Rodriguez (ICSI), Srikanth Sundaresan (ICSI), Christian Kreibich (ICSI / LastLine), Vern Paxson (ICSI / UC Berkeley)
Header Enrichment or ISP Enrichment?
ACM HotMiddlebox 2015 London

“In the mobile space, delivering the right ad to the right person is difficult because there is no common standard for identity and addressability. We think we’re in a position to solve that.”
– Colson Hillier, VP of Verizon’s Precision Market Insight division

HTTP Header Enrichment (aka Header Injection)
IETF Working Group SFC: Service Function Chaining
https://datatracker.ietf.org/wg/sfc/documents/

HTTP Header Enrichment
• Technique that allows ISP-enforced proxies to extend/inject HTTP headers for:
  - Performance Enhancement
  - Load Balancing
  - Access Control
  - Content Customization
  - Analytics
  - Advertising and user-tracking

How does HTTP Header Enrichment work?
Handset -> Mobile ISP Network (ISP Proxy) -> Internet -> example.com

Request as sent by the handset:
GET /index.html HTTP/1.1
Host: www.example.com

Request as forwarded by the ISP proxy to example.com:
GET /index.html HTTP/1.1
Host: www.example.com
x-acr: 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna

User Implications
• HTTP Header Enrichment may become a privacy threat for mobile users
  - ISPs may leak sensitive user and device data
  - ISPs may enable user-tracking (unique IDs)

Why does it matter?
• Sensitive user data may be collected and combined with other metadata by any online service if not removed by the egress point
• IETF WG SFC leaves this decision up to the ISP

Inappropriate use of HTTP Header Enrichment affects millions of mobile subscribers all over the world

Paper Contributions
• Identification, analysis and characterization of HTTP Header Enrichment
  - 299 Mobile ISPs from 112 countries
  - 16-month period
• Data collection: Netalyzr for Android traces
• Discussion of user implications and solutions

Method and Data Collection

How does HTTP Header Enrichment work?
Handset -> Mobile ISP Network (ISP Proxy) -> Internet -> example.com

Request as sent by the handset:
GET /index.html HTTP/1.1
Host: www.example.com

Request as received by example.com:
GET /index.html HTTP/1.1
Host: www.example.com
x-acr: 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna

Netalyzr: Proxy Artifacts Detection
Handset -> Mobile ISP Network (ISP Proxy) -> Internet
We control both end-points and the generated traffic, so we can identify modifications

Method Limitations
• We cannot identify when HTTP Header Injection occurs to selected destinations (e.g., ISP partners)
• Crowd-sourcing data collection: discrete sampling

Results

HTTP Header Analysis
We defined 3 categories:
1. Privacy-compromising headers
2. Tracking headers
3. Operational headers

1. Privacy-compromising headers
Definition: HTTP headers leaking sensitive information that uniquely identifies:
  - the device (e.g., IMEI)
  - the user (e.g., IMSI/MSISDN)
Identified in 5 mobile operators

1. Privacy-compromising headers (observed)
x-up-calling-line-id: Vodacom (ZA), Phone
msisdn: Orange (JO), MSISDN
x-nokia-msisdn: Smart (PH)
x-up-3gpp-imeisv: Vodacom (ZA), IMEI
Example values:
MSISDN: 962779705XXX
x-up-calling-line-id: 277251XXXXX
x-up-3gpp-imeisv: 35858805517XXXXX

2. Tracking headers
Definition: Operator-generated unique identifier for advertising purposes
  - They are immutable
  - They do not directly reveal sensitive information about users but enable user-tracking
Identified in 6 mobile operators

2. Tracking headers (observed)
x-acr: AT&T (US)
x-amobee: Airtel (IN), Singtel (SG)
x-uidh: Verizon (US)
x-vf-acr: Vodacom (ZA), Vodafone (NL)
Example values:
x-amobee-2: yJYE[…]5yepHn5Tc1hgdt5Hzog==
X-UIDH: Njk2ODY1NjkxAN8[…]eCcl c0kiEZJ1vnGJo
x-acr: 486E03D[…]D359Dncc=310410type=Dyna

2. Tracking headers
[Figure: timeline per operator and header (x-amobee-1, x-amobee-2, x-acr, x-uidh, x-vf-acr) for Airtel (IN), AT&T (US), Singtel (SG), Verizon (US), Vodacom (ZA) and Vodafone (NL). X-axis: Date, 2013-11 to 2015-02. Legend: Header injected / Header not injected.]

3. Operational headers
Definition: HTTP headers for operational purposes
They contain information such as:
  - Mobile operator (MCC/MNC codes) and 3GPP technology
  - 3GPP Gateway manufacturer (Nokia/BlueCoat), software version and even its location
  - Handset’s private IP address
Identified in 24 operators

3. Operational headers
Use-case: x-forwarded-for header [RFC 7239]
  - Reports the internal IP address of proxied traffic
  - Used for load-balancing and abusive access
Flip-side:
  - De-anonymizes traffic
  - It may not tell the truth
T-Mobile (DE): Private IP 10921312 -> 17921312

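The detection idea from the Netalyzr slide (control both end-points, then compare) combined with the three header categories above, as an added example that is not Netalyzr's code. The header names come from the slides; the sample requests and their values are constructed, and the "unclassified" label and the value masking are assumptions of this sketch.

```python
from collections import namedtuple

# Header names listed on the slides, grouped by the talk's three categories.
PRIVACY = {"x-up-calling-line-id", "msisdn", "x-nokia-msisdn", "x-up-3gpp-imeisv"}
TRACKING = {"x-acr", "x-uidh", "x-vf-acr"}  # x-amobee-1/-2 matched by prefix below
OPERATIONAL = {"x-forwarded-for"}

Finding = namedtuple("Finding", "change name category value")


def parse_headers(raw):
    """Parse the head of a raw HTTP/1.x request into [(lowercased name, value)]."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        if line[0] in " \t" and headers:  # obsolete folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines without a colon
            headers.append((name.strip().lower(), value.strip()))
    return headers


def classify(name):
    """Map a header name to one of the talk's categories."""
    if name in PRIVACY:
        return "privacy-compromising"
    if name in TRACKING or name.startswith("x-amobee"):
        return "tracking"
    if name in OPERATIONAL:
        return "operational"
    return "unclassified"  # label assumed for this example


def mask(value, keep=4):
    """Keep a short prefix so identifiers are not copied into reports."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def diff_headers(sent_raw, received_raw):
    """Compare the request the client sent with what the controlled server saw."""
    sent, received = {}, {}
    for store, raw in ((sent, sent_raw), (received, received_raw)):
        for name, value in parse_headers(raw):
            store.setdefault(name, []).append(value)
    findings = []
    for name, values in received.items():
        category = classify(name)
        for value in values:
            if name not in sent:
                change = "added"
            elif value not in sent[name]:
                change = "modified"
            else:
                continue
            sensitive = category in ("privacy-compromising", "tracking")
            findings.append(Finding(change, name, category,
                                    mask(value) if sensitive else value))
    for name in sent:
        if name not in received:
            findings.append(Finding("removed", name, classify(name), ""))
    return findings


# Constructed sample traffic (not captured data).
SENT = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: probe/1.0\r\n\r\n")
RECEIVED = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: probe/1.0\r\nX-UIDH: CONSTRUCTED-ID-0001\r\n"
            b"x-up-calling-line-id: 000000000000\r\n"
            b"X-Forwarded-For: 10.0.0.7\r\nVia: 1.1 proxy.invalid\r\n\r\n")

if __name__ == "__main__":
    for finding in diff_headers(SENT, RECEIVED):
        print(finding)
```

As the limitations slide notes, a comparison like this only sees injection on traffic to the server the tester controls.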
Final Remarks

What can users do?
• Tech-savvy users may use VPNs
• “Do-Not-Track” header is useless

Be aware and complain
http://amibeingtracked.com

This problem also requires non-technical solutions

This is an increasing concern
• Evidence of JavaScript injection for advertising
• New 3rd party services providing advertising services for ISPs
• No evidence of header injection in HTTPS traffic (yet)

narseo@icsi.berkeley.edu, netalyzr-help@icsi.berkeley.edu
ldquoIn the mobile space delivering the right ad to the right person is difficult because there is no
common standard for identity and addressability We think wersquore in a position to solve thatrdquo
ndashColson Hillier VP of Verizonrsquos Precision Market Insight division
2
HTTP Header Enrichment (aka Header Injection)
IETF Working Group SFC Service Functioning Chaining
httpsdatatrackerietforgwgsfcdocuments
3
HTTP Header Enrichment bull Technique that allows ISP-enforced proxies to
extendinject HTTP headers for Performance Enhancement Load Balancing Access Control Content Customization Analytics Advertising and user-tracking
4
How does HTTP Header Enrichment work
GET indexhtml HTTP1113 Host wwwexamplecom
GET indexhtml HTTP1113 Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
Mobile ISP Network ISP Proxy
Internet
5
examplecom
How does HTTP Header Enrichment work
Mobile ISP Network ISP Proxy
Internet
examplecom
GET indexhtml HTTP1113 Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
6
How does HTTP Header Enrichment work
GET indexhtml HTTP1113
Mobile ISP Network ISP Proxy
Internet
examplecom
Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
7
User Implications
bull HTTP Header Enrichment may become a privacythreat for mobile users
ISPs may leak sensitive user and device data
ISPs may enable user-tracking (unique IDs)
8
Why does it matter
bull User sensitive data may be collected and combined with other metadata by any online service if not removed by the egress point
bull IETF GW SFC leaves this decision up to the ISP
9
Inappropriate use of HTTP Header Enrichment affects millions of mobile subscribers
all over the world
Paper Contributions bull Identification analysis and characterization of
HTTP Header Enrichment 299 Mobile ISPs from 112 countries 16-month period
bull Data collection Netalyzr for Android traces
bull Discussion of user implications and solutions
11
Method and Data Collection
12
How does HTTP Header Enrichment work
Mobile ISP Network ISP Proxy
GET indexhtml HTTP1113 Host wwwexamplecom
Internet
examplecom
GET indexhtml HTTP1113 Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
13
Netalyzr Proxy Artifacts Detection
Mobile ISP Network
Internet
ISP Proxy
We control both end-points and generated traffic we can identify modifications
14
Method Limitations
bull We cannot identify when HTTP Header Injection occurs to selected destinations (eg ISP partners)
bull Crowd-sourcing data collection discrete sampling
15
Results
16
HTTP Header Analysis We defined 3 categories
Privacy-compromising headers
Tracking headers
Operational headers
17
1 Privacy-compromising headers
Definition HTTP headers leaking sensitiveinformation that identify uniquely
the device (eg IMEI)
the user (eg IMSIMSISDN)
Identified in 5 mobile operators
18
MSISDN 962779705XXX x-up-calling-line-id 277251XXXXX
1 Privacy-compromising headers
x-up-calling-line-id Vodacom (ZA) Phone
msisdn Orange (JO)MSISDN
x-nokia-msisdn Smart (PH)
x-up-3gpp-imeisv Vodacom (ZA) IMEI
x-up-3gpp-imeisv 35858805517XXXXX
19
2 Tracking headers
Definition Operator-generated unique identifier for advertising purposes
They are inmutable
They do not directly reveal sensitive information about users but enable user-tracking
Identified in 6 mobile operators
20
x-amobee-2 yJYE[hellip]5yepHn5Tc1hgdt5Hzog== X-UIDH Njk2ODY1NjkxAN8[hellip]eCcl c0kiEZJ1vnGJo
2 Tracking headers
x-acr ATampT (US)
x-amobee Airtel (IN) Singtel (SG)
x-uidh Verizon (US)
x-vf-acr Vodacom (ZA) Vodafone (NL)
x-acr 486E03D[hellip]D359Dncc=310410type=Dyna
21
2 Tracking headers xminusamobeeminus1
xminusacr xminusamobeeminus2
xminusuidh xminusvfminusacr xminusvfminusacr
Airtel (IN)
ATampT (US)
Singtel (SG)
Verizon (US)
Vodacom (ZA)
Vodafone (NL)
2013minus1
1
2014minus0
2
2014minus0
5
2014minus0
8
2014minus1
1
2015minus0
2
Date
Header injected Header not injected
22
3 Operational headers Definition HTTP headers for operational purposesThey contain information such as Mobile operator (MCCMNC codes) and 3GPP
technology 3GPP Gateway manufacturer (NokiaBlueCoat)
software version and even its location Handsetrsquos private IP address
Identified in 24 operators
23
3 Operational headers
Use-case x-forwarded-for header [RFC 7239] Reports the internal IP address of proxied traffic Used for load-balancing and abusive access Flip-side De-anonymizes traffic It may not tell the truth
T-Mobile (DE) Private IP 10921312-gt17921312
24
Final Remarks
25
What can users do
Tech-savvy users may use VPNs ldquoDo-Not-Trackrdquo header is useless
26
Be aware and complain
httpamibeingtrackedcom
27
This problem also requires non-technical solutions
28
This is an increasing concern bull Evidence of JavaScript injection for advertising
bull New 3rd party services providing advertising services for ISPs
bull No evidence of header injection in HTTPS traffic (yet)
29
narseoicsiberkeleyedu netalyzr-helpicsiberkeleleyedu
HTTP Header Enrichment (aka Header Injection)
IETF Working Group SFC Service Functioning Chaining
httpsdatatrackerietforgwgsfcdocuments
3
HTTP Header Enrichment bull Technique that allows ISP-enforced proxies to
extendinject HTTP headers for Performance Enhancement Load Balancing Access Control Content Customization Analytics Advertising and user-tracking
4
How does HTTP Header Enrichment work
GET indexhtml HTTP1113 Host wwwexamplecom
GET indexhtml HTTP1113 Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
Mobile ISP Network ISP Proxy
Internet
5
examplecom
How does HTTP Header Enrichment work
Mobile ISP Network ISP Proxy
Internet
examplecom
GET indexhtml HTTP1113 Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
6
How does HTTP Header Enrichment work
GET indexhtml HTTP1113
Mobile ISP Network ISP Proxy
Internet
examplecom
Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
7
User Implications
bull HTTP Header Enrichment may become a privacythreat for mobile users
ISPs may leak sensitive user and device data
ISPs may enable user-tracking (unique IDs)
8
Why does it matter
bull User sensitive data may be collected and combined with other metadata by any online service if not removed by the egress point
bull IETF GW SFC leaves this decision up to the ISP
9
Inappropriate use of HTTP Header Enrichment affects millions of mobile subscribers
all over the world
Paper Contributions bull Identification analysis and characterization of
HTTP Header Enrichment 299 Mobile ISPs from 112 countries 16-month period
bull Data collection Netalyzr for Android traces
bull Discussion of user implications and solutions
11
Method and Data Collection
12
How does HTTP Header Enrichment work
Mobile ISP Network ISP Proxy
GET indexhtml HTTP1113 Host wwwexamplecom
Internet
examplecom
GET indexhtml HTTP1113 Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
13
Netalyzr Proxy Artifacts Detection
Mobile ISP Network
Internet
ISP Proxy
We control both end-points and generated traffic we can identify modifications
14
Method Limitations
bull We cannot identify when HTTP Header Injection occurs to selected destinations (eg ISP partners)
bull Crowd-sourcing data collection discrete sampling
15
Results
16
HTTP Header Analysis We defined 3 categories
Privacy-compromising headers
Tracking headers
Operational headers
17
1 Privacy-compromising headers
Definition HTTP headers leaking sensitiveinformation that identify uniquely
the device (eg IMEI)
the user (eg IMSIMSISDN)
Identified in 5 mobile operators
18
MSISDN 962779705XXX x-up-calling-line-id 277251XXXXX
1 Privacy-compromising headers
x-up-calling-line-id Vodacom (ZA) Phone
msisdn Orange (JO)MSISDN
x-nokia-msisdn Smart (PH)
x-up-3gpp-imeisv Vodacom (ZA) IMEI
x-up-3gpp-imeisv 35858805517XXXXX
19
2 Tracking headers
Definition Operator-generated unique identifier for advertising purposes
They are inmutable
They do not directly reveal sensitive information about users but enable user-tracking
Identified in 6 mobile operators
20
x-amobee-2 yJYE[hellip]5yepHn5Tc1hgdt5Hzog== X-UIDH Njk2ODY1NjkxAN8[hellip]eCcl c0kiEZJ1vnGJo
2 Tracking headers
x-acr ATampT (US)
x-amobee Airtel (IN) Singtel (SG)
x-uidh Verizon (US)
x-vf-acr Vodacom (ZA) Vodafone (NL)
x-acr 486E03D[hellip]D359Dncc=310410type=Dyna
21
2 Tracking headers xminusamobeeminus1
xminusacr xminusamobeeminus2
xminusuidh xminusvfminusacr xminusvfminusacr
Airtel (IN)
ATampT (US)
Singtel (SG)
Verizon (US)
Vodacom (ZA)
Vodafone (NL)
2013minus1
1
2014minus0
2
2014minus0
5
2014minus0
8
2014minus1
1
2015minus0
2
Date
Header injected Header not injected
22
3 Operational headers Definition HTTP headers for operational purposesThey contain information such as Mobile operator (MCCMNC codes) and 3GPP
technology 3GPP Gateway manufacturer (NokiaBlueCoat)
software version and even its location Handsetrsquos private IP address
Identified in 24 operators
23
3 Operational headers
Use-case x-forwarded-for header [RFC 7239] Reports the internal IP address of proxied traffic Used for load-balancing and abusive access Flip-side De-anonymizes traffic It may not tell the truth
T-Mobile (DE) Private IP 10921312-gt17921312
24
Final Remarks
25
What can users do
Tech-savvy users may use VPNs ldquoDo-Not-Trackrdquo header is useless
26
Be aware and complain
httpamibeingtrackedcom
27
This problem also requires non-technical solutions
28
This is an increasing concern bull Evidence of JavaScript injection for advertising
bull New 3rd party services providing advertising services for ISPs
bull No evidence of header injection in HTTPS traffic (yet)
29
narseoicsiberkeleyedu netalyzr-helpicsiberkeleleyedu
HTTP Header Enrichment bull Technique that allows ISP-enforced proxies to
extendinject HTTP headers for Performance Enhancement Load Balancing Access Control Content Customization Analytics Advertising and user-tracking
4
How does HTTP Header Enrichment work
GET indexhtml HTTP1113 Host wwwexamplecom
GET indexhtml HTTP1113 Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
Mobile ISP Network ISP Proxy
Internet
5
examplecom
How does HTTP Header Enrichment work
Mobile ISP Network ISP Proxy
Internet
examplecom
GET indexhtml HTTP1113 Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
6
How does HTTP Header Enrichment work
GET indexhtml HTTP1113
Mobile ISP Network ISP Proxy
Internet
examplecom
Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
7
User Implications
bull HTTP Header Enrichment may become a privacythreat for mobile users
ISPs may leak sensitive user and device data
ISPs may enable user-tracking (unique IDs)
8
Why does it matter
bull User sensitive data may be collected and combined with other metadata by any online service if not removed by the egress point
bull IETF GW SFC leaves this decision up to the ISP
9
Inappropriate use of HTTP Header Enrichment affects millions of mobile subscribers
all over the world
Paper Contributions bull Identification analysis and characterization of
HTTP Header Enrichment 299 Mobile ISPs from 112 countries 16-month period
bull Data collection Netalyzr for Android traces
bull Discussion of user implications and solutions
11
Method and Data Collection
12
How does HTTP Header Enrichment work
Mobile ISP Network ISP Proxy
GET indexhtml HTTP1113 Host wwwexamplecom
Internet
examplecom
GET indexhtml HTTP1113 Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
13
Netalyzr Proxy Artifacts Detection
Mobile ISP Network
Internet
ISP Proxy
We control both end-points and generated traffic we can identify modifications
14
Method Limitations
bull We cannot identify when HTTP Header Injection occurs to selected destinations (eg ISP partners)
bull Crowd-sourcing data collection discrete sampling
15
Results
16
HTTP Header Analysis We defined 3 categories
Privacy-compromising headers
Tracking headers
Operational headers
17
1 Privacy-compromising headers
Definition HTTP headers leaking sensitiveinformation that identify uniquely
the device (eg IMEI)
the user (eg IMSIMSISDN)
Identified in 5 mobile operators
18
MSISDN 962779705XXX x-up-calling-line-id 277251XXXXX
1 Privacy-compromising headers
x-up-calling-line-id Vodacom (ZA) Phone
msisdn Orange (JO)MSISDN
x-nokia-msisdn Smart (PH)
x-up-3gpp-imeisv Vodacom (ZA) IMEI
x-up-3gpp-imeisv 35858805517XXXXX
19
2 Tracking headers
Definition Operator-generated unique identifier for advertising purposes
They are inmutable
They do not directly reveal sensitive information about users but enable user-tracking
Identified in 6 mobile operators
20
x-amobee-2 yJYE[hellip]5yepHn5Tc1hgdt5Hzog== X-UIDH Njk2ODY1NjkxAN8[hellip]eCcl c0kiEZJ1vnGJo
2 Tracking headers
x-acr ATampT (US)
x-amobee Airtel (IN) Singtel (SG)
x-uidh Verizon (US)
x-vf-acr Vodacom (ZA) Vodafone (NL)
x-acr 486E03D[hellip]D359Dncc=310410type=Dyna
21
2 Tracking headers xminusamobeeminus1
xminusacr xminusamobeeminus2
xminusuidh xminusvfminusacr xminusvfminusacr
Airtel (IN)
ATampT (US)
Singtel (SG)
Verizon (US)
Vodacom (ZA)
Vodafone (NL)
2013minus1
1
2014minus0
2
2014minus0
5
2014minus0
8
2014minus1
1
2015minus0
2
Date
Header injected Header not injected
22
3 Operational headers Definition HTTP headers for operational purposesThey contain information such as Mobile operator (MCCMNC codes) and 3GPP
technology 3GPP Gateway manufacturer (NokiaBlueCoat)
software version and even its location Handsetrsquos private IP address
Identified in 24 operators
23
3 Operational headers
Use-case x-forwarded-for header [RFC 7239] Reports the internal IP address of proxied traffic Used for load-balancing and abusive access Flip-side De-anonymizes traffic It may not tell the truth
T-Mobile (DE) Private IP 10921312-gt17921312
24
Final Remarks
25
What can users do
Tech-savvy users may use VPNs ldquoDo-Not-Trackrdquo header is useless
26
Be aware and complain
httpamibeingtrackedcom
27
This problem also requires non-technical solutions
28
This is an increasing concern bull Evidence of JavaScript injection for advertising
bull New 3rd party services providing advertising services for ISPs
bull No evidence of header injection in HTTPS traffic (yet)
29
narseoicsiberkeleyedu netalyzr-helpicsiberkeleleyedu
How does HTTP Header Enrichment work
GET indexhtml HTTP1113 Host wwwexamplecom
GET indexhtml HTTP1113 Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
Mobile ISP Network ISP Proxy
Internet
5
examplecom
How does HTTP Header Enrichment work
Mobile ISP Network ISP Proxy
Internet
examplecom
GET indexhtml HTTP1113 Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
6
How does HTTP Header Enrichment work
GET indexhtml HTTP1113
Mobile ISP Network ISP Proxy
Internet
examplecom
Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
7
User Implications
bull HTTP Header Enrichment may become a privacythreat for mobile users
ISPs may leak sensitive user and device data
ISPs may enable user-tracking (unique IDs)
8
Why does it matter
bull User sensitive data may be collected and combined with other metadata by any online service if not removed by the egress point
bull IETF GW SFC leaves this decision up to the ISP
9
Inappropriate use of HTTP Header Enrichment affects millions of mobile subscribers
all over the world
Paper Contributions bull Identification analysis and characterization of
HTTP Header Enrichment 299 Mobile ISPs from 112 countries 16-month period
bull Data collection Netalyzr for Android traces
bull Discussion of user implications and solutions
11
Method and Data Collection
12
How does HTTP Header Enrichment work
Mobile ISP Network ISP Proxy
GET indexhtml HTTP1113 Host wwwexamplecom
Internet
examplecom
GET indexhtml HTTP1113 Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
13
Netalyzr Proxy Artifacts Detection
Mobile ISP Network
Internet
ISP Proxy
We control both end-points and generated traffic we can identify modifications
14
Method Limitations
bull We cannot identify when HTTP Header Injection occurs to selected destinations (eg ISP partners)
bull Crowd-sourcing data collection discrete sampling
15
Results
16
HTTP Header Analysis We defined 3 categories
Privacy-compromising headers
Tracking headers
Operational headers
17
1 Privacy-compromising headers
Definition HTTP headers leaking sensitiveinformation that identify uniquely
the device (eg IMEI)
the user (eg IMSIMSISDN)
Identified in 5 mobile operators
18
MSISDN 962779705XXX x-up-calling-line-id 277251XXXXX
1 Privacy-compromising headers
x-up-calling-line-id Vodacom (ZA) Phone
msisdn Orange (JO)MSISDN
x-nokia-msisdn Smart (PH)
x-up-3gpp-imeisv Vodacom (ZA) IMEI
x-up-3gpp-imeisv 35858805517XXXXX
19
2 Tracking headers
Definition Operator-generated unique identifier for advertising purposes
They are inmutable
They do not directly reveal sensitive information about users but enable user-tracking
Identified in 6 mobile operators
20
x-amobee-2 yJYE[hellip]5yepHn5Tc1hgdt5Hzog== X-UIDH Njk2ODY1NjkxAN8[hellip]eCcl c0kiEZJ1vnGJo
2 Tracking headers
x-acr ATampT (US)
x-amobee Airtel (IN) Singtel (SG)
x-uidh Verizon (US)
x-vf-acr Vodacom (ZA) Vodafone (NL)
x-acr 486E03D[hellip]D359Dncc=310410type=Dyna
21
2 Tracking headers xminusamobeeminus1
xminusacr xminusamobeeminus2
xminusuidh xminusvfminusacr xminusvfminusacr
Airtel (IN)
ATampT (US)
Singtel (SG)
Verizon (US)
Vodacom (ZA)
Vodafone (NL)
2013minus1
1
2014minus0
2
2014minus0
5
2014minus0
8
2014minus1
1
2015minus0
2
Date
Header injected Header not injected
22
3 Operational headers Definition HTTP headers for operational purposesThey contain information such as Mobile operator (MCCMNC codes) and 3GPP
technology 3GPP Gateway manufacturer (NokiaBlueCoat)
software version and even its location Handsetrsquos private IP address
Identified in 24 operators
23
3 Operational headers
Use-case x-forwarded-for header [RFC 7239] Reports the internal IP address of proxied traffic Used for load-balancing and abusive access Flip-side De-anonymizes traffic It may not tell the truth
T-Mobile (DE) Private IP 10921312-gt17921312
24
Final Remarks
25
What can users do
Tech-savvy users may use VPNs ldquoDo-Not-Trackrdquo header is useless
26
Be aware and complain
httpamibeingtrackedcom
27
This problem also requires non-technical solutions
28
This is an increasing concern bull Evidence of JavaScript injection for advertising
bull New 3rd party services providing advertising services for ISPs
bull No evidence of header injection in HTTPS traffic (yet)
29
narseoicsiberkeleyedu netalyzr-helpicsiberkeleleyedu
How does HTTP Header Enrichment work
Mobile ISP Network ISP Proxy
Internet
examplecom
GET indexhtml HTTP1113 Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
6
How does HTTP Header Enrichment work
GET indexhtml HTTP1113
Mobile ISP Network ISP Proxy
Internet
examplecom
Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
7
User Implications
bull HTTP Header Enrichment may become a privacythreat for mobile users
ISPs may leak sensitive user and device data
ISPs may enable user-tracking (unique IDs)
8
Why does it matter
bull User sensitive data may be collected and combined with other metadata by any online service if not removed by the egress point
bull IETF GW SFC leaves this decision up to the ISP
9
Inappropriate use of HTTP Header Enrichment affects millions of mobile subscribers
all over the world
Paper Contributions bull Identification analysis and characterization of
HTTP Header Enrichment 299 Mobile ISPs from 112 countries 16-month period
bull Data collection Netalyzr for Android traces
bull Discussion of user implications and solutions
11
Method and Data Collection
12
How does HTTP Header Enrichment work
Mobile ISP Network ISP Proxy
GET indexhtml HTTP1113 Host wwwexamplecom
Internet
examplecom
GET indexhtml HTTP1113 Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
13
Netalyzr Proxy Artifacts Detection
Mobile ISP Network
Internet
ISP Proxy
We control both end-points and generated traffic we can identify modifications
14
Method Limitations
bull We cannot identify when HTTP Header Injection occurs to selected destinations (eg ISP partners)
bull Crowd-sourcing data collection discrete sampling
15
Results
16
HTTP Header Analysis We defined 3 categories
Privacy-compromising headers
Tracking headers
Operational headers
17
1 Privacy-compromising headers
Definition HTTP headers leaking sensitiveinformation that identify uniquely
the device (eg IMEI)
the user (eg IMSIMSISDN)
Identified in 5 mobile operators
18
MSISDN 962779705XXX x-up-calling-line-id 277251XXXXX
1 Privacy-compromising headers
x-up-calling-line-id Vodacom (ZA) Phone
msisdn Orange (JO)MSISDN
x-nokia-msisdn Smart (PH)
x-up-3gpp-imeisv Vodacom (ZA) IMEI
x-up-3gpp-imeisv 35858805517XXXXX
19
2 Tracking headers
Definition Operator-generated unique identifier for advertising purposes
They are inmutable
They do not directly reveal sensitive information about users but enable user-tracking
Identified in 6 mobile operators
20
x-amobee-2 yJYE[hellip]5yepHn5Tc1hgdt5Hzog== X-UIDH Njk2ODY1NjkxAN8[hellip]eCcl c0kiEZJ1vnGJo
2 Tracking headers
x-acr ATampT (US)
x-amobee Airtel (IN) Singtel (SG)
x-uidh Verizon (US)
x-vf-acr Vodacom (ZA) Vodafone (NL)
x-acr 486E03D[hellip]D359Dncc=310410type=Dyna
21
2 Tracking headers xminusamobeeminus1
xminusacr xminusamobeeminus2
xminusuidh xminusvfminusacr xminusvfminusacr
Airtel (IN)
ATampT (US)
Singtel (SG)
Verizon (US)
Vodacom (ZA)
Vodafone (NL)
2013minus1
1
2014minus0
2
2014minus0
5
2014minus0
8
2014minus1
1
2015minus0
2
Date
Header injected Header not injected
22
3 Operational headers Definition HTTP headers for operational purposesThey contain information such as Mobile operator (MCCMNC codes) and 3GPP
technology 3GPP Gateway manufacturer (NokiaBlueCoat)
software version and even its location Handsetrsquos private IP address
Identified in 24 operators
23
3 Operational headers
Use-case x-forwarded-for header [RFC 7239] Reports the internal IP address of proxied traffic Used for load-balancing and abusive access Flip-side De-anonymizes traffic It may not tell the truth
T-Mobile (DE) Private IP 10921312-gt17921312
24
Final Remarks
25
What can users do
Tech-savvy users may use VPNs ldquoDo-Not-Trackrdquo header is useless
26
Be aware and complain
httpamibeingtrackedcom
27
This problem also requires non-technical solutions
28
This is an increasing concern bull Evidence of JavaScript injection for advertising
bull New 3rd party services providing advertising services for ISPs
bull No evidence of header injection in HTTPS traffic (yet)
29
narseoicsiberkeleyedu netalyzr-helpicsiberkeleleyedu
How does HTTP Header Enrichment work
GET indexhtml HTTP1113
Mobile ISP Network ISP Proxy
Internet
examplecom
Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
7
User Implications
bull HTTP Header Enrichment may become a privacythreat for mobile users
ISPs may leak sensitive user and device data
ISPs may enable user-tracking (unique IDs)
8
Why does it matter
bull User sensitive data may be collected and combined with other metadata by any online service if not removed by the egress point
bull IETF GW SFC leaves this decision up to the ISP
9
Inappropriate use of HTTP Header Enrichment affects millions of mobile subscribers
all over the world
Paper Contributions bull Identification analysis and characterization of
HTTP Header Enrichment 299 Mobile ISPs from 112 countries 16-month period
bull Data collection Netalyzr for Android traces
bull Discussion of user implications and solutions
11
Method and Data Collection
12
How does HTTP Header Enrichment work
Mobile ISP Network ISP Proxy
GET indexhtml HTTP1113 Host wwwexamplecom
Internet
examplecom
GET indexhtml HTTP1113 Host wwwexamplecom13 x-acr 486E03F2A285E 07F5A981152DB80BB4 932022388EC34B22434 928ncc=310410type=Dyna
13
Netalyzr Proxy Artifacts Detection
Mobile ISP Network
Internet
ISP Proxy
We control both end-points and generated traffic we can identify modifications
14
Method Limitations
bull We cannot identify when HTTP Header Injection occurs to selected destinations (eg ISP partners)
bull Crowd-sourcing data collection discrete sampling
15
Results
16
HTTP Header Analysis We defined 3 categories
Privacy-compromising headers
Tracking headers
Operational headers
17
1 Privacy-compromising headers
Definition HTTP headers leaking sensitiveinformation that identify uniquely
the device (eg IMEI)
the user (eg IMSIMSISDN)
Identified in 5 mobile operators
18
MSISDN 962779705XXX x-up-calling-line-id 277251XXXXX
1 Privacy-compromising headers
x-up-calling-line-id Vodacom (ZA) Phone
msisdn Orange (JO)MSISDN
x-nokia-msisdn Smart (PH)
x-up-3gpp-imeisv Vodacom (ZA) IMEI
x-up-3gpp-imeisv 35858805517XXXXX
19
2 Tracking headers
Definition Operator-generated unique identifier for advertising purposes
They are inmutable
They do not directly reveal sensitive information about users but enable user-tracking
Identified in 6 mobile operators
20
x-amobee-2 yJYE[hellip]5yepHn5Tc1hgdt5Hzog== X-UIDH Njk2ODY1NjkxAN8[hellip]eCcl c0kiEZJ1vnGJo
2 Tracking headers
x-acr ATampT (US)
x-amobee Airtel (IN) Singtel (SG)
x-uidh Verizon (US)
x-vf-acr Vodacom (ZA) Vodafone (NL)
x-acr 486E03D[hellip]D359Dncc=310410type=Dyna
21
2 Tracking headers xminusamobeeminus1
xminusacr xminusamobeeminus2
xminusuidh xminusvfminusacr xminusvfminusacr
Airtel (IN)
ATampT (US)
Singtel (SG)
Verizon (US)
Vodacom (ZA)
Vodafone (NL)
2013minus1
1
2014minus0
2
2014minus0
5
2014minus0
8
2014minus1
1
2015minus0
2
Date
Header injected Header not injected
22

3. Operational headers
Definition: HTTP headers for operational purposes. They contain information such as:
• Mobile operator (MCC/MNC codes) and 3GPP technology
• 3GPP Gateway manufacturer (Nokia/BlueCoat), software version and even its location
• Handset's private IP address
Identified in 24 operators

3. Operational headers
Use-case: x-forwarded-for header [RFC 7239]
• Reports the internal IP address of proxied traffic
• Used for load-balancing and abusive access
Flip-side:
• De-anonymizes traffic
• It may not tell the truth
T-Mobile (DE): Private IP 10921312 -> 17921312
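
The three categories above, applied to a before/after comparison of one request (what the client sent against what a server you operate received), as an added example that is not code from the talk or from Netalyzr. The header names come from the slides; the sample requests, the identifier values and all function names are constructed for illustration, and like the method itself it only sees changes made on the path to that one server.

```python
import ipaddress

# Header names from the slides, grouped into the talk's three categories.
PRIVACY = {"x-up-calling-line-id", "msisdn", "x-nokia-msisdn", "x-up-3gpp-imeisv"}
TRACKING = {"x-acr", "x-amobee", "x-uidh", "x-vf-acr"}
OPERATIONAL = {"x-forwarded-for"}


def parse_request_head(raw: bytes) -> dict:
    """Parse a raw HTTP/1.x request head into {lowercase name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:  # ignore lines without a colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def classify(name: str) -> str:
    """Map a header name to one of the talk's categories."""
    name = name.lower()
    base, _, suffix = name.rpartition("-")
    if name in PRIVACY:
        return "privacy-compromising"
    # Numbered variants such as x-amobee-2 count as the base header.
    if name in TRACKING or (suffix.isdigit() and base in TRACKING):
        return "tracking"
    if name in OPERATIONAL:
        return "operational"
    return "unclassified"


def redact(value: str, keep: int = 4) -> str:
    """Mask an identifier so the report does not itself store it."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def xff_note(value: str) -> str:
    """Say what the first x-forwarded-for entry reveals; it may also be bogus."""
    first = value.split(",")[0].strip()
    try:
        addr = ipaddress.ip_address(first)
    except ValueError:
        return "not an IP address"
    return "exposes a private address" if addr.is_private else "public address"


def audit(sent_raw: bytes, received_raw: bytes) -> list:
    """Report headers injected, modified or removed between client and server."""
    sent = parse_request_head(sent_raw)
    received = parse_request_head(received_raw)
    findings = []
    for name in sorted(set(sent) | set(received)):
        before, after = sent.get(name), received.get(name)
        if before == after:
            continue
        if before is None:
            change = "injected"
        elif after is None:
            change = "removed"
        else:
            change = "modified"
        category = classify(name)
        sensitive = category in ("privacy-compromising", "tracking")
        for value in (after or before):
            findings.append({
                "header": name,
                "change": change,
                "category": category,
                "value": redact(value) if sensitive else value,
                "note": xff_note(value) if name == "x-forwarded-for" else "",
            })
    return findings


# Constructed sample: the request as sent by the client ...
SENT = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: test-client\r\n\r\n")
# ... and as logged by the server (all identifier values are made up).
RECEIVED = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: test-client\r\nX-UIDH: CONSTRUCTEDUIDH0001\r\n"
            b"x-up-calling-line-id: 00000000000\r\n"
            b"X-Forwarded-For: 10.0.0.12\r\nVia: 1.1 proxy.example\r\n\r\n")

if __name__ == "__main__":
    for finding in audit(SENT, RECEIVED):
        print(finding)
```
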

Final Remarks

What can users do?
• Tech-savvy users may use VPNs
• "Do-Not-Track" header is useless

Be aware and complain
http://amibeingtracked.com

This problem also requires non-technical solutions

This is an increasing concern
• Evidence of JavaScript injection for advertising
• New 3rd party services providing advertising services for ISPs
• No evidence of header injection in HTTPS traffic (yet)

narseo@icsi.berkeley.edu
netalyzr-help@icsi.berkeley.edu
1 Privacy-compromising headers
Definition HTTP headers leaking sensitiveinformation that identify uniquely
the device (eg IMEI)
the user (eg IMSIMSISDN)
Identified in 5 mobile operators
18
MSISDN 962779705XXX x-up-calling-line-id 277251XXXXX
1 Privacy-compromising headers
x-up-calling-line-id Vodacom (ZA) Phone
msisdn Orange (JO)MSISDN
x-nokia-msisdn Smart (PH)
x-up-3gpp-imeisv Vodacom (ZA) IMEI
x-up-3gpp-imeisv 35858805517XXXXX
19
2 Tracking headers
Definition Operator-generated unique identifier for advertising purposes
They are inmutable
They do not directly reveal sensitive information about users but enable user-tracking
Identified in 6 mobile operators
20
x-amobee-2 yJYE[hellip]5yepHn5Tc1hgdt5Hzog== X-UIDH Njk2ODY1NjkxAN8[hellip]eCcl c0kiEZJ1vnGJo
2 Tracking headers
x-acr ATampT (US)
x-amobee Airtel (IN) Singtel (SG)
x-uidh Verizon (US)
x-vf-acr Vodacom (ZA) Vodafone (NL)
x-acr 486E03D[hellip]D359Dncc=310410type=Dyna
21
2 Tracking headers xminusamobeeminus1
xminusacr xminusamobeeminus2
xminusuidh xminusvfminusacr xminusvfminusacr
Airtel (IN)
ATampT (US)
Singtel (SG)
Verizon (US)
Vodacom (ZA)
Vodafone (NL)
2013minus1
1
2014minus0
2
2014minus0
5
2014minus0
8
2014minus1
1
2015minus0
2
Date
Header injected Header not injected
22
3. Operational headers
Definition: HTTP headers for operational purposes
They contain information such as:
• Mobile operator (MCC/MNC codes) and 3GPP technology
• 3GPP Gateway manufacturer (Nokia/BlueCoat), software version and even its location
• Handset's private IP address
Identified in 24 operators
23
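The three header categories above can be checked for from the receiving side. The following is an added example, not part of the talk or the authors' tooling: it compares the headers a client sent with those an echo server under the tester's control received, and labels anything added in-path using the header names listed on the slides. Function names and the sample request are constructed for illustration.

```python
# Header names below are the ones listed on the slides; everything else
# (function names, sample requests) is constructed for this example.
PRIVACY = {"x-up-calling-line-id", "msisdn", "x-nokia-msisdn", "x-up-3gpp-imeisv"}
TRACKING = {"x-acr", "x-uidh", "x-vf-acr"}
TRACKING_PREFIXES = ("x-amobee",)   # slides show x-amobee-1 / x-amobee-2
OPERATIONAL = {"x-forwarded-for"}

def categorize(name):
    """Map a header name to one of the slide deck's three categories."""
    n = name.strip().lower()
    if n in PRIVACY:
        return "privacy-compromising"
    if n in TRACKING or n.startswith(TRACKING_PREFIXES):
        return "tracking"
    if n in OPERATIONAL:
        return "operational"
    return "unclassified"

def redact(value, keep=4):
    """Keep a short prefix so a report never stores a full identifier."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def find_injected(sent, received):
    """Return headers the server saw that the client never sent."""
    sent_names = {name.strip().lower() for name, _ in sent}
    findings = []
    for name, value in received:
        if name.strip().lower() in sent_names:
            continue  # present on the wire when the request left the device
        findings.append({
            "header": name.strip().lower(),
            "category": categorize(name),
            "value": redact(value.strip()),
        })
    return findings

# Constructed sample: the same request before and after an in-path proxy.
SENT = [("Host", "www.example.com"), ("User-Agent", "probe/1.0")]
RECEIVED = SENT + [
    ("X-UIDH", "CONSTRUCTED-TOKEN-0001"),
    ("x-up-calling-line-id", "277251XXXXX"),
    ("X-Forwarded-For", "10.0.0.7"),
    ("Via", "1.1 proxy.example"),
]

if __name__ == "__main__":
    for f in find_injected(SENT, RECEIVED):
        print(f"{f['category']:22} {f['header']}: {f['value']}")
```

The comparison only works for plain HTTP to a server the tester controls, because the client cannot observe what is added after the request leaves the device.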