DUBAI: It wasn’t long ago when two of the biggest telecom carriers in America, Verizon and AT&T, were in hot waters and paid fines to the tunes of millions for their supercookie header injection.
This was just one of the many fears that network security professionals had about what could happen to Pakistan’s internet-space, before the launch of its much-awaited 3G internet services.
Today, it is close to impossible to browse the internet on 3G/4G data connections because of their supercookie header injection which pumps in these annoying popup ads on users’ mobile browsers – popups that can’t be closed. Every other cellular data user in Pakistan comes across these DNSLocker ads. These ads are not only a sham, but lead to a much bigger problem – a total compromise on users’ privacy.
Did you ever contemplate that 3G packages in Pakistan are way cheaper than they should be? Did the 3G/4G infrastructure not cost pretty much the same as in any other country? Here’s how your privacy is being traded off in exchange of cheap or let’s say close-to-free 3G packages. These telcos have been silently modifying your web traffic on its network to inject a tracker – a super-cookie that is extremely difficult to get rid of.
This cookie is included in an HTTP header known as X-UIDH and is sent to every website you visit from your mobile device. As a consequence, third-party advertisers working silently with these telecom companies (or with their employees under the table), get to know your entire browsing habit, in order to force-advertise the best-suited products, without your consent.
3G/4G users up 3.74%, but growth slowing
Firstly, you didn’t ask for any ads from the telco at least, since it’s a paid service, right? Secondly, you didn’t expect that your telco knows about each and every website you visited and what you did there?
Now comes a third problem. There’s a third force that knows about your entire browsing habits – this can be the government, or hackers, or anyone who can easily exploit the X-UIDH header, since it’s highly insecure. You’re basically allowing your telecom carrier/government/hackers to hijack your browser, invite them to install fake browser certificates and even get access to your secure data such as Facebook, Gmail etc, let alone the forced ads that are just the tip of the iceberg. These crimes are not limited to mobile only. Some telecom carriers are doing this in the open, even on desktop browsers.
The associated risks are huge. Some examples of how Pakistanis are paying the price are in the form of getting their PayPal and other monetary services accounts blocked completely.
Have you recently had problems logging into your Internet banking? A telco’s range has already been blacklisted by CloudFlare and many other Content Delivery Networks that can be witnessed every time you are asked to fill a captcha or a “I’m not a robot” challenge.
Even on Facebook, you sometimes end up getting this before posting something.
This also opens doors to the vulnerability of forming a bot-net out of all users on the telecom carrier. The worst part is; you can’t opt out of this unless you’re a techie. It can’t get any worse than this, folks.
Mobile broadband demand growing at rapid pace
It is partly due to these vulnerabilities that Pakistan’s internet-space has the highest malware threat encounter rate in the world. According to Microsoft Security Intelligence’s latest report, malware threat encounter rate in Pakistan is 60% as compared to the world’s average of 20%.
It’s about time these telecom carriers are held accountable and made to pay fines before more web traffic histories are exchanged for dollars, before more internet banking and PayPal accounts get blocked, before more un-closeable ads earn them a fortune, before more user-time is wasted on filling out captchas and before Pakistan makes it to the top in more international reports about poor internet safety.
The writer runs a software and web-publishing company in Dubai.
Comments are moderated and generally will be posted if they are on-topic and not abusive.
For more information, please see our Comments FAQ