Telecom major Vodafone is piloting a new advertising ID system in Germany called TrustPid, which it argues will help it serve targeted ads. The new system is designed to be immune to Apple’s ban on user tracking and will work even after Google retires the advertising cookie. Vodafone contends it needs to do this to generate advertising revenue and keep the internet free, while privacy advocates claim tying the tracking to individual devices will enable Vodafone to collect very specific data about people.  “This is an enormous violation of user confidentiality and the expectation of privacy,” Steven Harris, an open source intelligence (OSINT) specialist, told Lifewire over Twitter DMs. “The idea that this highly sensitive data could be made routinely available to marketing and analytics companies should horrify anyone who is concerned about privacy.”

Free For All

TrustPid involves Vodafone assigning a fixed ID to each customer, then associating all their online activity with that ID.  Harris said even when law enforcement agencies want to access this kind of targeted information about individual users, it’s made to jump through several hoops because of the far-reaching consequences it has on a person’s privacy. “We must accept that services we consume on the internet cost real money to deliver,” Brian Chappell, chief security strategist, EMEA & APAC, at BeyondTrust, told Lifewire over email. “Some we subscribe to directly with monthly or annual payments…the rest we quietly, often silently, subscribe [to] by ‘selling’ our information.” Chappell added that this has led to an industry of tracking people and building profiles on them to allow for ever more targeted advertising.  Frank Maduri, Global VP of Sales and Business Development for LoginID, can understand TrustPid’s appeal to service providers and advertisers. “As we’ve seen recently with Twitter, advertisers want to ensure they are reaching unique, real people and not bots,” Maduri told Lifewire over email. “We expect that advertisers will increasingly be demanding assurances that they are not paying for impressions/clicks from bots.” Harris chimed in saying that, historically, the tracking industry has relied on a combination of cookies, browser fingerprints, and tracking pixels in order to better profile users. However, with careful countermeasures, privacy-conscious users can negate this tracking. He added that Apple’s recent moves to curb many of the prevalent tracking mechanisms in the latest version of iOS helped ensure user privacy, even for people without the technical know-how to safeguard their interests. “It appears that Vodafone and TrustPid are proposing to trial a different method to uniquely identify users by using phone hardware,” warned Harris. “Hardware-based tracking is potentially much more difficult, or perhaps even impossible, for users to protect themselves from when compared to software-based tracking.”

Who Do You Trust?

Further explaining the dangers, Harris said that mobile network operators are aware of the unique serial number of the SIM in the phones, the device’s unique handset identifier, and our approximate location to within a few cell towers. It needs to know these details in order to route calls to our devices. However, combining these data points together could easily create a hardware-based unique identifier that would be very persistent and scarily accurate, and reliable. Harris continued, saying this level of tracking is extremely useful for advertisers, especially when people use mobile data, as opposed to Wi-Fi, because then the mobile network can theoretically also track their activity across all of their phone apps.  “If advertising companies had access to this data, they would have far-reaching insights into which websites and apps you used and how regularly you use them, and so on,” feared Harris. TrustPid’s only saving grace, explains Chappell, is that it’ll only share our unique IDs with websites that we’ve asked them to share the ID with. If the consent is withdrawn, the ID will no longer be shared. Of course, this does mean that people will need to sign into the service with the telecom operators, Vodafone and Deutsche Telekom, for the time being, who we’ll have to trust to maintain the link between our identity and the ID. “They will also share your information with other third parties who participate in the service, though what information will be shared isn’t entirely clear,” pointed out Chappell. “The lack of real information on the TrustPid website, along with a lackluster design, does little to build confidence in this new approach.” Correction 06/3/2022: Updated the position of Steven Harris in paragraph three at the person’s request.