Privacy advocates claim that Verizon is “silently modifying its users’ web traffic on its network to inject a cookie-like tracker… sent to every unencrypted website a Verizon customer visits from a mobile device.” According to the Electronic Frontier Foundation (EFF) Verizon’s “tracker, included in an HTTP header called X-UIDH” and the EFF explains how the supercookies work:

Like a cookie, this header uniquely identifies users to the websites they visit. Verizon adds the header at the network level, between the user’s device and the servers with which the user interacts.

Unlike a cookie, the header is tied to a data plan, so anyone who browses the web through a hotspot, or shares a computer that uses cellular data, gets the same X-UIDH header as everyone else using that hotspot or computer.

That means advertisers may build a profile that reveals private browsing activity to coworkers, friends, or family through targeted advertising.

Forbes reports that AT&T is testing it supercookies and that there is “nothing ready to announce.”

The EFF is demanding that the FTC act on this, but if the Privacy Policies for Verizon and AT&T permit supercookies how can this violate any laws?