HACKER Q&A
📣 lakomen

Can you explain how TrustPID works and what can be done against it?


TrustPID is a cookie that, in the EU, at least in Germany, probably more countries, is in effect now, and is being transmitted in every request. At least I assume it is. I can't find any technical documentation.

It allows one to track everything you do on the ISP level.

Can you explain or link to technical documentation about it?

What can be done to protect against TrustPID, given that all major ISPs are using it?

  👤 ThePhysicist Accepted Answer ✓
Basically it means that your ISP, which so far was mostly on your side in regards to tracking in Germany (or at least not actively working against you), will start actively tracking you and selling your data.

Technically it's a reaction to the increasing crackdown on first- & third-party cookies in browsers, which makes tracking more difficult. And the idea those providers have is quite simple: They know who you are as you connect through their network, so they can just pass along that information to third parties. Hence, a publisher will no longer try to set a cookie in your browser or fingerprint you, instead it will simply call an endpoint provided by the TrustPid providers, passing along your IP address. The provider will then look up that IP in their database and return a pseudonymous ID, which basically is the same like a cookie ID. The important difference here is that everything happens on the server-side, so there's no way to block this using browser technology. And that's also why it's so interesting to these providers, as they're finally seeing their chance to get a big piece of the advertising / tracking cake due to the crackdown on cookies. Normally data protection would step in and block this, but the second ingredient is what I call "weaponized consent", i.e. make users explicitly agree to this form of invasive tracking. That will be quite easy as people are used to click "Accept" on cookie banners everywhere, so a large percentage of users will opt-in to this practice. I'm not 100 % sure about the technical details but I think the broad picture is correct.

Pretty much the only chance of stopping this is if the regulators step up and forbid this practice, otherwise it's shockingly effective. In general we can expect a lot more server-side technologies that try to replicate / replace client-side tracking, as those are harder to detect and block.

👤 jaclaz
I think it is a proposal, being experimented by Vodafone and Deutsche Telekom (possibly others) in Germany only:

https://www.wired.co.uk/article/trustpid-digital-token-super...

and recently they were joined by Telefonica (Spain) and Orange (France):

https://www.digitaltveurope.com/2023/02/13/deutsche-telekom-...

tests there are still to be carried from what I understand, the EU approved the joint venture, but nothing about the actual protocol/method.

It is also not clear (to me at least) if it is related to mobile operators only.

I would expect that - in due time - the one or the other EU country regulators will accidentally wake up from their eternal sleep and notice it.