Enlarge image
Headquarters of Vodafone Germany: What does the company intend to do with TrustPid?
Photo: Federico Gambarini/dpa
»Get the free Internet« – this is the message the provider Vodafone uses to greet visitors to its relatively new »TrustPid« offer.
Together with Deutsche Telekom, the company is currently testing a new way of marketing its customer data.
It's supposed to work like this: Up to now, cell phone providers have forwarded their end customers' data traffic largely untouched to the Internet.
With TrustPid, Vodafone would intervene in this data traffic and assign users a fixed ID based on a customer's mobile phone number, among other things.
Website operators could then call up this identifier in order to record exactly what content a mobile phone user is looking at in order to create a personal profile and display targeted advertising.
The argument: Only through such data transactions could many online offers generate enough income to remain free of charge in the future.
Goodbye advertising cookie, hello advertising ID
The demand from advertisers for such solutions is currently particularly high.
Especially since the iPhone manufacturer Apple started to push back all-encompassing tracking for advertising purposes, large branded companies have complained that they can only use half of the advertising cookies at most.
If Google turns off the advertising cookie in Chrome in 2023 as planned, the technical basis of the advertising business would have to be placed on a completely new technical basis.
But the advertising industry does not want to limit itself to unpersonalized advertising in the future and, for example, prefers to display car advertising on websites and articles related to cars.
Instead, a real race has begun between the providers of advertising IDs, who promise their customers that they can continue to track users.
The methods are diverse: On the one hand, the industry is trying to technically circumvent the tracking blocks.
For this purpose, the advertising cookies are moved to non-suspicious servers, for example.
Or when visiting a website, users are redirected in the background via various other domains, which then set cookies themselves.
At the same time, more and more providers want to get users to log in permanently and accept all data processing.
Provider in a central location
Cellular providers like Vodafone and Telekom are in a unique position.
Even if the browser routinely deletes cookies or even changes the IP address, the provider can still link the data traffic to the respective cell phone number.
Advertisers don't want access to names or real mobile phone numbers, only to a pseudonymous identifier.
However, this can quickly be reassigned to a specific user profile, for example when shopping in an online shop or logging in to an e-mail provider.
However, a new feature from Apple could ruin the business again.
With the so-called "iCloud Private Relay", the data is encrypted and redirected via Apple's servers, so the providers no longer have access.
Vodafone and Deutsche Telekom have therefore already lodged a complaint with the European Commission.
At the same time, the providers have started a joint lobbying campaign to ensure that they are allowed to monetize their end customers' data traffic themselves in order to finance network expansion.
The EU Commissioner Margrethe Vestager, responsible for digital, was open to such proposals.
Test run with unknown size
TrustPid is currently only in the test stage.
When asked, a spokesman for Vodafone Germany explained that the service was part of a "technical solution for digital advertising in Europe" from which "consumers, advertisers and publishers could benefit equally".
However, Vodafone does not reveal how many customers are taking part in the test operation.
However, the provider assures that they are informed about the data processing.
Tests by SPIEGEL suggest that TrustPid has not yet been routinely used by all Telekom and Vodafone customers in Germany.
So far, only one website seems to be involved in the process.
Bild.de has included a reference to the new program in its data protection conditions and also offers a revocation form to object to the use of the mobile phone ID.
However, Axel Springer did not answer a request from SPIEGEL.
Where the journey is headed, however, becomes clear when you call up the rudimentary TrustPid website: Vodafone not only wants to provide the advertising identifier, but also manage who can access this identifier.
For example, a function is built into the website with which mobile phone customers can give or revoke their consent to data processing by individual advertising partners.
This would give the providers a central role in advertising marketing, which they naturally want to be paid for.
Indelible cookies
The idea is by no means new.
The US provider Verizon had already used a very similar technology in 2012 to track its own users.
It was only years later that the so-called indelible "super cookies" became known and the provider had to pay a fine.
Vodafone wants to avoid such conflicts.
"We take the protection of privacy, data security and compliance with data protection and privacy laws very seriously," a spokesman assured SPIEGEL.
But are users even able to assess what the data that their mobile phone is constantly collecting about them is used for?
The extent of the data-gathering frenzy can be seen in the United States, for example, where several data brokers routinely traded the profiles of people who had attended an abortion clinic.
Even if the mobile phone provider does not deliver the data directly to such data brokers, advertising IDs such as those from Vodafone make it easier to link different data sources.
Until now, data brokers have routinely used Apple and Google device IDs, but the companies are now fighting this.
Data protectionists are alarmed by the mobile operators' initiative.
"From our point of view, the effectiveness of the user's consent must be questioned," explains the responsible data protection authority in North Rhine-Westphalia to SPIEGEL.
Data processing for users must be made transparent and voluntariness must be guaranteed.
In addition, the authority sees problems in the fact that the personal data is not stored on the users' devices, but on external servers.
The authority has therefore announced that it will examine TrustPid's data protection compliance more closely.
