The scheduled end of third-party cookies on web browsers has triggered a true arms race in the targeted advertising industry. While Google is trying to impose its own standards (like the Privacy Sandbox), another unexpected player has decided to grab a piece of the pie: your Internet Service Provider (ISP).
Thus was born Utiq (formerly known as project TrustPid), a joint venture founded by European telecommunications giants. Sold to the general public as a “transparent and respectful” solution, Utiq is actually what cybersecurity experts fear most: a “supercookie” operating at the network level.
What is Utiq and how does it work?
Traditionally, advertising tracking (cookies) is managed by your web browser (Chrome, Firefox, Safari). You could block it using extensions (like uBlock Origin) or a privacy-oriented browser (like Brave).
Utiq shifts the problem one step back: to the level of your network connection.
Here is how the trap springs:
- Network interception: When you browse the internet via your mobile connection (4G/5G) or your fiber box, Utiq uses your IP address and your telecom subscription data to identify you.
- Consent (the false choice): Upon arriving at a partner site, a pop-up window asks you to accept Utiq. Due to the fatigue associated with cookie banners (Consent Fatigue), millions of users click “Accept” without reading.
- The “Network Signal”: Once consent is given, Utiq directly contacts your telecom operator. The latter generates a unique, pseudonymized identification token (the network signal) which it transmits to advertisers.
You are now trackable from site to site, not by a file stored on your computer, but by the very infrastructure that provides you with the internet.
Why Utiq is a privacy nightmare (OPSEC)
The initiative raises serious problems for digital sovereignty and the confidentiality of your data:
- Tracking at the source: Unlike classic cookies, you cannot simply “clear your history” or “empty your cache” to get rid of Utiq. The identification token is generated by your ISP.
- The centralization of profiles: Telecom operators already know your name, physical address, banking details, and location in real-time. By linking your web browsing history via Utiq to this, they create behavioral profiling of daunting precision.
- The flaw of pseudonymization: Utiq defends itself by not sharing your name in plain text, claiming to use “encrypted” tokens. However, in the cybersecurity world, it is proven that pseudonymization is reversible. Cross-referencing these tokens with other databases allows individuals to be easily re-identified.
Which operators use Utiq?
Utiq was founded by an alliance of the four largest European operators. If you are a customer of one of them (or one of their low-cost subsidiaries), your connection is potentially already “compatible” with this tracking.
Here are the founders and links to their respective privacy policies:
- Orange (France, Spain, Poland, etc.)
- Vodafone (Germany, Spain, UK, etc.)
- Telefónica / O2 / Movistar (Spain, Germany, etc.)
- Deutsche Telekom (Germany, Central Europe)
The OPSEC tip: Although Utiq offers a centralized consent management portal (consenthub.utiq.com) to revoke access, the best defense remains technological.
The Zero-Trust approach to counter Utiq
The philosophy of digital sovereignty, driven by ecosystems like Arpokrat, relies on a simple principle: never trust the network infrastructure.
To technically neutralize systems like Utiq, the solution is to hide your traffic from your own internet service provider:
- Using a sovereign VPN: By encrypting your traffic as soon as it leaves your device, your ISP only sees an unreadable stream of data directed towards a VPN server. It can no longer inject or read Utiq tokens.
- The Tor network (Orbot): Onion routing prevents any end-to-end identification.
- DNS Encryption (DoH/DoT): Prevents your operator from knowing which websites you request to visit.
In summary, Utiq is proof that internet service providers are no longer content with being mere “pipes”; they want to become data brokers. More than ever, encrypting your traffic is no longer a security option, but an absolute necessity to preserve your digital silence.