The scheduled end of third-party cookies on web browsers has triggered a true arms race in the targeted advertising industry. While Google is trying to impose its own standards (like the Privacy Sandbox), another unexpected player has decided to grab a piece of the pie: your Internet Service Provider (ISP).
Thus was born Utiq (formerly known as project TrustPid), a joint venture founded by European telecommunications giants. Sold to the general public as a “transparent and respectful” solution, Utiq is actually what cybersecurity experts fear most: a “supercookie” operating at the network level.
What is Utiq and how does it work?
Traditionally, advertising tracking (cookies) is managed by your web browser (Chrome, Firefox, Safari). You could block it using extensions (like uBlock Origin) or a privacy-oriented browser (like Brave).
Utiq shifts the problem one step back: to the level of your network connection.
Here is how the trap springs:
- Network interception: When you browse the internet via your mobile connection (4G/5G) or your fiber box, Utiq uses your IP address and your telecom subscription data to identify you.
- Consent (the false choice): Upon arriving at a partner site, a pop-up window asks you to accept Utiq. Due to the fatigue associated with cookie banners (Consent Fatigue), millions of users click “Accept” without reading.
- The “Network Signal”: Once consent is given, Utiq directly contacts your telecom operator. The latter generates a unique, pseudonymized identification token (the network signal) which it transmits to advertisers.
You are now trackable from site to site, not by a file stored on your computer, but by the very infrastructure that provides you with the internet.
Why Utiq is a privacy nightmare (OPSEC)
The initiative raises serious problems for digital sovereignty and the confidentiality of your data:
- Tracking at the source: Unlike classic cookies, you cannot simply “clear your history” or “empty your cache” to get rid of Utiq. The identification token is generated by your ISP.
- The centralization of profiles: Telecom operators already know your name, physical address, banking details, and real-time location. By linking your web browsing history to this data via Utiq, they create a behavioral profile of daunting precision.
- The flaw of pseudonymization: Utiq's defense is that it does not share your name in plain text and uses “encrypted” tokens instead. However, in the cybersecurity world, it is proven that pseudonymization is reversible. Cross-referencing these tokens with other databases allows individuals to be easily re-identified.
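The cross-referencing risk described in the last bullet, as an added example that is not part of the original article: a stable pseudonymous token is joined against an auxiliary dataset on shared (site, hour) visits. All data is constructed, and the token values and log layout are assumptions, not Utiq's real format.

```python
from collections import defaultdict

# Constructed sample data. Token values and log layout are hypothetical and
# do not reflect Utiq's real token format.
# Ad-side log keyed by pseudonymous token: (token, site, hour). No names.
AD_LOG = [
    ("tok_a1", "news.example", 8), ("tok_a1", "shop.example", 9),
    ("tok_a1", "forum.example", 21),
    ("tok_b2", "news.example", 8), ("tok_b2", "bank.example", 12),
    ("tok_c3", "news.example", 8),
]
# Auxiliary data from another source: visits made while logged in.
AUX_LOG = [
    ("alice", "shop.example", 9), ("alice", "forum.example", 21),
    ("bob", "bank.example", 12),
    ("carol", "news.example", 8),
]

def group(log):
    """Collect the set of (site, hour) visits recorded under each key."""
    traces = defaultdict(set)
    for key, site, hour in log:
        traces[key].add((site, hour))
    return traces

def linkable(ad_log, aux_log):
    """Map each identity to the single token whose trace contains all of its
    known visits; identities matching zero or several tokens are left out."""
    tokens, result = group(ad_log), {}
    for identity, known in group(aux_log).items():
        matches = [t for t, trace in tokens.items() if known <= trace]
        if len(matches) == 1:
            result[identity] = matches[0]
    return result

def newly_exposed(ad_log, aux_log):
    """Visits the join reveals about each linked identity beyond the auxiliary data."""
    tokens, known = group(ad_log), group(aux_log)
    return {who: tokens[tok] - known[who]
            for who, tok in linkable(ad_log, aux_log).items()}

if __name__ == "__main__":
    print(linkable(AD_LOG, AUX_LOG))
    print(newly_exposed(AD_LOG, AUX_LOG))
```

Carol stays unlinked because her only known visit is one that every token shares, while two uncommon visits are enough to single out Alice and expose the rest of her trace.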
Which operators use Utiq?
Utiq was founded by an alliance of the four largest European operators. If you are a customer of one of them (or one of their low-cost subsidiaries), your connection is potentially already “compatible” with this tracking.
Here are the founders and links to their respective privacy policies:
- Orange (France, Spain, Poland, etc.)
- Vodafone (Germany, Spain, UK, etc.)
- Telefónica / O2 / Movistar (Spain, Germany, etc.)
- Deutsche Telekom (Germany, Central Europe)
The OPSEC tip: Although Utiq offers a centralized consent management portal (consenthub.utiq.com) to revoke access, the best defense remains technological.
The Zero-Trust approach to counter Utiq
The philosophy of digital sovereignty, driven by ecosystems like Arpokrat, relies on a simple principle: never trust the network infrastructure.
To technically neutralize systems like Utiq, the solution is to hide your traffic from your own internet service provider:
- Using a sovereign VPN: By encrypting your traffic as soon as it leaves your device, your ISP only sees an unreadable stream of data directed towards a VPN server. It can no longer inject or read Utiq tokens.
- The Tor network (Orbot): Onion routing prevents any end-to-end identification.
- DNS Encryption (DoH/DoT): Prevents your operator from knowing which websites you request to visit.
In summary, Utiq is proof that internet service providers are no longer content with being mere “pipes”; they want to become data brokers. More than ever, encrypting your traffic is no longer a security option, but an absolute necessity to preserve your digital silence.