Remember That Undeletable Super Cookie Verizon Claimed Wouldn't Be Abused? Yeah, Well, Funny Story...

from the your-privacy-preferences-now-mean-absolutely-nothing dept

A few months ago, we noted how Verizon and AT&T were at the bleeding edge of the use of new "stealth" supercookies that can track a subscriber's web activity and location, and can't be disabled via browser settings. Although this had been going on for two years, security researchers only just noticed that Verizon was actively modifying its wireless users' traffic to embed a unique identifier traffic header, or X-UIDH. This identifier effectively broadcasts user details to any website they visit, and the opt-out settings for the technology only stopped users from receiving customized ads -- not the traffic modification and tracking.

AT&T responded to the fracas by claiming it was only conducting a trial, one AT&T has since claimed to have terminated. Verizon responded by insisting that the unique identifier was rotated on a weekly basis (something researchers found wasn't true) and that the data was perfectly anonymous (though, as we've long noted, anonymous data sets are never really anonymous). While security researchers noted that third-party websites could use this identifier to build profiles of users without their consent, Verizon's website insisted that "it is unlikely that sites and ad entities will attempt to build customer profiles" using these identifiers.

As such, you'll surely be shocked to learn that sites and ad entities are building customer profiles using these identifiers.

Not only that, they're using the system to resurrect deleted tracking cookies and share them with advertising partners, making consumer opt-out preferences moot. According to security researcher Jonathan Mayer (and tested and confirmed by ProPublica), an online advertising clearinghouse by the name of Turn has been using Verizon's modifications when auctioning ad placement to websites like Google, Facebook and Yahoo for some time. When asked, Verizon pretends this is news to the company:

"When asked about Turn's use of the Verizon number to respawn tracking cookies, a Verizon spokeswoman said, 'We're reviewing the information you shared and will evaluate and take appropriate measures to address.' Turn privacy officer Ochoa said that his company had conversations with Verizon about Turn's use of the Verizon tracking number and said 'they were quite satisfied.'"

Like Verizon's implementation of the program, Turn lets users opt out of receiving targeted ads, but users have no way of really opting out of being tracked or having their packets manipulated without prior consent. As the EFF notes, your only option is to use a VPN for all your traffic, or to use a browser add-on like AdBlock, which doesn't fully address the issues with the use of a UIDH header. Amusingly, Turn tries to claim to ProPublica that it's actually using Verizon's UIDH to respect user behavioral ad opt out preferences, but the website found that repeatedly wasn't working:

"Initially, Turn officials also told ProPublica that its zombie cookie had a benefit for users: They said they were using the Verizon number to keep track of people who installed the Turn opt-out cookie, so that if they mistakenly deleted it, Turn could continue to honor their decisions to opt out. But when ProPublica tested that claim on the industry's opt-out system, we found that it did not show Verizon users as opted out. Turn subsequently contacted us to say it had fixed what it said was a glitch, but our tests did not show it had been fixed."

Even if Turn's being honest, there are plenty of companies that aren't going to bother being ethical. Verizon, which in 2008 insisted that consumer privacy protections weren't necessary because public shame would keep them honest, pretty clearly isn't interested in stopping the practice without legal or regulatory intervention. So yeah, again, we've got a new type of supercookie that tracks everything you do, can't be opted out of, and is turning consumer privacy completely on its ear, but there's absolutely nothing here you need to worry your pretty little head about.
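
A subscriber can check for the header injection described above by comparing what the browser sent with what an echo endpoint reports receiving, before and after clearing cookies. The following is an added example, not part of the original article: the host echo.example, the cookie value and the X-UIDH value are constructed placeholders, and the VPN case assumes the tunnel prevents the carrier from modifying the request.

```python
# Added example: all request data below is constructed, not captured traffic.
UIDH = "CONSTRUCTED-UIDH-VALUE"  # placeholder, not a real identifier

def build_request(cookie=None, uidh=None):
    """Build a raw HTTP/1.1 request (constructed sample input)."""
    lines = ["GET / HTTP/1.1", "Host: echo.example", "User-Agent: test-browser"]
    if cookie:
        lines.append(f"Cookie: id={cookie}")
    if uidh:
        lines.append(f"X-UIDH: {uidh}")
    return "\r\n".join(lines) + "\r\n\r\n"

def parse_headers(raw):
    """Return {lower-cased name: value} for the headers of a raw request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def injected_headers(sent, received):
    """Headers the server received that the client never sent."""
    sent_h = parse_headers(sent)
    return {k: v for k, v in parse_headers(received).items() if k not in sent_h}

def persistent_injected(sessions):
    """Injected (name, value) pairs identical in every (sent, received) session."""
    found = [set(injected_headers(s, r).items()) for s, r in sessions]
    return set.intersection(*found) if found else set()

# Session 1: browser holds a tracking cookie. Session 2: cookies were cleared.
# In both, the request arrives with the same header added in transit.
PLAINTEXT_SESSIONS = [
    (build_request(cookie="abc123"), build_request(cookie="abc123", uidh=UIDH)),
    (build_request(), build_request(uidh=UIDH)),
]
# Assumption: through a VPN the carrier cannot alter the request, so the
# echo endpoint sees exactly what was sent.
VPN_SESSIONS = [(build_request(), build_request())]

if __name__ == "__main__":
    print("plaintext:", persistent_injected(PLAINTEXT_SESSIONS))
    print("vpn:", persistent_injected(VPN_SESSIONS))
```

An identifier that shows up in `persistent_injected` for the plaintext sessions is one that clearing cookies did not reset, which is why browser settings offer no control over it.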

Filed Under: mobile data, privacy, super cookie, tracking, wireless, x-uidh
Companies: at&t, turn, verizon

Reader Comments

  1. Anonymous Coward, 15 Jan 2015 @ 1:43pm

    Re: Re:

    Will Tor strip out the X-UIDH header in transit through their system? My guess would be "Yes", but I don't really know.
