Verizon May Soon Get to Enjoy a Lawsuit Over Its Sneaky Use of Perma-Cookies

from the privacy-schmivacy dept

Fri, Nov 7th 2014 7:51am — Karl Bode

Over the last few years, Verizon has been ramping up its behavioral tracking efforts via programs like Verizon Selects and its Relevant Mobile Ad system, which track wireless and wireline subscriber web behavior to deliver tailored ads and sell your information to third parties. Unknown until a few weeks ago however was the fact that as part of this initiative, Verizon has started using what many are calling controversial "stealth," "super" or "perma" cookies that track a user's online behavior covertly, without users being able to disable them via browser settings.

Lawyer and Stanford computer scientist Jonathan Mayer offered up an excellent analysis noting that Verizon was actively modifying its users' traffic to embed a unique identifier traffic header, or X-UIDH. This header is then read by marketing partners (or hey, anybody, since it's stamped on all of your traffic) who can then build a handy profile of you. It's a rather ham-fisted approach, argues Mayer, who notes that while you can opt-out of Verizon selling your data, you can't opt out of having your traffic embedded with the unique identifier. He also offered up a handy graphic detailing precisely how these headers work:

As the story grew the last few weeks, ProPublica noted that Twitter's mobile advertising arm is already one of several clients using Verizon's "header enrichment" system, though Twitter didn't much want to talk about it. Several tools like this one have popped up since, allowing users to test their wireless connections (note it doesn't work if your cellular device is connected to Wi-Fi, and may be masked by the use of Google Mobile Chrome, Opera Mini, or if viewed through apps like Flipboard).

Kashmir Hill at Forbes also has a great article exploring the ramifications of the system and asked Verizon and AT&T (who has started trials of a similar system) what consumer protections are in place. Both companies proclaimed that the characters in their headers are rotated on a weekly and daily basis to protect user information. But as we've noted time and time again, there's really no such thing as an anonymized data set, and security consultant Ken White argues that only part of the data in the headers is modified, if at all:

"White has been tracked for the past 6 days across 550 miles with a persistent code from both Verizon and AT&T. He has a smartphone with Verizon service and a hotspot with AT&T service. In AT&T’s case, the code has four parts; only one part changes, he says. “It’s like if you were identified by a birth month, a birth year, a birth day, and a zip code, and they remove one of those things,” said White. You’d still be able to reasonably track that person with the other three. Verizon’s code meanwhile hasn’t changed for him, and it’s been almost a week."

Amusingly, I remember back in 2008 when concerns about deep packet inspection and behavioral ads were heating up, Verizon declared there really wasn't any need for consumer protections or privacy rules governing such technologies, because, the company claimed, public shame and the oodles of competition in the broadband space would somehow keep them honest:

"A couple of years back during the debate on net neutrality, I made the argument that industry leadership through some form of oversight/self-regulatory model, coupled with competition and the extensive oversight provided by literally hundreds of thousands of sophisticated online users would help ensure effective enforcement of good practices and protect consumers."

Yet here we have an example where the behavior Verizon was engaged in was so surreptitious, even some of the best networking and security experts in the business didn't notice Verizon was doing it until two years after the effort was launched. Apparently, holding Verizon accountable is going to take a little more than a public scolding in the town square. The EFF has stated they're taking a look at possible legal action against Verizon for violating consumer privacy law.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: behavioral tracking, perma-cookies, spying, tracking
Companies: at&t, verizon

55 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 7 Nov 2014 @ 8:07am

We need TLS everywhere
TLS guarantees the end-to-end principle. What I send is what the server receives, no more, no less. What the server sends is what I receive, no more, no less.
[ link to this | view in chronology ]
- Gumnos (profile), 7 Nov 2014 @ 8:17am
  
  Re: We need TLS everywhere
  Unless the providers interfere with the TLS handshake negotiation…
  [ link to this | view in chronology ]
- Cdaragorn (profile), 7 Nov 2014 @ 8:32am
  
  Re: We need TLS everywhere
  TLS cannot guarantee that. It can only guarantee that nothing in your message will be altered.
  
  Verizon is using a Man-in-the-middle attack here, and all they are doing is adding to your message. TLS has no control over that.
  
  Think of it as if you sent a letter, then the mail man wrote a message and put your letter and their message into a new envelope and mailed that. There's nothing you can do to stop it.
  [ link to this | view in chronology ]
  - elemecca (profile), 9 Nov 2014 @ 4:25am
    
    Re: Re: We need TLS everywhere
    That's... just not true, at least for a properly set up TLS connection. They can't add to, remove from, or change anything that goes over a TLS channel in a way that either party will accept without knowing the session key. It doesn't just guarantee that nothing in a particular HTTP request will be altered, as you seem to imply. It guarantees that nothing sent over the TLS connection will be altered. Even were that not true, the header would need to be inserted into the middle of the user's HTTP request and would thus require alteration of the message itself.
    
    If Verizon has a CA cert that's trusted by mobile browsers they could be MITM-ing the TLS negotiation. That's even plausible for phones distributed by Verizon. If that were the case, though, it'd be called out by the researchers who've been reporting on this. We'd also see calls for it to be removed from the trust roots.
    
    Gumnos' concerns about TLS-stripping attacks are much more likely to be valid, although the particular case mentioned probably wasn't malicious.
    [ link to this | view in chronology ]
- Jack Sprat, 7 Nov 2014 @ 8:32pm
  
  Re: We need TLS everywhere
  See https://www.eff.org/https-everywhere
  [ link to this | view in chronology ]
Pixelation, 7 Nov 2014 @ 8:07am

Hope they get screwed
It will be interesting to see just how far they will be able to go in invading our privacy.
[ link to this | view in chronology ]
- Anonymous Coward, 7 Nov 2014 @ 8:48am
  
  Re: Hope they get screwed
  They didn't invade your privacy, you did read the T&C didn't you?
  
  You're quite free to choose another provider or to not use the internet, after all.
  
  The concept of (unfettered) internet access as a human right suddenly starts to sound attractive instead of flaky.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 7 Nov 2014 @ 9:10am
    
    Re: Re: Hope they get screwed
    Just because the behavior is allowed in the ToS doesn't mean it isn't an invasion of privacy.
    [ link to this | view in chronology ]
    - Anonymous Coward, 7 Nov 2014 @ 9:39am
      
      Re: Re: Re: Hope they get screwed
      If you agree to be invaded have you been invaded?
      
      Is your privacy somehow a different entity from you such that you cannot consent or agree to have your privacy invaded?
      
      Questions, questions.
      [ link to this | view in chronology ]
      - John Fenderson (profile), 7 Nov 2014 @ 10:03am
        
        Re: Re: Re: Re: Hope they get screwed
        "If you agree to be invaded have you been invaded?"
        
        I disagree with the assumption that because something is in the ToS, you have agreed to it. I know that it's true legally, but practically it's almost never the case.
        
        "Is your privacy somehow a different entity from you such that you cannot consent or agree to have your privacy invaded?"
        
        That's an oddly worded question. Of course you can agree to have your privacy invaded. But just because you agree to it doesn't magically stop it from being an invasion of privacy.
        [ link to this | view in chronology ]
    - Anonymous Coward, 7 Nov 2014 @ 2:24pm
      
      Re: Re: Re: Hope they get screwed
      "Just because the behavior is allowed in the ToS doesn't mean it isn't an invasion of privacy."
      
      Also, it may not be legal/enforceable even if it's in the ToS.
      [ link to this | view in chronology ]
  - Anonymous Coward, 7 Nov 2014 @ 12:38pm
    
    Re: Re: Hope they get screwed
    "They didn't invade your privacy, you did read the T&C didn't you?"
    "Consent" means nothing if it is not appropriately informed. The fact that no one knew about this illustrates that there was no informed consent.
    "You're quite free to choose another provider or to not use the internet, after all."
    Isn't there some sort of state-imposed monopoly on these services? Meaningful participation in contemporary society necessitates use of the internet. Most of us are "free" not to use the internet in only the most technical sense, that is, not at all.
    
    Laws are not necessarily reasonable, ethical or legitimate. Current privacy and data protection laws are radically inadequate and require urgent reform. Thanks to
    lobby dollars / political donations (political bribes) from Google et al, combined with the toxic influence of the security state, this is unlikely
    to occur for years.
    [ link to this | view in chronology ]
Anonymous Coward, 7 Nov 2014 @ 8:12am

'you can't opt out of having your traffic' read.

all Verizon and others need is to allow others to read where you have been and they will obviously get paid. what is so annoying about this is that it's your data that they are giving access to, for a fee, and you not only dont get asked, you dont get paid either!!
[ link to this | view in chronology ]
- Liariasnoallowed, 7 Nov 2014 @ 8:43am
  
  Personal
  What if I want to send a love letter to my wife or girlfriend?
  [ link to this | view in chronology ]
  - Anonymous Coward, 7 Nov 2014 @ 9:51am
    
    Re: Personal
    [ link to this | view in chronology ]
  - PRMan, 7 Nov 2014 @ 9:51am
    
    Re: Personal
    If you really loved her, you wouldn't be ashamed for the world to know about it...
    
    /sarc
    [ link to this | view in chronology ]
- John Fenderson (profile), 7 Nov 2014 @ 8:47am
  
  Re:
  "you not only dont get asked, you dont get paid either!!"
  
  Getting paid wouldn't make the tracking any less objectionable.
  [ link to this | view in chronology ]
- Anonymous Coward, 7 Nov 2014 @ 11:36am
  
  Re:
  I agree customers should be asked if they want to opt in too this theft ring , the tolls have already been paid by the customer this is double dipping ,invasion of privacy , and like reading your mail before it hits the receivers house, any and all money should be passed on to the consumer for past interceptions of data.
  [ link to this | view in chronology ]
Sheriff Fatman, 7 Nov 2014 @ 8:13am

Bah, that's nothing. A couple of years back, the UK mobile-phone network O2 was caught injecting 3G users' phone numbers into HTTP requests.
[ link to this | view in chronology ]
beech, 7 Nov 2014 @ 8:14am

Any fines leveled against Verizon will be less than the profit they made off selling this information, so Verizon will have incentive to find other sneaky ways to turn profit
[ link to this | view in chronology ]
- Karl Bode (profile), 7 Nov 2014 @ 8:29am
  
  Re:
  Sadly you're right. They'll have made a billion long before getting a $50 million fine.
  [ link to this | view in chronology ]
- Charles (profile), 7 Nov 2014 @ 8:31am
  
  Re:
  I agree with you. But why are not fines greater than the profit from whatever shady practice is being investigated? Perhaps it is the too cozy relationship between the regulated and the regulators.
  [ link to this | view in chronology ]
  - Anonymous Coward, 7 Nov 2014 @ 8:56am
    
    Re: Re:
    How do you determine what they made?
    
    I doubt Verizon is going to make it easy for you...
    [ link to this | view in chronology ]
    - Anonymous Coward, 7 Nov 2014 @ 9:41am
      
      Re: Re: Re:
      Indeed, so forget the fines and file criminal charges. Our legal code is so byzantine there's almost no doubt they broke a number laws doing this. All that's left is doing some research and taking them to court.
      [ link to this | view in chronology ]
Cdaragorn (profile), 7 Nov 2014 @ 8:34am

Classic Man in the Middle
This is disgusting. This technique well known as a man in the middle attack and should be prosecuted as such. The fact that they're your provider does not give them the freedom to alter your messages like this.
[ link to this | view in chronology ]
- John Fenderson (profile), 7 Nov 2014 @ 8:48am
  
  Re: Classic Man in the Middle
  This is yet another areas where Title II classification would help. If you're a common carrier, you aren't allowed to alter the communications that you're carrying.
  [ link to this | view in chronology ]
  - derpwagon, 7 Nov 2014 @ 8:59am
    
    Re: Re: Classic Man in the Middle
    This isn't for wireline, it's wireless only (for now). Title II is only being considered for wireline. You'd need to get wireless included.
    
    So for now, Title II won't do anything.
    [ link to this | view in chronology ]
    - John Fenderson (profile), 7 Nov 2014 @ 9:11am
      
      Re: Re: Re: Classic Man in the Middle
      Yes, I know. I was making a larger point. :)
      [ link to this | view in chronology ]
- Uriel-238 (profile), 7 Nov 2014 @ 10:00am
  
  Re: Classic Man in the Middle
  Why is it that when haxxorz do MITM attacks they get imprisoned for years and years for a CFAA violation but when a company does it, wotcha gonna do, eh?
  [ link to this | view in chronology ]
radix (profile), 7 Nov 2014 @ 8:48am

Uhh...
You can either have targeted ads, semi-targeted ads, or generic ads.

Nobody uses generic ads, since they're useless. There's really not even an offline equivalent. You always know something about your audience, even if it's as little as where they are when they see the ad.

Semi-targeted ads are like a billboard, when you know the location it's being seen, or a TV spot where you have a good idea about the demographics of the viewing audience.

Targeted ads are usually thought of as online, but any mailers you get from retailers you frequent are basically the same thing. Or coupons that print on your receipt at checkout. They know what you bought previously and will push similar products.

Injecting identifiers, for the purpose of delivering advertising, is INHERENTLY targeting. Any attempt to claim it's not is a flat-out lie. And not even a good one. It's a three-year-old with ice cream all over his face telling you the dog did it.

Both companies proclaimed that the characters in their headers are rotated on a weekly and daily basis to protect user information.

W. T. F.

If a profile expired every day, or even every week, it would be WORTHLESS. The entire point of doing this is that it's trackable.

Claiming otherwise doesn't take big brass balls, it takes a small withered brain.
[ link to this | view in chronology ]
Anonymous Coward, 7 Nov 2014 @ 8:48am

Does this count toward overage/bandwidth?
[ link to this | view in chronology ]
- Karl Bode (profile), 7 Nov 2014 @ 8:51am
  
  Re:
  This is just a string of text, so not much bandwidth is consumed. Ads in general though do erode your usage allotment. AT&T is experimenting with a system that will let advertisers and content companies pay them an additional premium for their content and ads NOT counting against the usage cap, however.
  [ link to this | view in chronology ]
  - Anonymous Coward, 7 Nov 2014 @ 9:02am
    
    Re: Re:
    This is just a string of text, so not much bandwidth is consumed.
    
    Is this excuse valid when it comes time to pay for overages? :)
    
    I understand that it is just a string of text, but depending on how they measure bandwidth, it could add up...
    [ link to this | view in chronology ]
    - Karl Bode (profile), 7 Nov 2014 @ 9:51am
      
      Re: Re: Re:
      No, I imagine Verizon won't be sympathetic. :) They want you to reach your shared data cap limit any way possible and start incurring those $10-15 per GB overage fees.
      [ link to this | view in chronology ]
    - Eldakka (profile), 9 Nov 2014 @ 4:48pm
      
      Re: Re: Re:
      The extra header(s) are inserted into the packet after it's left your phone and and reached the telco. Therefore depending on where the actual metering of your data usage is done, it may not be included, as it may be inserted after it's already metered your packet.
      
      Of course, it may also be inserted before the metering, so it might be included...
      [ link to this | view in chronology ]
Anonymous Coward, 7 Nov 2014 @ 8:50am

Enjoy it Verizon! It's our pleasure. Want some more?
[ link to this | view in chronology ]
Anonymous Coward, 7 Nov 2014 @ 9:42am

I cancelled my Verizon account the moment I confirmed this tracking. They apparently dont like being told this in person when they ask why you're leaving. I doubt I'm the first to state that as a reason for immediate termination of service (curious how many have left as a result of this discovery).

They should be fined per customer whose privacy they violated and not just a flat rate of 50 million which is essentially nothing to them.
[ link to this | view in chronology ]
TDR, 7 Nov 2014 @ 10:17am

Verizon should be forced to forfeit all their profits from this past fiscal year and have then evenly distributed amongst their victims/customers.
[ link to this | view in chronology ]
- MAM, 7 Nov 2014 @ 2:19pm
  
  Re:
  Thanks, but no thanks. You are assuming that most of us care, and I can assure you we don't. I do not need, nor do I care, what Verizon does with this information. We have the right and ability to ignore ads. Your statement sounds like a Class Action attempt, which I believed is not allowed based on it's T&C.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 8 Nov 2014 @ 8:29am
    
    Re: Re:
    "We have the right and ability to ignore ads."
    
    This isn't about the ads.
    [ link to this | view in chronology ]
Mason Wheeler (profile), 7 Nov 2014 @ 10:45am

Security consultant Ken White
This is someone completely different from the Popehat guy, right?
[ link to this | view in chronology ]
Anonymous Coward, 7 Nov 2014 @ 11:02am

why not just convert their sheep to a static IPv6 address and steal/sell the DNS and network activity?

that would be much harder to detect, and work across apps (not sure if every single app uses the standard web api/rest/http protocol).
[ link to this | view in chronology ]
Claire Rand, 7 Nov 2014 @ 12:43pm

phorm for this
UK providers have phorm for trying this sort of rubbish as well. Would be nice to see _someone_ getting an actual punishment for it.

Prosecution over here fell apart with "no criminal intent" decided after attempting a long grass exercise as the alternative was hammering the former national phone carrier who got caught.

Guess that encryption hurts this sort of thing, and certain agencies don't want people encrypting things may have something to do with it. Plus not wanting a court to rule that this sort of stealth stuff is illegal.
[ link to this | view in chronology ]
MedicalQuack, 7 Nov 2014 @ 2:01pm

Pool old lonely blogger I am..
I'm not really complaining but I found the Stanford write up and tweeted it to Kashmir at Forbes and then what do you know I see the same image I used in my original blog there too.

Ok so I'm whining that nobody wants to recognize me (grin). I read your feeds here too and reference you in tweets and some blogs too.

There's my original at the link...

http://ducknetweb.blogspot.com/2014/10/verizon-wireless-packaging-and-selling.html

But just for that though, here's a new page I made up on my privacy campaign and worth a look at the Congressional testimony video there too:)

http://www.youcaring.com/other/help-preserve-our-privacy-/258776

You can make it up by donating if you want..I'm just kidding and wiping the tear of out my eye:) I'm a former developer in healthcare, and don't write anymore but try to put some bottom line stuff out there when I can:)
[ link to this | view in chronology ]
Anonymous Coward, 7 Nov 2014 @ 2:47pm

State Actor
Remind me again why a private company is charging us for their services, then turning around and selling literally everything they can about our use of their service. When they give the government access to records that should be protected, we should be able to shut down that company, not have it protected by new unconstitutional laws. Neither company should be open for business, much less colluding with the letters to "fight" whatever the buzzword excuse of the day is.
[ link to this | view in chronology ]
Coyne Tibbets (profile), 7 Nov 2014 @ 10:55pm

Delicious Lie
"Both companies proclaimed that the characters in their headers are rotated on a weekly and daily basis to protect user information."

These companies don't care about user information. Therefore, they don't do that rotation to protect the users: they do that because, if they didn't, the advertising company would build its own database of tracking codes. To prevent that the code is rotated, requiring the advertising company to make yet another paid request to learn the identity of the person.

I'm sure Verizon was deliciously amused that this feature permitted them to lie that they were protecting "user information".
[ link to this | view in chronology ]
Anonymous Coward, 19 Nov 2014 @ 5:38am

When you lie down with dogs, don't be surprised when you get up with fleas.
[ link to this | view in chronology ]
Anonymous Coward, 23 Jan 2015 @ 5:40pm

Verizon is a cancerous bleeding sore. They give me the wrong 411 number, block emergency calls, block alarm contacts, screw with my emails. They block every attemp to contact someone with over 20 percent brain function and charge 300 percent to be a bag of shit.
[ link to this | view in chronology ]
Anonymous Coward, 8 Feb 2015 @ 8:45am

my TLS connections via Verizon e-mail stopped working appx November 2014. Now I know why. What a bunch of douchebags.

Fortunately we have alternatives, and I will send more of my money to Google to encourage them to develop access here.
[ link to this | view in chronology ]
Robby, 18 Feb 2016 @ 10:15pm

Alrighty than.
These assholes are doing this shit to me. I encountered this exact header on CNN's website. They are selling my information no matter where I am. AOL which is under their parent company of Verizon seems like a likely suspicion. If this starts crossing further lines which I'm constantly drawing and being lenient. I am actually going to file a privacy lawsuit for the main asshole responsible for this. Either they back their nosy behinds the fuck up or I'm taking action on the main perpetrating asshole who is responsible for this. This privacy lawsuit would only target the individuals employed by this company and any other douchebags connected with this hostile intrusion or the company itself. People better start shaping up and getting in line before this gets more serious. If you do not respect privacy then you will be sued. Cease and desist people. This will be far reaching too. I'm going to put preliminary work in for this lawsuit. I received a call from my lawyer about this issue and I didn't respond back since I was giving people a second chance. But this is over I am getting to the bottom of this with my lawyers and if they are reading this you will be sued. This is only going to target only a few specific individuals who are responsible for this. And believe me we have all the evidence for a lawsuit which my parents helped me and my lawyers gather. This has gone on for too long and those who don't respect privacy are in over their heads.
[ link to this | view in chronology ]
- Robby, 18 Feb 2016 @ 10:19pm
  
  Re: Alrighty than.
  These people should have thought harder about this. But this is it. I have reached a limit and it is not only affecting me but those close to me and trying their best to help me. It was dumb to think there wouldn't be a whistleblower at some point but hey I'm not the one wasting the time on this issue.
  [ link to this | view in chronology ]
Robby, 19 Feb 2016 @ 12:29pm

Still at it
The marketers and associated companies are STILL employing their dirty marketing and frauds schemes. The latest fraud scheme gaining access to all my emails in my inbox to marketers thereby giving permission to a website hidden as a spam clearing software. I'm mad happy these companies and marketers are still doing this especially when there will be a hefty bcompensation given to me. This is so awesome.
[ link to this | view in chronology ]
Robby, 19 Feb 2016 @ 6:13pm

Edit: Update
Forgot to add that on top of the large corporations this will also target the individual responsible for being the primary igniting source for this. This is a serious infiltration of my human and civil rights. Whoever is responsible for this you will pay. You will pay for everything you have done to me. The mental torture, the hospital bills, the student loans, the stress you have put on all of those that surround me every single place I go. You will pay for this targeted action. I promise it and guarantee it. I am going forward with this as long as it doesn't harm the one individual I care about and the members of my immediate family. Otherwise, its fairgame. You brought this on yourself.
[ link to this | view in chronology ]
Daniel, 19 Feb 2016 @ 9:35pm

...
I will never do something if it hurts the girl I love. If you are reading this I won't do it if there is any chance at all that it will involve any action on you. I still love you and I don't want anything bad to ever happen to you because you are incredibly sweet to me. If I wanted to ever take any action I want to meet you and date you first so you can also talk to me if it is a good idea to take any legal action or if you think it would be a bad idea and waste of time. I don't want you to become entangled in this. I want you to be a part of my success but what I am saying is that I don't want my success to be controlled by these asshole marketers especially if we start a family. We have to protect ourselves so that when we do have a child/children we do not want these stupid marketers to have any negative effect on us. My love before I ever consider going to Ethiopia I really do want you to come with me. That is why I told my mom I would start working before I even consider going overseas because I know that once I start working things will fall into place. Do not ever think for a second that after all this and everything you have done for me that I would ever leave you in the dust. I told my mother I would work just for that reason. I will work for myself and so you will know that I care about you and I love you and no dumb marketers will ever get in between us no matter what they do and how hard they try to ruin mine or your life. Please don't think I'll leave you. Once we start dating we will grow closer and I am going to do everything I can to make sure I start caring for myself. Let us take it day by day
[ link to this | view in chronology ]
Daniel, 21 Feb 2016 @ 5:19pm

Hahjjaj
Now someone can remotely control my Kindle so webpages from my history can pop up. Lolololol guess we all sensitive in a way now aren't we?
[ link to this | view in chronology ]