Verizon May Soon Get to Enjoy a Lawsuit Over Its Sneaky Use of Perma-Cookies
from the privacy-schmivacy dept
Over the last few years, Verizon has been ramping up its behavioral tracking efforts via programs like Verizon Selects and its Relevant Mobile Ad system, which track wireless and wireline subscriber web behavior to deliver tailored ads and sell your information to third parties. Unknown until a few weeks ago however was the fact that as part of this initiative, Verizon has started using what many are calling controversial "stealth," "super" or "perma" cookies that track a user's online behavior covertly, without users being able to disable them via browser settings.Lawyer and Stanford computer scientist Jonathan Mayer offered up an excellent analysis noting that Verizon was actively modifying its users' traffic to embed a unique identifier traffic header, or X-UIDH. This header is then read by marketing partners (or hey, anybody, since it's stamped on all of your traffic) who can then build a handy profile of you. It's a rather ham-fisted approach, argues Mayer, who notes that while you can opt-out of Verizon selling your data, you can't opt out of having your traffic embedded with the unique identifier. He also offered up a handy graphic detailing precisely how these headers work:
As the story grew the last few weeks, ProPublica noted that Twitter's mobile advertising arm is already one of several clients using Verizon's "header enrichment" system, though Twitter didn't much want to talk about it. Several tools like this one have popped up since, allowing users to test their wireless connections (note it doesn't work if your cellular device is connected to Wi-Fi, and may be masked by the use of Google Mobile Chrome, Opera Mini, or if viewed through apps like Flipboard).
Kashmir Hill at Forbes also has a great article exploring the ramifications of the system and asked Verizon and AT&T (who has started trials of a similar system) what consumer protections are in place. Both companies proclaimed that the characters in their headers are rotated on a weekly and daily basis to protect user information. But as we've noted time and time again, there's really no such thing as an anonymized data set, and security consultant Ken White argues that only part of the data in the headers is modified, if at all:
"White has been tracked for the past 6 days across 550 miles with a persistent code from both Verizon and AT&T. He has a smartphone with Verizon service and a hotspot with AT&T service. In AT&T’s case, the code has four parts; only one part changes, he says. “It’s like if you were identified by a birth month, a birth year, a birth day, and a zip code, and they remove one of those things,” said White. You’d still be able to reasonably track that person with the other three. Verizon’s code meanwhile hasn’t changed for him, and it’s been almost a week."Amusingly, I remember back in 2008 when concerns about deep packet inspection and behavioral ads were heating up, Verizon declared there really wasn't any need for consumer protections or privacy rules governing such technologies, because, the company claimed, public shame and the oodles of competition in the broadband space would somehow keep them honest:
"A couple of years back during the debate on net neutrality, I made the argument that industry leadership through some form of oversight/self-regulatory model, coupled with competition and the extensive oversight provided by literally hundreds of thousands of sophisticated online users would help ensure effective enforcement of good practices and protect consumers."Yet here we have an example where the behavior Verizon was engaged in was so surreptitious, even some of the best networking and security experts in the business didn't notice Verizon was doing it until two years after the effort was launched. Apparently, holding Verizon accountable is going to take a little more than a public scolding in the town square. The EFF has stated they're taking a look at possible legal action against Verizon for violating consumer privacy law.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: behavioral tracking, perma-cookies, spying, tracking
Companies: at&t, verizon
Reader Comments
Subscribe: RSS
View by: Time | Thread
We need TLS everywhere
[ link to this | view in chronology ]
Re: We need TLS everywhere
[ link to this | view in chronology ]
Re: We need TLS everywhere
Verizon is using a Man-in-the-middle attack here, and all they are doing is adding to your message. TLS has no control over that.
Think of it as if you sent a letter, then the mail man wrote a message and put your letter and their message into a new envelope and mailed that. There's nothing you can do to stop it.
[ link to this | view in chronology ]
Re: Re: We need TLS everywhere
If Verizon has a CA cert that's trusted by mobile browsers they could be MITM-ing the TLS negotiation. That's even plausible for phones distributed by Verizon. If that were the case, though, it'd be called out by the researchers who've been reporting on this. We'd also see calls for it to be removed from the trust roots.
Gumnos' concerns about TLS-stripping attacks are much more likely to be valid, although the particular case mentioned probably wasn't malicious.
[ link to this | view in chronology ]
Re: We need TLS everywhere
[ link to this | view in chronology ]
Hope they get screwed
[ link to this | view in chronology ]
Re: Hope they get screwed
You're quite free to choose another provider or to not use the internet, after all.
The concept of (unfettered) internet access as a human right suddenly starts to sound attractive instead of flaky.
[ link to this | view in chronology ]
Re: Re: Hope they get screwed
[ link to this | view in chronology ]
Re: Re: Re: Hope they get screwed
Is your privacy somehow a different entity from you such that you cannot consent or agree to have your privacy invaded?
Questions, questions.
[ link to this | view in chronology ]
Re: Re: Re: Re: Hope they get screwed
I disagree with the assumption that because something is in the ToS, you have agreed to it. I know that it's true legally, but practically it's almost never the case.
"Is your privacy somehow a different entity from you such that you cannot consent or agree to have your privacy invaded?"
That's an oddly worded question. Of course you can agree to have your privacy invaded. But just because you agree to it doesn't magically stop it from being an invasion of privacy.
[ link to this | view in chronology ]
Re: Re: Re: Hope they get screwed
Also, it may not be legal/enforceable even if it's in the ToS.
[ link to this | view in chronology ]
Re: Re: Hope they get screwed
Laws are not necessarily reasonable, ethical or legitimate. Current privacy and data protection laws are radically inadequate and require urgent reform. Thanks to
lobby dollars / political donations (political bribes) from Google et al, combined with the toxic influence of the security state, this is unlikely
to occur for years.
[ link to this | view in chronology ]
all Verizon and others need is to allow others to read where you have been and they will obviously get paid. what is so annoying about this is that it's your data that they are giving access to, for a fee, and you not only dont get asked, you dont get paid either!!
[ link to this | view in chronology ]
Personal
[ link to this | view in chronology ]
Re: Personal
[ link to this | view in chronology ]
Re: Personal
/sarc
[ link to this | view in chronology ]
Re:
Getting paid wouldn't make the tracking any less objectionable.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
I doubt Verizon is going to make it easy for you...
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Classic Man in the Middle
[ link to this | view in chronology ]
Re: Classic Man in the Middle
[ link to this | view in chronology ]
Re: Re: Classic Man in the Middle
So for now, Title II won't do anything.
[ link to this | view in chronology ]
Re: Re: Re: Classic Man in the Middle
[ link to this | view in chronology ]
Re: Classic Man in the Middle
[ link to this | view in chronology ]
Uhh...
Nobody uses generic ads, since they're useless. There's really not even an offline equivalent. You always know something about your audience, even if it's as little as where they are when they see the ad.
Semi-targeted ads are like a billboard, when you know the location it's being seen, or a TV spot where you have a good idea about the demographics of the viewing audience.
Targeted ads are usually thought of as online, but any mailers you get from retailers you frequent are basically the same thing. Or coupons that print on your receipt at checkout. They know what you bought previously and will push similar products.
Injecting identifiers, for the purpose of delivering advertising, is INHERENTLY targeting. Any attempt to claim it's not is a flat-out lie. And not even a good one. It's a three-year-old with ice cream all over his face telling you the dog did it.
W. T. F.
If a profile expired every day, or even every week, it would be WORTHLESS. The entire point of doing this is that it's trackable.
Claiming otherwise doesn't take big brass balls, it takes a small withered brain.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Is this excuse valid when it comes time to pay for overages? :)
I understand that it is just a string of text, but depending on how they measure bandwidth, it could add up...
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Of course, it may also be inserted before the metering, so it might be included...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
They should be fined per customer whose privacy they violated and not just a flat rate of 50 million which is essentially nothing to them.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
This isn't about the ads.
[ link to this | view in chronology ]
Security consultant Ken White
[ link to this | view in chronology ]
that would be much harder to detect, and work across apps (not sure if every single app uses the standard web api/rest/http protocol).
[ link to this | view in chronology ]
phorm for this
Prosecution over here fell apart with "no criminal intent" decided after attempting a long grass exercise as the alternative was hammering the former national phone carrier who got caught.
Guess that encryption hurts this sort of thing, and certain agencies don't want people encrypting things may have something to do with it. Plus not wanting a court to rule that this sort of stealth stuff is illegal.
[ link to this | view in chronology ]
Pool old lonely blogger I am..
Ok so I'm whining that nobody wants to recognize me (grin). I read your feeds here too and reference you in tweets and some blogs too.
There's my original at the link...
http://ducknetweb.blogspot.com/2014/10/verizon-wireless-packaging-and-selling.html
But just for that though, here's a new page I made up on my privacy campaign and worth a look at the Congressional testimony video there too:)
http://www.youcaring.com/other/help-preserve-our-privacy-/258776
You can make it up by donating if you want..I'm just kidding and wiping the tear of out my eye:) I'm a former developer in healthcare, and don't write anymore but try to put some bottom line stuff out there when I can:)
[ link to this | view in chronology ]
State Actor
[ link to this | view in chronology ]
Delicious Lie
These companies don't care about user information. Therefore, they don't do that rotation to protect the users: they do that because, if they didn't, the advertising company would build its own database of tracking codes. To prevent that the code is rotated, requiring the advertising company to make yet another paid request to learn the identity of the person.
I'm sure Verizon was deliciously amused that this feature permitted them to lie that they were protecting "user information".
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Fortunately we have alternatives, and I will send more of my money to Google to encourage them to develop access here.
[ link to this | view in chronology ]
Alrighty than.
[ link to this | view in chronology ]
Re: Alrighty than.
[ link to this | view in chronology ]
Still at it
[ link to this | view in chronology ]
Edit: Update
[ link to this | view in chronology ]
...
[ link to this | view in chronology ]
Hahjjaj
[ link to this | view in chronology ]