Remember That Undeletable Super Cookie Verizon Claimed Wouldn't Be Abused? Yeah, Well, Funny Story...
from the your-privacy-preferences-now-mean-absolutely-nothing dept
A few months ago, we noted how Verizon and AT&T were at the bleeding edge of the use of new "stealth" supercookies that can track a subscriber's web activity and location, and can't be disabled via browser settings. Although Verizon had been doing this for two years, security researchers only just noticed that it was actively modifying its wireless users' traffic to embed a unique identifier traffic header, or X-UIDH. This identifier effectively broadcasts user details to any website the user visits, and the opt-out settings for the technology only stopped users from receiving customized ads -- not the traffic modification and tracking.
AT&T responded to the fracas by claiming it was only conducting a trial, one AT&T has since claimed to have terminated. Verizon responded by insisting that the unique identifier was rotated on a weekly basis (something researchers found wasn't true) and that the data was perfectly anonymous (though as we've long noted, anonymous data sets are never really anonymous). While security researchers noted that third-party websites could use this identifier to build profiles of users without their consent, Verizon's website insisted that "it is unlikely that sites and ad entities will attempt to build customer profiles" using these identifiers.
As such, you'll surely be shocked to learn that sites and ad entities are building customer profiles using these identifiers.
Not only that, they're using the system to resurrect deleted tracking cookies and share them with advertising partners, making consumer opt-out preferences moot. According to security researcher Jonathan Mayer (and tested and confirmed by ProPublica), an online advertising clearinghouse by the name of Turn has been using Verizon's modifications when auctioning ad placement to websites like Google, Facebook and Yahoo for some time. When asked, Verizon pretends this is news to the company:
"When asked about Turn's use of the Verizon number to respawn tracking cookies, a Verizon spokeswoman said, "We're reviewing the information you shared and will evaluate and take appropriate measures to address." Turn privacy officer Ochoa said that his company had conversations with Verizon about Turn's use of the Verizon tracking number and said "they were quite satisfied."
Like Verizon's implementation of the program, Turn lets users opt out of receiving targeted ads, but users have no way of really opting out of being tracked or having their packets manipulated without prior consent. As the EFF notes, your only option is to use a VPN for all your traffic, or to use a browser add-on like AdBlock, which doesn't fully address the issues with the use of a UIDH header. Amusingly, Turn tries to claim to ProPublica that it's actually using Verizon's UIDH to respect users' behavioral ad opt-out preferences, but ProPublica found that this repeatedly wasn't working:
"Initially, Turn officials also told ProPublica that its zombie cookie had a benefit for users: They said they were using the Verizon number to keep track of people who installed the Turn opt-out cookie, so that if they mistakenly deleted it, Turn could continue to honor their decisions to opt out. But when ProPublica tested that claim on the industry's opt-out system, we found that it did not show Verizon users as opted out. Turn subsequently contacted us to say it had fixed what it said was a glitch, but our tests did not show it had been fixed."
Even if Turn's being honest, there are plenty of companies that aren't going to bother being ethical. Verizon, which in 2008 insisted that consumer privacy protections weren't necessary because public shame would keep them honest, pretty clearly isn't interested in stopping the practice without legal or regulatory intervention. So yeah, again, we've got a new type of supercookie that tracks everything you do, can't be opted out of, and is turning consumer privacy completely on its ear, but there's absolutely nothing here you need to worry your pretty little head about.
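One way to check for this kind of header injection from the receiving end, as an added example that is not from the article or from the researchers it cites: compare a request as the client sent it with the same request as a header-echo server received it, then see whether any injected value outlives the weekly rotation Verizon claimed. The host name, identifier values and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

def parse_headers(raw: bytes) -> dict:
    """Header block of a raw HTTP/1.x request -> {lowercase name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def injected(sent: bytes, received: bytes) -> dict:
    """Headers (and values) the server saw that the client never sent."""
    before, after = parse_headers(sent), parse_headers(received)
    diff = {}
    for name, values in after.items():
        extra = [v for v in values if v not in before.get(name, [])]
        if extra:
            diff[name] = extra
    return diff

def long_lived_ids(observations, min_span=timedelta(days=7)):
    """Injected (header, value) pairs seen unchanged for at least min_span.
    observations: (datetime, sent_bytes, received_bytes) tuples, e.g. one
    capture per visit to a header-echo server, cookies cleared in between.
    """
    seen = {}  # (header, value) -> (first_seen, last_seen)
    for when, sent, received in observations:
        for name, values in injected(sent, received).items():
            for value in values:
                first, last = seen.get((name, value), (when, when))
                seen[(name, value)] = (min(first, when), max(last, when))
    return sorted(k for k, (first, last) in seen.items() if last - first >= min_span)

# Constructed sample data: the request as the browser sent it, and as it arrived.
SENT = b"GET / HTTP/1.1\r\nHost: echo.example\r\nUser-Agent: demo/1.0\r\n\r\n"

def arrived_with(uidh: str) -> bytes:
    """SENT plus an X-UIDH header added in transit (placeholder value)."""
    return SENT.replace(b"\r\n\r\n", b"\r\nX-UIDH: " + uidh.encode() + b"\r\n\r\n")

DAY0 = datetime(2015, 1, 1)
SAME_ID = [(DAY0 + timedelta(days=d), SENT, arrived_with("PLACEHOLDER-ID-A")) for d in (0, 4, 9)]
ROTATED = [(DAY0 + timedelta(days=d), SENT, arrived_with(f"PLACEHOLDER-ID-{d}")) for d in (0, 4, 9)]

if __name__ == "__main__":
    print(injected(SENT, arrived_with("PLACEHOLDER-ID-A")), long_lived_ids(SAME_ID))
```

Because the header is added after the request leaves the device, the comparison only works against plaintext HTTP captures taken on the server side of the carrier.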
Filed Under: mobile data, privacy, super cookie, tracking, wireless, x-uidh
Companies: at&t, turn, verizon
Reader Comments
Re: Re: Re: Re:
Only visit sites with httpS and they cannot insert these super cookies.
[ link to this | view in chronology ]
Re: Re:
Exactly!
We need all sites to use https.
If you have ads on your site, ensure they are also served over https.
It's not even expensive, you can get certificates for under $10/year.
[ link to this | view in chronology ]
Re: Re: Better research...
By the way, if you want to test your own carrier for this, browse to http://amibeingtracked.com over your cell connection.
[ link to this | view in chronology ]
Re: Re: Re: Better research...
using that site, t-mob in florida is indicating i am not being tracked...
YMMV
[ link to this | view in chronology ]
Re: Re: Better research...
A few years back, I moved into an apartment complex in an area I knew supplied ATT broadband. I know because I asked the businesses 300 yards from my front door. So when I went to sign up for ATT broadband, they told me it wasn't available in my area. I explained that I knew that was untrue and asked why I was being offered restricted service.
I was told that because my area wasn't considered profitable enough (read: not upper-middle class) ATT could only offer me DSL service.
The funny part is, I moved to what appeared to be the end of the same apartment complex where the higher class people had been gentrified, and I got ATT broadband no problem. This was in the same apartment complex.
ISPs abuse any and all rules to maximize profit, always. If they CAN sell your info, they WILL and HAVE sold your info.
[ link to this | view in chronology ]
Re: Re: Re: Better research...
True, but this is about cell phones, not home broadband.
[ link to this | view in chronology ]
can be = will be
[ link to this | view in chronology ]
I'll keep an eye on it see if mine changes
[ link to this | view in chronology ]
Re:
https://www.eff.org/https-everywhere
[ link to this | view in chronology ]
Is indexing and licensing making sense yet?
http://ducknetweb.blogspot.fr/2014/03/virtual-worlds-real-world-we-have.html
Here's my campaign and shortly I'll add a radio show link that I did today on privacy. Lawyers are messing up privacy efforts as they still think verbiage can control things and code in the world...their perceptions are nutty as heck. I invited the FTC to listen to the radio podcast as well since I write them almost every week on this topic:) Here's the campaign and if anyone kicks in a few dollars it's appreciated but not necessary.
http://www.youcaring.com/other/help-preserve-our-privacy-/258776
[ link to this | view in chronology ]
I can save them a lot of time and money in conducting their review: the only possible appropriate measure available is to stop injecting these tracking numbers.
This sort of response from companies that track users makes me angrier at those companies than if they just said "suck it, you can't opt out". My objection to the tracking is not the advertising. It's the tracking itself.
[ link to this | view in chronology ]
Re:
I have to think of that case where some mother furiously reacted to some supermarket sending her 16-year old daughter diaper and baby clothes advertisements only to figure out afterwards that the browsing habits analysis leading to that targeted advertising had been pretty much on-spot.
N O W, that makes me suspect that the "does not want to be spied upon -> child molester and/or terrorist" conclusion that NSA and its bosses come up in every political argument with is a lot less sophisticated than what advertising companies can come up with, never mind the gigantic data sets they are working with.
So it would seem just sensible if the task of proposing stings and FBI operations was taken off the NSA and given to Walmart and Toys'r'us. That should cut costs considerably while improving accuracy to a degree where some suspects might possibly even be arrested before they complete their attack: something that all the spying somehow so far failed to accomplish.
[ link to this | view in chronology ]
Re: Re:
And yes, I had to mark this as sarcasm as they really would do this if they could.
[ link to this | view in chronology ]
Re: Re: Re:
at the risk of being dismissed as a loony:
WHO here thinks that WHEN (not IF) nanobots are just a LITTLE bit more advanced than they are now, the spooks will want to put one up the butt of EVERY person they want to 'track' ? ? ?
AGAIN, we have KIND OF/SORT OF made our own problem in this regard, in that we have not objected to surveillance on the grounds it is immoral, illegal, etc; but on the grounds that it is obtrusive, breaks the tubes, etc...
so, now we are left without a leg to stand on (butt to sit on?) when The They (tm) have nanobots they can deploy up our butt, because they are TOTALLY unobtrusive and unnoticeable, WHAT POSSIBLE OBJECTION COULD YOU HAVE, CITIZEN...
(you should have nothing to hide, blah blah blah...)
[ link to this | view in chronology ]
Re: Re: Re: Re:
Not me! It's much more likely that such nanobots would be introduced through inhalation than anally. :)
[ link to this | view in chronology ]
Re: Re:
Yes, that wasn't just some supermarket, that was Target. And they made their determination based on the kid's purchasing history, not her browsing habits.
The rest of your comment is right, although I think it's a reasonable assumption that the NSA (and CIA and FBI, etc.) have all this data as well.
[ link to this | view in chronology ]
In other words: spam the spammer!
[ link to this | view in chronology ]
Re:
With the right code and properly implemented db, that would make you more trackable.
John's right. Don't browse the web on a cellphone if this can't be tolerated. If you're getting or sending stuff from within intrusive or nosy regimes (who isn't?), you need to know this. If Turn can do it, so can GCHQ & NSA.
[ link to this | view in chronology ]
Re: Re:
Maybe you misunderstood? What I had in mind was something like this:
If the original insert is (simplified for clarity)
/TAG id=1234/
... a few lines, with random ids, could be added beforehand (e.g.):
/TAG id=4321/
/TAG id=3412/
/TAG id=1324/
/TAG id=3142/
....
You get the picture.
Ha, if the plug-in could be pooled to use actual ids, it would confuse the collection no end. (I realise no-one would like to give that away, of course.)
Biggest issue I can see is not being able to control the placement, as the actual tracking id would be either first or last. Don't know offhand of a work-round for this.
Anyway, just a thought experiment, nothing more.
It goes without saying that this behaviour should be abandoned forthright!
[ link to this | view in chronology ]
Re: Re: Re: Re:
(http://webpolicy.org/2015/01/14/turn-verizon-zombie-cookie/)
[ link to this | view in chronology ]
Ayup
[ link to this | view in chronology ]
I am not asked if I want to opt out. Giving a cookie to opt out is meaningless as soon as you clear the cookies for those that won't pay attention to your desires to not be datamined. Most folks don't realize you can whitelist cookies till it's too late and it's gone.
I'm totally fed up with all this spying, datamining, and trying to force ads on you.
[ link to this | view in chronology ]
Re:
The firewall I use on my Android phone (DroidWall) makes this easy to enforce, as you can easily set it up so that specific applications are blocked from using the cell network but can use WiFi.
[ link to this | view in chronology ]
Re: Re:
Thanks for the DroidWall info I will definitely check it out.
[ link to this | view in chronology ]
What this does is to screw up utterly any chance the advertisers have of targeting actual customers as everyone appears to have completely random and arbitrary tastes and everyone they ever meet appears to have visited X and Y sites....
There are android, PC and Mac apps to do just this thing.
It completely renders null and void ALL tracking for advertising purposes by submerging your actual traffic in a vast cesspool of gibberish.
[ link to this | view in chronology ]
VPN
[ link to this | view in chronology ]
Unethical Practices
Tired of your bullshit Verizon :[
[ link to this | view in chronology ]
FCC, where are you?
[ link to this | view in chronology ]