Turn Temporarily Pauses Their Use Of Verizon's Sneaky 'Zombie' Cookie

from the we-love-privacy-so-much-we're-killing-it dept

Tue, Jan 20th 2015 3:41pm — Karl Bode

Last week we noted how an ad clearinghouse company by the name of Turn was found to be abusing Verizon's sneaky new stealth cookie, just a few months after Verizon claimed their new technology couldn't be abused by third parties. Verizon's basically modifying wireless user traffic streams and injecting a unique identifier traffic header, or UIDH. This header allows Verizon (and any third-party website that uses it) to track, collect and broadcast your online behaviors regardless of browser settings, and while Verizon's opt-out preferences opt you out of behavioral ads, they don't stop Verizon from fiddling with your traffic.

A great investigation by ProPublica found that Turn had been using Verizon's header for some time to re-enable cookie tracking, and that Turn's opt-out functionality didn't work either (despite repeated claims that it did). Turn initially penned a blog post that tried to downplay the story by claiming it was "disappointed" in ProPublica for failing to "educate the public." With that clearly not working, Turn has now posted a second blog entry that states it's suspending the program for "re-evaluation." As with so many PR responses, Turn just can't help itself when it comes to insisting this is still largely a matter of ProPublica being misleading and the public being confused:

"We appreciate the opportunity that Ms. Angwin provided us to discuss the method prior to publishing her and Mr. Migas’s story. While we were disappointed with certain inaccuracies in the story and missed opportunities to further educate the public, we value the work that ProPublica is doing to bring attention to the broad issues of data privacy. Had Mr. Mayer offered us the same opportunity, we could also have helped to address some of the inaccuracies and misconceptions evident in his piece. I’m a strong believer in the power of direct dialogue and I have reached out to Mr. Mayer so that it can begin."

In other words, we're so in love with consumer privacy we've been helping pioneer a technology that helps make consumer privacy choices entirely moot! Verizon meanwhile continues to happily modify user traffic, and when the company can be bothered to address concerns about the program, it largely tries to lay the blame at the foot of other companies for using Verizon's technology. Verizon's program FAQ, for example, implies that everything would be fine if companies would just use Verizon's UIDH header as it intended:

"Recent news reports have raised concerns about how TURN is using the UIDH for purposes outside of Verizon's advertising programs. TURN has announced its intent to discontinue this practice and we will work with other partners to ensure that their use of UIDHs is consistent with the purposes we intended."

Of course Turn is just one company, and since the UIDH is broadcast to every site and service a Verizon Wireless user visits, there will soon be a large number of other companies (many impervious to public outrage) joining the party. The EFF continues to urge Verizon to shutter the program, and Verizon pretty clearly continues to not give a damn.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: privacy, zombie cookie
Companies: turn, verizon

17 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 20 Jan 2015 @ 3:54pm

Evidently Title II can't come soon enough.
[ link to this | view in chronology ]
Anonymous Coward, 20 Jan 2015 @ 4:24pm

Since this is all something that happens on their servers, how do we know that they've truly discontinued the practice? How would Verizon, for that matter?
[ link to this | view in chronology ]
Anonymous Coward, 20 Jan 2015 @ 4:51pm

Let's see if I understand this correctly ...
Had ProPublica properly "educated" the public then their abuse of the Verizon's UIDH would not have been exposed and Turn would still be turning a profit by spying upon Verizon users. I'm surprised they have not claimed this to be felony interference with a business model.
[ link to this | view in chronology ]
RR, 20 Jan 2015 @ 6:49pm

Verizon
Dear Verizon,
Please publish the UIDH for all your executives and board members. Thanks in advance.
[ link to this | view in chronology ]
Anonymous Coward, 20 Jan 2015 @ 7:53pm

To better nsa you with
[ link to this | view in chronology ]
Applesauce, 20 Jan 2015 @ 8:36pm

I believe them
Turn CLAIMS TO temporarily pause their use of Verizon's Zombie cookie.
Note also that Verizon is doubtless being paid to provide this zombie cookie and has a profit motive to keep it functioning.
[ link to this | view in chronology ]
- Anonymous Coward, 20 Jan 2015 @ 10:40pm
  
  Re: I believe them
  Which is why everyone involved should be fired and jailed for stalking, harrassment and illegal wiretapping.
  [ link to this | view in chronology ]
Pixelation, 20 Jan 2015 @ 10:11pm

What's their motto?
A Turn for the worse.
[ link to this | view in chronology ]
Anonymous Coward, 21 Jan 2015 @ 3:12am

Somebody'd better make a D&D joke soon.
[ link to this | view in chronology ]
- Zonker, 21 Jan 2015 @ 11:13am
  
  Re:
  Verizon: "I want to sneak this zombie cookie past users of our internet service."
  DM: "Make a stealth check."
  Verizon: Rolls a 1 - critical failure.
  DM: "You fail. ProPublica discovers the cookie and announces its presence to the world. That is the end of the round. Next turn."
  Turn: "Yes!"
  DM: "Dammit, you named yourself Turn just to mess with us, didn't you?"
  Turn: "Absolutely!"
  DM: "Well, it's Turn's turn anyway. So what are you going to do?"
  Turn: "I'm going to cast... Turn Undead! Teeheehee!"
  DM: "Groan! That joke was old the first time you used it, Turn. OK, roll to see if you succeed."
  Turn: Rolls a 1 - critical failure.
  DM: "Your attempt to turn the zombie cookie fails. The public knows and mocks you for it."
  Turn: "That's OK, I was really doing it for their safety. Not to dominate them or anything."
  DM: "Roll your bluff check."
  Turn: "But, I'm not bluffing!"
  DM: "Yes you are. I'm not an idiot. You do this all the time, griefer."
  Turn: *sigh* "Very well..."
  [ link to this | view in chronology ]
  - Anonymous Coward, 21 Jan 2015 @ 11:45pm
    
    Re: Re:
    Thank you, Sir Zonker. Puns and wordplay (even -- nay, especially -- the most obvious and painful) must be recognized and invoked, lest they fester and grow too powerful in the dark recesses of our minds. I was not up to the task, unable to muster a single comment that didn't make overly clumsy use of the word "cleric." You sir, have saved us all.
    [ link to this | view in chronology ]
Anonymous Coward, 21 Jan 2015 @ 5:05am

How many times does it need to be said?
If it can be abused, it WILL be abused.
[ link to this | view in chronology ]
John Fenderson (profile), 21 Jan 2015 @ 7:34am

What irritates me about Turn's response
They did it in their first blog post and again in the new one, talking about opting out:

That choice can be made via our website, or via industry tools like the NAI or the DAA opt-out pages, including eDAA and DAA Canada.

They say this as if that's actually a reasonable solution that resolves any issues for people who don't want to be spied on. It does not. The industry tools to opt-out are wholly inadequate, and intentionally so. To point to them as if it were some sort of validation is disingenuous.

Almost as disingenuous as implying that if everyone were just "educated" then nobody would have a problem with what they were doing.
[ link to this | view in chronology ]
Edward Teach, 21 Jan 2015 @ 10:51am

X-UIDH Firefox plugin?
Does a firefox plug-in exist that inserts randomly-generated X-UIDH headers into outgoing HTTP requests? Given that we don't know which corporate entities look for and use X-UIDH headers, if everyone generated them randomly, all of the "cookies" would be useless.

I'm beginning to think that's the way to deal with all problems of this nature. If we all listen all the way through for "Rachel from Carholder Services" to finish her spiel, and then pressed 1 and waited for a "service" rep, and then led that service rep on for a while, maybe while making rude noises, all phone spam would be useless. Similarly, if all accused people held out for a jury trial, we'd see some legal reform pronto. Everyone who's capable should run SMTP or HTTP or WordPress or Joomla honeypots, so that all petty cybercriminals would get bogged down in false hacking attempts.
[ link to this | view in chronology ]
- John Fenderson (profile), 21 Jan 2015 @ 11:29am
  
  Re: X-UIDH Firefox plugin?
  "Everyone who's capable should run SMTP or HTTP or WordPress or Joomla honeypots, so that all petty cybercriminals would get bogged down in false hacking attempts."
  
  This is actually a pretty common thing already.
  
  As a side-note, I did something a bit similar to this when I used to run a reasonably popular website: I included honeypot email addresses that weren't visible to actual users but were visible to bots. When email got sent to any of the honeypot addresses, it was guaranteed to be spam and was used to refine my spam filters.
  [ link to this | view in chronology ]
- Anonymous Coward, 22 Jan 2015 @ 1:02am
  
  Re: X-UIDH Firefox plugin?
  There are quite a few descriptions of the UIDH system out there (although a lot of discussion focuses on how orgs like Turn abuse it, rather than Verizon's injection of it), but one thing still confuses me. Since Verizon inserts the X-UIDH header downstream, does it simply overwrite a pre-existing X-UIDH since such a header would almost certainly have been added by the user as a dummy value?
  
  If it doesn't overwrite or validate an already-present UIDH, sending a fake one would be trivial with plugins (or better, a localhost proxy so that all apps making http requests would be taken care of at once).
  
  Honestly, the patent https://www.google.com/patents/US8763101 almost certainly answers this question... but I can't bring myself to muddle through the 90% of it that is nothing but legal ambiguity and obfuscation. Hell, I'm surprised there aren't any references to "reversing the polarity to generate a tachyon field."
  [ link to this | view in chronology ]
  - [more...], 22 Jan 2015 @ 1:52am
    
    Re: Re: X-UIDH Firefox plugin?
    Well, poisoning the well with spoofed UIDHs sent via non-Verizon connections will help. Actual Verizon connections, though, aren't that easy.
    
    I finally decided to crank up a hotspot on a Verizon phone and connect thru it. Started up Fiddler and made a request for a page that spits back the request headers. Verizon had added an X-UIDH. OK. I built an identical request, but with an X-UIDH: header added in with a value of "gibberish". It didn't make it. The destination page response showed my X-UIDH: as "MTkxNzE2ODc...," same as the original request. Same results using variations on a theme.
    [ link to this | view in chronology ]