Turn Temporarily Pauses Their Use Of Verizon's Sneaky 'Zombie' Cookie
from the we-love-privacy-so-much-we're-killing-it dept
Last week we noted how an ad clearinghouse company by the name of Turn was found to be abusing Verizon's sneaky new stealth cookie, just a few months after Verizon claimed their new technology couldn't be abused by third parties. Verizon's basically modifying wireless user traffic streams and injecting a unique identifier traffic header, or UIDH. This header allows Verizon (and any third-party website that uses it) to track, collect and broadcast your online behaviors regardless of browser settings, and while Verizon's opt-out preferences opt you out of behavioral ads, they don't stop Verizon from fiddling with your traffic.
A great investigation by ProPublica found that Turn had been using Verizon's header for some time to re-enable cookie tracking, and that Turn's opt-out functionality didn't work either (despite repeated claims that it did). Turn initially penned a blog post that tried to downplay the story by claiming it was "disappointed" in ProPublica for failing to "educate the public." With that clearly not working, Turn has now posted a second blog entry that states it's suspending the program for "re-evaluation." As with so many PR responses, Turn just can't help itself when it comes to insisting this is still largely a matter of ProPublica being misleading and the public being confused:
"We appreciate the opportunity that Ms. Angwin provided us to discuss the method prior to publishing her and Mr. Migas's story. While we were disappointed with certain inaccuracies in the story and missed opportunities to further educate the public, we value the work that ProPublica is doing to bring attention to the broad issues of data privacy. Had Mr. Mayer offered us the same opportunity, we could also have helped to address some of the inaccuracies and misconceptions evident in his piece. I'm a strong believer in the power of direct dialogue and I have reached out to Mr. Mayer so that it can begin."
In other words, we're so in love with consumer privacy we've been helping pioneer a technology that helps make consumer privacy choices entirely moot! Verizon meanwhile continues to happily modify user traffic, and when the company can be bothered to address concerns about the program, it largely tries to lay the blame at the foot of other companies for using Verizon's technology. Verizon's program FAQ, for example, implies that everything would be fine if companies would just use Verizon's UIDH header as it intended:
"Recent news reports have raised concerns about how TURN is using the UIDH for purposes outside of Verizon's advertising programs. TURN has announced its intent to discontinue this practice and we will work with other partners to ensure that their use of UIDHs is consistent with the purposes we intended."
Of course Turn is just one company, and since the UIDH is broadcast to every site and service a Verizon Wireless user visits, there will soon be a large number of other companies (many impervious to public outrage) joining the party. The EFF continues to urge Verizon to shutter the program, and Verizon pretty clearly continues to not give a damn.
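The mechanism the post describes (a carrier-injected header that survives cookie clearing and so lets a site re-create a deleted cookie) can be spotted from the receiving side. The following is an added example, not code from Techdirt, Verizon or Turn: it parses raw HTTP request heads, looks for the X-UIDH header, and reports identifiers that were seen alongside more than one cookie state. The header list and all sample requests are constructed for illustration.

```python
from collections import defaultdict

# Header names treated as carrier-injected tracking identifiers. X-UIDH is the
# Verizon header the article discusses; the set itself is an assumption here.
TRACKING_HEADERS = {"x-uidh"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into its request line and a dict of
    headers keyed by lowercased name (HTTP header names are case-insensitive)."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}


def injected_tracking_ids(req):
    """Return the tracking headers present on one parsed request."""
    return {n: v for n, v in req["headers"].items() if n in TRACKING_HEADERS}


def find_zombie_identifiers(raw_requests):
    """Group requests by tracking-header value and keep identifiers seen with
    more than one distinct Cookie header (including no cookie at all). Such an
    identifier outlives cookie clearing, which is exactly what lets a third
    party re-create a deleted cookie: the 'zombie' behaviour described above."""
    cookies_seen = defaultdict(set)
    for raw in raw_requests:
        req = parse_request(raw)
        cookie = req["headers"].get("cookie", "")
        for name, value in injected_tracking_ids(req).items():
            cookies_seen[(name, value)].add(cookie)
    return {key: sorted(c) for key, c in cookies_seen.items() if len(c) > 1}


# Constructed sample traffic (not real captures): one subscriber clears cookies
# between visits, yet the carrier stamps the same X-UIDH on every request.
SAMPLE_REQUESTS = [
    "GET /ad HTTP/1.1\r\nHost: ads.example\r\nCookie: id=abc123\r\nX-UIDH: constructed-uidh-1\r\n\r\n",
    "GET /ad HTTP/1.1\r\nHost: ads.example\r\nX-UIDH: constructed-uidh-1\r\n\r\n",
    "GET /ad HTTP/1.1\r\nHost: ads.example\r\nCookie: id=zzz999\r\nx-uidh: constructed-uidh-1\r\n\r\n",
    "GET /ad HTTP/1.1\r\nHost: ads.example\r\nCookie: id=qqq777\r\nX-UIDH: constructed-uidh-2\r\n\r\n",
]

if __name__ == "__main__":
    for (name, value), cookies in find_zombie_identifiers(SAMPLE_REQUESTS).items():
        print(f"{name}={value} seen with {len(cookies)} cookie states: {cookies}")
```

Run against a real server log the same grouping shows a site operator which of its visitors arrive pre-tagged, and an opt-out that leaves the header in place will still be visible here.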
Filed Under: privacy, zombie cookie
Companies: turn, verizon
Reader Comments
Had ProPublica properly "educated" the public then their abuse of Verizon's UIDH would not have been exposed and Turn would still be turning a profit by spying upon Verizon users. I'm surprised they have not claimed this to be felony interference with a business model.
Verizon
Please publish the UIDH for all your executives and board members. Thanks in advance.
I believe them
Note also that Verizon is doubtless being paid to provide this zombie cookie and has a profit motive to keep it functioning.
Re: I believe them
What's their motto?
Re:
DM: "Make a stealth check."
Verizon: Rolls a 1 - critical failure.
DM: "You fail. ProPublica discovers the cookie and announces its presence to the world. That is the end of the round. Next turn."
Turn: "Yes!"
DM: "Dammit, you named yourself Turn just to mess with us, didn't you?"
Turn: "Absolutely!"
DM: "Well, it's Turn's turn anyway. So what are you going to do?"
Turn: "I'm going to cast... Turn Undead! Teeheehee!"
DM: "Groan! That joke was old the first time you used it, Turn. OK, roll to see if you succeed."
Turn: Rolls a 1 - critical failure.
DM: "Your attempt to turn the zombie cookie fails. The public knows and mocks you for it."
Turn: "That's OK, I was really doing it for their safety. Not to dominate them or anything."
DM: "Roll your bluff check."
Turn: "But, I'm not bluffing!"
DM: "Yes you are. I'm not an idiot. You do this all the time, griefer."
Turn: *sigh* "Very well..."
Re: Re:
If it can be abused, it WILL be abused.
What irritates me about Turn's response
They say this as if that's actually a reasonable solution that resolves any issues for people who don't want to be spied on. It does not. The industry tools to opt-out are wholly inadequate, and intentionally so. To point to them as if it were some sort of validation is disingenuous.
Almost as disingenuous as implying that if everyone were just "educated" then nobody would have a problem with what they were doing.
X-UIDH Firefox plugin?
I'm beginning to think that's the way to deal with all problems of this nature. If we all listened all the way through for "Rachel from Cardholder Services" to finish her spiel, and then pressed 1 and waited for a "service" rep, and then led that service rep on for a while, maybe while making rude noises, all phone spam would be useless. Similarly, if all accused people held out for a jury trial, we'd see some legal reform pronto. Everyone who's capable should run SMTP or HTTP or WordPress or Joomla honeypots, so that all petty cybercriminals would get bogged down in false hacking attempts.
Re: X-UIDH Firefox plugin?
This is actually a pretty common thing already.
As a side-note, I did something a bit similar to this when I used to run a reasonably popular website: I included honeypot email addresses that weren't visible to actual users but were visible to bots. When email got sent to any of the honeypot addresses, it was guaranteed to be spam and was used to refine my spam filters.
Re: X-UIDH Firefox plugin?
If it doesn't overwrite or validate an already-present UIDH, sending a fake one would be trivial with plugins (or better, a localhost proxy so that all apps making http requests would be taken care of at once).
Honestly, the patent https://www.google.com/patents/US8763101 almost certainly answers this question... but I can't bring myself to muddle through the 90% of it that is nothing but legal ambiguity and obfuscation. Hell, I'm surprised there aren't any references to "reversing the polarity to generate a tachyon field."
Re: Re: X-UIDH Firefox plugin?
I finally decided to crank up a hotspot on a Verizon phone and connect through it. Started up Fiddler and made a request for a page that spits back the request headers. Verizon had added an X-UIDH. OK. I built an identical request, but with an X-UIDH: header added in with a value of "gibberish". It didn't make it. The destination page response showed my X-UIDH: as "MTkxNzE2ODc...," same as the original request. Same results using variations on a theme.