Verizon Finally Buckles, Will Allow A Total Opt Out From Sneaky Super Cookies

from the that-only-took-two-years-and-four-months dept

Mon, Feb 2nd 2015 1:33pm — Karl Bode

It took a while, but Verizon appears to finally have gotten the message that consumers don't like companies fiddling with their traffic and ignoring all of their privacy preferences (weird, right?). The wireless carrier has taken heat for several months now for its practicing of embedding all wireless user traffic with a unique identifier traffic header (or UIDH). That header was intended to help Verizon track user online behavior via its own programs, but because it's transmitted for everyone to see, the potential for abuse was high and -- despite Verizon's claims to the contrary -- it pretty quickly wound up being abused.

One of the biggest problems with the program (aside from modifying user traffic to begin with) was that if a user opted out of Verizon's program, they were only able to opt out of personalized ad delivery -- not the embedding of the UIDH. After months of staying largely mute on the subject, Verizon has issued a statement saying that its opt-out service will actually work -- sometime "soon":

"Verizon takes customer privacy seriously and it is a central consideration as we develop new products and services. As the mobile advertising ecosystem evolves, and our advertising business grows, delivering solutions with best-in-class privacy protections remains our focus. We listen to our customers and provide them the ability to opt out of our advertising programs. We have begun working to expand the opt-out to include the identifier referred to as the UIDH, and expect that to be available soon. As a reminder, Verizon never shares customer information with third parties as part of our advertising programs."

Again, you're not "taking customer privacy seriously" when you develop and use a system that not only makes all of their privacy choices completely irrelevant, but broadcasts their online behavior for any unethical nitwit to abuse. That would, by fairly strict definition, be not taking consumer privacy seriously.

While not engaging in this practice at all (or requiring that users opt in) would be a preferred solution, functional opt out would at least be an improvement, though it still raises questions about what kind of privacy protections need to be in place to prevent us from playing Whac-a-Mole with an endless parade of bad ideas just like this one. Back in 2008, Verizon stated that the wireless industry didn't really need consumer privacy protections because public shame would keep them honest; though it's worth repeating that this program was in play for two years before security researchers even noticed it. It stumbled forth another four months before Verizon finally stated it would do something about it -- eventually.

Verizon's decision came a day after the company received a letter from the Committee on Commerce, Science and Transportation asking for more details on the program. So while the company's hoping to avoid tougher consumer protections (like oh, any location data privacy protections whatsoever or Title II), it's once again proving quite clearly why we actually need someone guarding the privacy henhouse with notably sharper teeth.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: opt-out, privacy, super cookies, uidh, zombie cookies
Companies: turn, verizon

15 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 2 Feb 2015 @ 1:46pm

Because you can totally trust them now, and besides it's not like it was super easy to track by 3rd parties or anything /s
[ link to this | view in chronology ]
- Anonymous Coward, 2 Feb 2015 @ 1:47pm
  
  Re:
  Oh, and FYI it's OPT-IN by default
  [ link to this | view in chronology ]
sigalrm (profile), 2 Feb 2015 @ 2:00pm

Sure you can opt out...
However, due to "network" requirements, a unique, per-device super-opt-out cookie will be required for all users opting out, and will be added to your network traffic to ensure all advertisers know that you've opted out.
[ link to this | view in chronology ]
Anonymous Coward, 2 Feb 2015 @ 2:04pm

This wouldn've been big news if "Verizon allows a total opt-IN".
[ link to this | view in chronology ]
Anonymous Coward, 2 Feb 2015 @ 2:13pm

until the next time
[ link to this | view in chronology ]
Anonymous Coward, 2 Feb 2015 @ 2:23pm

I find it despicable that I'm paying over $50 a month for Verizon service. Yet Verizon feels that money is not enough. So they take my money plus sell my personal web browsing history to advertisers and allow every webpage I visit to uniquely identify me.

To top it all off. Verizon makes this backstabbery opt out, instead of it being opt in. So I'm getting backstabbed by default, and I'm paying money for this privilege.

For a company that claims to take customer privacy very seriously. I feel like we had to twist Verizon's arm to the point where we almost broke it, before Verizon allowed customers the privilege to opt out of having their privacy violated.

This is one more reason why words coming from mega corporates have absolutely no meaning or value to me. Every time I see their lips move, I automatically assume I'm being lied to.
[ link to this | view in chronology ]
- merica, 2 Feb 2015 @ 9:46pm
  
  Re:
  Does nobody in the USA have the power to shut them down, Verizon and Comcast...seriously when a company has proven beyond doubt many times that they are corrupt they need to be prevented from staying in business.
  [ link to this | view in chronology ]
Anonymous Coward, 2 Feb 2015 @ 3:39pm

But I like playing Whack-A-Mole
[ link to this | view in chronology ]
Doug (profile), 2 Feb 2015 @ 8:36pm

Translation
From marketing-speak to English:

"Verizon wants you to construe this remark about privacy to mean that we care about privacy, and privacy is considered in a small but unprovable way as we develop new products and services for which the primary concern is how much revenue they generate. As we figure out how to wring more and more advertising revenue out of sneakily providing your eyeballs to third parties, we'll talk about protecting your privacy maybe about as well as, but not more than any other mobile service provider. We listen when our customers complain enough that our shenanigans end up in the media, and we trot out a hypothetical and teeny tiny band-aid that we can point to so we can say we're responding to them without lying but without actually making any real changes. Oh, we haven't actually done anything. That band-aid is a promise we won't be obligated to keep and we hope that when we don't keep it no one will be paying attention anymore. As a reminder, Verizon never shares customer information with third parties as part of our advertising programs, because they can figure that part out by themselves."
[ link to this | view in chronology ]
Ninja (profile), 3 Feb 2015 @ 1:23am

NOTHING should be opt-out. Everything should be OPT-IN. Still it's better than "NO OPT" at all.
[ link to this | view in chronology ]
jilocasin (profile), 3 Feb 2015 @ 7:49am

Just like Do Not Track header....
Just like the arguments presented by the marketing side in the Do Not Track header fiasco.

Verizon was pushing the Opt-Out only means opting out of targeted advertising, the marketers were pushing the view that Do Not Track didn't _actually_ mean _do_not_track_, it _really_ meant just don't serve targeted ads.

Until the FCC, or some other government agency starts punishing companies for these shenanigans, it's just going to keep on happening.

Of course, we shouldn't be too quick to claim victory, as I still haven't seen just _HOW_ people will be able to opt-out, and if it will _actually_ work the way normal people expect it to.

(p.s. For those of you who would suggest that _market_forces_ will keep companies honest, you are either disingenuous or you haven't been paying attention. Most users don't have a choice, or if there is one, all of the other choices are doing the same thing. A profitable race to the bottom that only regulation [good consumer protecting regulation] can address. )
[ link to this | view in chronology ]
John Fenderson (profile), 3 Feb 2015 @ 8:57am

I hardly call that "buckling"
Rather, it's a relatively small concession that was begrudgingly given. Buckling would be eliminating the tracking altogether (and would have been the right thing for them to do). An acceptable compromise would have been to make the thing opt-in (which is how all these things should be). Making it possible to opt-out is better than nothing, but not anything like actually giving up their intent to spy on all of the people using Verizon.
[ link to this | view in chronology ]
Josh in CharlotteNC (profile), 3 Feb 2015 @ 10:30am

This whole saga is a perfect example of what happens when there is an intended security vulnerability in a product. If there is a security hole for one thing, it absolutely will be found and used for other things.

It relates perfectly to our discussions on encryption and "golden keys". Government wants a backdoor to an encryption scheme? That's a backdoor for everyone else, too - and they'll find it and use it. It might be some advertiser trying to track you to make a buck. It might be an organized crime doing identity theft. It might be a hostile government's intelligence service.
[ link to this | view in chronology ]
GEMont (profile), 3 Feb 2015 @ 1:13pm

Addendum
"Verizon Finally Buckles, Will Allow A Total Opt Out From Old Sneaky Super Cookies, because they now use the New Sneakier Super Surveillance Cookies that were just, secretly initiated."
[ link to this | view in chronology ]
tqk (profile), 3 Feb 2015 @ 8:11pm

Is this Newspeak or something?
As the mobile advertising ecosystem evolves, and our advertising business grows ...

Huh. I thought they were an ISP/Telco, or at least something like that. Why are all you Verizon users signing up to an advertising business? That's just wierd.
[ link to this | view in chronology ]