Verizon Strikes $1.35 Million Settlement With FCC Over Its Use Of Stealth 'Zombie Cookies'

from the comes-around-goes-around dept

Last year you'll recall Verizon Wireless found itself in hot water after being caught modifying user packets to insert stealth tracking technology. By embedding each packet with a unique identifier traffic header, or X-UIDH. Verizon and its marketing partners were not only able to ignore user browser preferences and track their behavior around the Internet, they were then able to use this technology to build detailed user profiles. Verizon Wireless launched and operated the technology for two years before security researchers even noticed the program, and it required another six months of public pressure for Verizon to even offer an opt-out option.

According to the FCC's full press announcement (pdf), the fairly measly $1.35 million settlement doesn't stop the program, which likely won't please many privacy advocates. Verizon Wireless will however need to transparently notify users of the system and get their explicit opt-in (a rare dinosaur in online tracking rules) consent before sharing any of this data with third parties. The FCC is quick to highlight how Verizon previously proclaimed the technology couldn't be abused by third parties to build detailed profiles of users -- right before it was.

The FCC's full order (pdf) indicates that the regulator is leaning heavily on both the transparency requirement embedded in the FCC's net neutrality rules, and the agency's authority under Title II of the Communications Act to enforce the settlement:
"Section 222 of the Communications Act imposes a duty on carriers to protect their customers’ proprietary information and use such information only for authorized purposes. It also expressly prohibits carriers that obtain proprietary information from other carriers for the provision of telecommunications services to use such information for any other purpose. Section 8.3 of the Commission’s rules, known as the Open Internet Transparency Rule, requires every fixed and mobile broadband Internet access provider to publicly disclose accurate information regarding the network management practices, performance, and commercial terms of its broadband Internet access services sufficient for consumers to make informed choices regarding use of such services and for content, application, service, and device providers to develop, market, and maintain Internet offerings."
When the FCC reclassified ISPs as common carriers under Title II, ISPs became subject to Title II’s Section 222 privacy protections regarding "customer proprietary network information" (CPNI). That portion of Title II was written specifically for phone companies, so the FCC is planning (prompted in large part by Verizon's behavior) to update the CPNI rules to create new broadband consumer privacy protections. While the FCC politely lauds Verizon's cooperation in the investigation, these kinds of consumer protections are precisely what Verizon was trying to stop when it sued to cripple net neutrality (both in 2010 and again last year).

Granted Verizon could have easily avoided the new privacy rules. It has argued for years that tougher privacy protections for broadband weren't necessary because the industry could self-regulate. And regulators appeared to buy that claim for a while. But Verizon's decision to covertly fiddle with packets and track tens of millions of customers without bothering to tell any of them indicates just how well that plan actually worked in practice.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: fcc, privacy, settlement, zombie cookies
Companies: verizon


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    limbodog (profile), 7 Mar 2016 @ 11:57am

    Fines that low are really just a "cut" of the action.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 7 Mar 2016 @ 11:59am

    and i suppose that's about 1% of the revenue Verizon raked in from the advertising!

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 7 Mar 2016 @ 12:05pm

    Does that even qualify as a slap on the wrist? Hell, does it even qualify as a mildly disapproving frown?

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 7 Mar 2016 @ 12:09pm

    Just blink to "opt in".

    There, that wasn't so hard, was it?

    link to this | view in thread ]

  5. identicon
    DCL, 7 Mar 2016 @ 12:19pm

    How long before...

    ... we find out it was actually a government requested/mandated security/tracking program under guise of a advertising revenue stream.

    Think of the children!

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 7 Mar 2016 @ 12:22pm

    Where is my cut?

    I am a Verizon customer... why is it that I first get fucked by Verizon and then the FTC gets to profit while I still got fucked without any compensation?

    I know a lot of you tech dirter's like your government institutions but I have yet to see much of a benefit to all of these "regulations". I have however, notice a whole lot of monopolies and poor service with little choice in the market however.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 7 Mar 2016 @ 12:28pm

    The first rule of how to run a business today is ..

    .. do not get caught.

    link to this | view in thread ]

  8. icon
    That One Guy (profile), 7 Mar 2016 @ 12:29pm

    Hit hard or don't bother

    If the $1.35 million ended up being so much as 5% of what they gained from selling the data I would be greatly surprised, which means that the FCC might as well not have even bothered. What possible reason does Verizon have not do do the same thing in the future with a fine this pathetic after all, it's basically just a cost of business, a minuscule cost that ever so slightly lessens the profits gained.

    No, if the FCC or other similar agencies want to provide some real incentive for companies to follow the rules then they need to use a percentage based fine system, and start at 100%. If companies know that the absolutely smallest fine for violations will leave them no better off than before should they be caught, in addition to any other penalties, then they might care, but as it stands the penalties and motivations are entirely on the side of breaking as many of the rules as they can and then just paying the laughable fines should they get caught.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 7 Mar 2016 @ 12:30pm

    Re: The first rule of how to run a business today is ..

    2nd rule is to lobby for laws and fines that make it still profitable to break the law.

    Verizon breaks the law, Government profits, Citizens still wronged and not give any compensation. I am seeing a patternhere.

    link to this | view in thread ]

  10. icon
    Ninja (profile), 7 Mar 2016 @ 12:34pm

    $1.35 million settlement

    Maybe I'm wrong but with such a detailed mining method they probably made much more than that. This is almost like punishing a kid for eating too much cake by giving them more cake.

    Verizon Wireless will however need to transparently notify users of the system and get their explicit opt-in (a rare dinosaur in online tracking rules) consent before sharing any of this data with third parties.

    Oh yes, I'd be delighted to have the privilege of being thoroughly tracked online while my data is subject to "outstanding" security practices. They'll need to word their "transparent notification" eloquently to get users to opt in to such thing. Then again how many tool bars have I seen installed on computers of the world?

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 7 Mar 2016 @ 12:35pm

    Re: Hit hard or don't bother

    No fines! not even a $1.

    Jail Time, nothing other than Jail Time. Fines serve as nothing more than a catalyst for government to ignore a problem long enough to ensure that they catch them do just enough damage for citizens to ignorantly feel good about it while the company laughs all the way to bank shaking the had that fined them for their generosity.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 7 Mar 2016 @ 12:45pm

    New Rule

    If you get caught by the cops for robbing a bank, you must share some of the loot with the cops.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 7 Mar 2016 @ 12:53pm

    Re:

    Maybe I'm wrong but with such a detailed mining method they probably made much more than that. This is almost like punishing a kid for eating too much cake by taking a very small bite of the cake.

    Correction

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 7 Mar 2016 @ 12:59pm

    I would almost guarantee Facebook uses something similar. Sometime in the middle of a Facebook session, try turning cookies off. Facebook will almost immediately log you off.

    You are the product when it comes to Facebook, and the moment they can't track your every move, they will shut you out. Not the kind of "free" application I'm interested in.

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 7 Mar 2016 @ 1:34pm

    So as a Verizon user who has been affected by this terrible thing, how much money am I going to see from this settlement?

    link to this | view in thread ]

  16. icon
    James T (profile), 7 Mar 2016 @ 1:48pm

    What happens to the data collected?

    As far as I can concerned any existing data in Verizon's direct or indirect control should be deleted.

    link to this | view in thread ]

  17. identicon
    Kronomex, 7 Mar 2016 @ 2:28pm

    $1.35M, that must be about 0.001% of their yearly profit. What an effect that will have on their bottom line. It's a joke.

    link to this | view in thread ]

  18. icon
    Jeremy2020 (profile), 7 Mar 2016 @ 3:12pm

    Re:

    don't worry, they'll tack on a new under the line fee for it...so the fine being this small is a huge benefit to Verizon Customers that were affected by this issue!

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 7 Mar 2016 @ 6:46pm

    Re: New Rule

    unfortunately, its not new.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 7 Mar 2016 @ 7:47pm

    Re: Hit hard or don't bother

    hopefully there is a larger game afoot and the ftc is just flexing its muscles and setting legal president under the new laws. by charging this little they get a president they can then use as a hammer later for real fines that verizon may actually want to fight about. but then again reading to much techdirt has shaken my faith in humanity.

    link to this | view in thread ]

  21. identicon
    Wendy Cockcroft, 8 Mar 2016 @ 7:30am

    Re: Where is my cut?

    Well I've noticed that the much-vaunted market has utterly failed to correct itself; the choice being between "take it" or "leave it."

    Funny, that.

    link to this | view in thread ]

  22. icon
    John Fenderson (profile), 9 Mar 2016 @ 6:59am

    Re:

    The difference is that you can turn your cookies off and have it be effective with Facebook.

    With ISPs, cookies don't enter into it. Verizon, for example, was tagging the traffic itself in a manner that you had little control over. Facebook cannot technically do this sort of thing. You have to be an ISP to pull it off.

    link to this | view in thread ]

  23. identicon
    Fone home, 30 Mar 2017 @ 7:30pm

    Re: Re:

    When you own your own datacenters, does it even matter that you're not an ISP?

    link to this | view in thread ]

  24. identicon
    Anonymous Coward, 15 May 2019 @ 2:30am

    Win cookies or fountain drink by participating in the global subway customer survey at https://www.globalsubwaylistens.com/

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.