Verizon May Soon Get to Enjoy a Lawsuit Over Its Sneaky Use of Perma-Cookies
from the privacy-schmivacy dept
Over the last few years, Verizon has been ramping up its behavioral tracking efforts via programs like Verizon Selects and its Relevant Mobile Ad system, which track wireless and wireline subscriber web behavior to deliver tailored ads and sell your information to third parties. Unknown until a few weeks ago however was the fact that as part of this initiative, Verizon has started using what many are calling controversial "stealth," "super" or "perma" cookies that track a user's online behavior covertly, without users being able to disable them via browser settings.Lawyer and Stanford computer scientist Jonathan Mayer offered up an excellent analysis noting that Verizon was actively modifying its users' traffic to embed a unique identifier traffic header, or X-UIDH. This header is then read by marketing partners (or hey, anybody, since it's stamped on all of your traffic) who can then build a handy profile of you. It's a rather ham-fisted approach, argues Mayer, who notes that while you can opt-out of Verizon selling your data, you can't opt out of having your traffic embedded with the unique identifier. He also offered up a handy graphic detailing precisely how these headers work:
As the story grew the last few weeks, ProPublica noted that Twitter's mobile advertising arm is already one of several clients using Verizon's "header enrichment" system, though Twitter didn't much want to talk about it. Several tools like this one have popped up since, allowing users to test their wireless connections (note it doesn't work if your cellular device is connected to Wi-Fi, and may be masked by the use of Google Mobile Chrome, Opera Mini, or if viewed through apps like Flipboard).
Kashmir Hill at Forbes also has a great article exploring the ramifications of the system and asked Verizon and AT&T (who has started trials of a similar system) what consumer protections are in place. Both companies proclaimed that the characters in their headers are rotated on a weekly and daily basis to protect user information. But as we've noted time and time again, there's really no such thing as an anonymized data set, and security consultant Ken White argues that only part of the data in the headers is modified, if at all:
"White has been tracked for the past 6 days across 550 miles with a persistent code from both Verizon and AT&T. He has a smartphone with Verizon service and a hotspot with AT&T service. In AT&T’s case, the code has four parts; only one part changes, he says. “It’s like if you were identified by a birth month, a birth year, a birth day, and a zip code, and they remove one of those things,” said White. You’d still be able to reasonably track that person with the other three. Verizon’s code meanwhile hasn’t changed for him, and it’s been almost a week."Amusingly, I remember back in 2008 when concerns about deep packet inspection and behavioral ads were heating up, Verizon declared there really wasn't any need for consumer protections or privacy rules governing such technologies, because, the company claimed, public shame and the oodles of competition in the broadband space would somehow keep them honest:
"A couple of years back during the debate on net neutrality, I made the argument that industry leadership through some form of oversight/self-regulatory model, coupled with competition and the extensive oversight provided by literally hundreds of thousands of sophisticated online users would help ensure effective enforcement of good practices and protect consumers."Yet here we have an example where the behavior Verizon was engaged in was so surreptitious, even some of the best networking and security experts in the business didn't notice Verizon was doing it until two years after the effort was launched. Apparently, holding Verizon accountable is going to take a little more than a public scolding in the town square. The EFF has stated they're taking a look at possible legal action against Verizon for violating consumer privacy law.
Filed Under: behavioral tracking, perma-cookies, spying, tracking
Companies: at&t, verizon