Verizon Finally Buckles, Will Allow A Total Opt Out From Sneaky Super Cookies

from the that-only-took-two-years-and-four-months dept

It took a while, but Verizon appears to finally have gotten the message that consumers don't like companies fiddling with their traffic and ignoring all of their privacy preferences (weird, right?). The wireless carrier has taken heat for several months now for its practicing of embedding all wireless user traffic with a unique identifier traffic header (or UIDH). That header was intended to help Verizon track user online behavior via its own programs, but because it's transmitted for everyone to see, the potential for abuse was high and -- despite Verizon's claims to the contrary -- it pretty quickly wound up being abused.

One of the biggest problems with the program (aside from modifying user traffic to begin with) was that if a user opted out of Verizon's program, they were only able to opt out of personalized ad delivery -- not the embedding of the UIDH. After months of staying largely mute on the subject, Verizon has issued a statement saying that its opt-out service will actually work -- sometime "soon":

"Verizon takes customer privacy seriously and it is a central consideration as we develop new products and services. As the mobile advertising ecosystem evolves, and our advertising business grows, delivering solutions with best-in-class privacy protections remains our focus. We listen to our customers and provide them the ability to opt out of our advertising programs. We have begun working to expand the opt-out to include the identifier referred to as the UIDH, and expect that to be available soon. As a reminder, Verizon never shares customer information with third parties as part of our advertising programs."

Again, you're not "taking customer privacy seriously" when you develop and use a system that not only makes all of their privacy choices completely irrelevant, but broadcasts their online behavior for any unethical nitwit to abuse. That would, by fairly strict definition, be not taking consumer privacy seriously.

While not engaging in this practice at all (or requiring that users opt in) would be a preferred solution, functional opt out would at least be an improvement, though it still raises questions about what kind of privacy protections need to be in place to prevent us from playing Whac-a-Mole with an endless parade of bad ideas just like this one. Back in 2008, Verizon stated that the wireless industry didn't really need consumer privacy protections because public shame would keep them honest; though it's worth repeating that this program was in play for two years before security researchers even noticed it. It stumbled forth another four months before Verizon finally stated it would do something about it -- eventually.

Verizon's decision came a day after the company received a letter from the Committee on Commerce, Science and Transportation asking for more details on the program. So while the company's hoping to avoid tougher consumer protections (like oh, any location data privacy protections whatsoever or Title II), it's once again proving quite clearly why we actually need someone guarding the privacy henhouse with notably sharper teeth.

Filed Under: opt-out, privacy, super cookies, uidh, zombie cookies
Companies: turn, verizon

AT&T Quietly Backs Away From Its Use of Sneaky Super Cookies

from the you're-the-product----and-the-guinea-pig dept

As we noted a few weeks ago, Verizon and AT&T recently began utilizing a controversial new snoopvertising method that involves meddling with user traffic to insert a unique identifier traffic header, or X-UIDH. This header is then read by marketing partners to track your behavior around the Internet, which Verizon and AT&T then hope to sell to marketers and other third parties. In addition to the fact they're modifying user traffic, these headers can also be read by third parties -- even if customers opt out from carrier-specific programs.

After the practice received heat from security experts and groups like the EFF, AT&T has since announced they're backing away from the practice. AT&T insists that unlike Verizon (who has been using this technology commercially for two years with clients like Twitter), AT&T's implementation was only a trial. That trial is now complete, insists AT&T, and while they may return to the practice -- AT&T promises it will be somehow modified so user information isn't broadcast and opting out actually works:

"AT&T says it has stopped its controversial practice of adding a hidden, undeletable tracking number to its mobile customers' Internet activity. "It has been phased off our network," said Emily J. Edmonds, an AT&T spokeswoman....AT&T said it used the tracking numbers as part of a test, which it has now completed. Edmonds said AT&T may still launch a program to sell data collected by its tracking number, but that if and when it does, "customers will be able to opt out of the ad program and not have the numeric code inserted on their device."

The EFF confirms that the appearance of the header has indeed declined on AT&T's network. But while AT&T appears to have smelled the looming lawsuit on the wind, Verizon so far has stood tough on their use of the technology. Verizon says that the company's program continues but as with any program, Verizon is "constantly evaluating." Years ago when Verizon was fighting tougher privacy rules, the company proclaimed that "public shame" would keep them honest.

This particular privacy abuse took two years for savvy network engineers and security consultants to even spot, and so far there's no indication that two weeks of public scolding have done anything to thwart Verizon's ambitions. Cue the class actions and regulatory wrist slaps.

Filed Under: permacookies, privacy, super cookies, tracking
Companies: at&t, verizon