Verizon Strikes $1.35 Million Settlement With FCC Over Its Use Of Stealth 'Zombie Cookies'
from the comes-around-goes-around dept
Last year you'll recall Verizon Wireless found itself in hot water after being caught modifying user packets to insert stealth tracking technology. By embedding each packet with a unique identifier traffic header, or X-UIDH. Verizon and its marketing partners were not only able to ignore user browser preferences and track their behavior around the Internet, they were then able to use this technology to build detailed user profiles. Verizon Wireless launched and operated the technology for two years before security researchers even noticed the program, and it required another six months of public pressure for Verizon to even offer an opt-out option.According to the FCC's full press announcement (pdf), the fairly measly $1.35 million settlement doesn't stop the program, which likely won't please many privacy advocates. Verizon Wireless will however need to transparently notify users of the system and get their explicit opt-in (a rare dinosaur in online tracking rules) consent before sharing any of this data with third parties. The FCC is quick to highlight how Verizon previously proclaimed the technology couldn't be abused by third parties to build detailed profiles of users -- right before it was.
The FCC's full order (pdf) indicates that the regulator is leaning heavily on both the transparency requirement embedded in the FCC's net neutrality rules, and the agency's authority under Title II of the Communications Act to enforce the settlement:
"Section 222 of the Communications Act imposes a duty on carriers to protect their customers’ proprietary information and use such information only for authorized purposes. It also expressly prohibits carriers that obtain proprietary information from other carriers for the provision of telecommunications services to use such information for any other purpose. Section 8.3 of the Commission’s rules, known as the Open Internet Transparency Rule, requires every fixed and mobile broadband Internet access provider to publicly disclose accurate information regarding the network management practices, performance, and commercial terms of its broadband Internet access services sufficient for consumers to make informed choices regarding use of such services and for content, application, service, and device providers to develop, market, and maintain Internet offerings."When the FCC reclassified ISPs as common carriers under Title II, ISPs became subject to Title II’s Section 222 privacy protections regarding "customer proprietary network information" (CPNI). That portion of Title II was written specifically for phone companies, so the FCC is planning (prompted in large part by Verizon's behavior) to update the CPNI rules to create new broadband consumer privacy protections. While the FCC politely lauds Verizon's cooperation in the investigation, these kinds of consumer protections are precisely what Verizon was trying to stop when it sued to cripple net neutrality (both in 2010 and again last year).
Granted Verizon could have easily avoided the new privacy rules. It has argued for years that tougher privacy protections for broadband weren't necessary because the industry could self-regulate. And regulators appeared to buy that claim for a while. But Verizon's decision to covertly fiddle with packets and track tens of millions of customers without bothering to tell any of them indicates just how well that plan actually worked in practice.
Filed Under: fcc, privacy, settlement, zombie cookies
Companies: verizon
