Outnumbered And Outgunned, Marriott Sort Of Backs Off Stupid Plan To Ban Guest Device Wi-Fi

from the know-when-to-fold-'em dept

Back in October we noted how the FCC had fined Marriott $600,000 for using deauth man in the middle attacks to prevent customers from using tethered modems or mobile hotspots at the company's Gaylord Opryland Hotel and Convention Center in Nashville. Marriott's ingenious plan involved blocking visitors and convention attendees from using their own cellular connections so they'd be forced to use Marriott's historically abysmal and incredibly expensive wireless services (in some cases running up to $1,000 per device).

When pressed by the FCC, Marriott pretended this was all to protect the safety and security of their customers. The company also tried to claim that what it was doing was technically legal under the anti-jamming provisions of section 333 of the Communications Act, since the deauth attacks being used (which confuse devices into thinking they're connecting to bogus, friendly routers) weren't technically jamming cellular signals. The FCC didn't agree, and neither did industry giants like Microsoft, Google, AT&T and Verizon, who collectively filed opposition documents with the FCC arguing that Marriott was clearly violating the law.

After carefully surveying a battlefield scattered with millions of pissed off consumers, annoyed regulators, and angry, bottomless-pocketed technology giants, Marriott has apparently concluded that maybe its shallow ploy to make an extra buck isn't worth fighting over. In a statement posted to the company's website, Marriott states it's going to stop acting like a nitwit, maybe:

"Marriott International listens to its customers, and we will not block guests from using their personal Wi-Fi devices at any of our managed hotels. Marriott remains committed to protecting the security of Wi-Fi access in meeting and conference areas at our hotels. We will continue to look to the FCC to clarify appropriate security measures network operators can take to protect customer data, and will continue to work with the industry and others to find appropriate market solutions that do not involve the blocking of Wi-Fi devices."

You'll notice the selectively-worded statement doesn't completely put the issue to rest, and clings fast to the argument that Marriott is just really concerned about visitor security, suggesting this may not be the last we hear of this.

Filed Under: blocks, fcc, hotels, wifi
Companies: marriott

Remember That Undeletable Super Cookie Verizon Claimed Wouldn't Be Abused? Yeah, Well, Funny Story...

from the your-privacy-preferences-now-mean-absolutely-nothing dept

A few months ago, we noted how Verizon and AT&T were at the bleeding edge of the use of new "stealth" supercookies that can track a subscriber's web activity and location, and can't be disabled via browser settings. Despite having been doing this for two years, security researchers only just noticed that Verizon was actively modifying its wireless users' traffic to embed a unique identifier traffic header, or X-UIDH. This identifier effectively broadcasts user details to any website they visit, and the opt-out settings for the technology only stopped users from receiving customized ads -- not the traffic modification and tracking.

AT&T responded to the fracas by claiming it was only conducting a trial, one AT&T has since claimed to have terminated. Verizon responded by insisting that the unique identifier was rotated on a weekly basis (something researchers found wasn't true) and that the data was perfectly anonymous (though as we've long noted anonymous data sets are never really anonymous). While security researchers noted that third-party websites could use this identifier to build profiles without their consent, Verizon's website insisted that "it is unlikely that sites and ad entities will attempt to build customer profiles" using these identifiers.

As such, you'll surely be shocked to learn that sites and ad entities are building customer profiles using these identifiers.

Not only that, they're using the system to resurrect deleted tracking cookies and share them with advertising partners, making consumer opt-out preferences moot. According to security researcher Jonathan Mayer (and tested and confirmed by ProPublica), an online advertising clearinghouse by the name of Turn has been using Verizon's modifications when auctioning ad placement to websites like Google, Facebook and Yahoo for some time. When asked, Verizon pretends this is news to the company:

"When asked about Turn's use of the Verizon number to respawn tracking cookies, a Verizon spokeswoman said, "We're reviewing the information you shared and will evaluate and take appropriate measures to address." Turn privacy officer Ochoa said that his company had conversations with Verizon about Turn's use of the Verizon tracking number and said "they were quite satisfied."

Like Verizon's implementation of the program, Turn lets users opt out of receiving targeted ads, but users have no way of really opting out of being tracked or having their packets manipulated without prior consent. As the EFF notes, your only option is to use a VPN for all your traffic, or to use a browser add-on like AdBlock, which doesn't fully address the issues with the use of a UIDH header. Amusingly, Turn tries to claim to ProPublica that it's actually using Verizon's UIDH to respect user behavioral ad opt out preferences, but the website found that repeatedly wasn't working:

"Initially, Turn officials also told ProPublica that its zombie cookie had a benefit for users: They said they were using the Verizon number to keep track of people who installed the Turn opt-out cookie, so that if they mistakenly deleted it, Turn could continue to honor their decisions to opt out. But when ProPublica tested that claim on the industry's opt-out system, we found that it did not show Verizon users as opted out. Turn subsequently contacted us to say it had fixed what it said was a glitch, but our tests did not show it had been fixed."

Even if Turn's being honest, there are plenty of companies that aren't going to bother being ethical. Verizon, which in 2008 insisted that consumer privacy protections weren't necessary because public shame would keep them honest, pretty clearly isn't interested in stopping the practice without legal or regulatory intervention. So yeah, again, we've got a new type of supercookie that tracks everything you do, can't be opted out of, and is turning consumer privacy completely on its ear, but there's absolutely nothing here you need to worry your pretty little head about.

Filed Under: mobile data, privacy, super cookie, tracking, wireless, x-uidh
Companies: at&t, turn, verizon