Verizon May Soon Get to Enjoy a Lawsuit Over Its Sneaky Use of Perma-Cookies

from the privacy-schmivacy dept

Over the last few years, Verizon has been ramping up its behavioral tracking efforts via programs like Verizon Selects and its Relevant Mobile Ad system, which track wireless and wireline subscriber web behavior to deliver tailored ads and sell your information to third parties. Unknown until a few weeks ago, however, was the fact that as part of this initiative, Verizon has started using what many are calling controversial “stealth,” “super” or “perma” cookies: identifiers that track a user’s online behavior covertly and that users cannot disable via browser settings, because they are never stored in the browser at all.

Lawyer and Stanford computer scientist Jonathan Mayer offered up an excellent analysis noting that Verizon was actively modifying its users’ traffic to embed a unique identifier header, X-UIDH, into every unencrypted HTTP request. This header is then read by marketing partners (or hey, anybody, since it’s stamped on all of your traffic) who can then build a handy profile of you. It’s a rather ham-fisted approach, argues Mayer, who notes that while you can opt out of Verizon selling your data, you can’t opt out of having your traffic embedded with the unique identifier. He also offered up a handy graphic detailing precisely how these headers work:

As the story grew the last few weeks, ProPublica noted that Twitter’s mobile advertising arm is already one of several clients using Verizon’s “header enrichment” system, though Twitter didn’t much want to talk about it. Several tools like this one have popped up since, allowing users to test their wireless connections (note it doesn’t work if your cellular device is connected to Wi-Fi, and may be masked by the use of Google Mobile Chrome, Opera Mini, or if viewed through apps like Flipboard).

Kashmir Hill at Forbes also has a great article exploring the ramifications of the system and asked Verizon and AT&T (who has started trials of a similar system) what consumer protections are in place. Both companies proclaimed that the characters in their headers are rotated on a weekly and daily basis to protect user information. But as we’ve noted time and time again, there’s really no such thing as an anonymized data set, and security consultant Ken White argues that only part of the data in the headers is modified, if at all:

“White has been tracked for the past 6 days across 550 miles with a persistent code from both Verizon and AT&T. He has a smartphone with Verizon service and a hotspot with AT&T service. In AT&T’s case, the code has four parts; only one part changes, he says. ‘It’s like if you were identified by a birth month, a birth year, a birth day, and a zip code, and they remove one of those things,’ said White. You’d still be able to reasonably track that person with the other three. Verizon’s code meanwhile hasn’t changed for him, and it’s been almost a week.”
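The header injection Mayer describes, and White’s persistence observation above, can both be checked from the receiving end: a site only has to look for a header the client never sent and note how long the same value keeps arriving. The following is an added example, not code from the article or from any of the test tools it mentions; the request text and X-UIDH values are constructed, and only the X-UIDH header name comes from the article.

```python
"""Detect carrier header enrichment (X-UIDH) in raw HTTP requests and
measure how persistent the injected identifier is across requests.
Added example; request text and identifier values below are constructed."""
from collections import defaultdict

# Header names injected by the carrier. X-UIDH is the Verizon header named
# in the article. Compared lower-cased: HTTP header names are case-insensitive.
TRACKING_HEADERS = {"x-uidh"}

def parse_headers(raw_request: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a dict keyed by
    lower-cased header name. Stops at the blank line ending the headers."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:   # [0] is the request line
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def injected_tracking_headers(raw_request: str) -> dict:
    """Return the tracking headers present in a request. The phone never sent
    these; a carrier proxy adds them in transit, so seeing one at the server
    is the signal a 'test your connection' page looks for."""
    headers = parse_headers(raw_request)
    return {k: v for k, v in headers.items() if k in TRACKING_HEADERS}

def identifier_persistence(requests: list) -> dict:
    """Given (day, raw_request) pairs from one client, map each X-UIDH value to
    the sorted days it was seen on. A value seen across many days is a
    persistent identifier whatever rotation schedule the carrier claims."""
    seen = defaultdict(set)
    for day, raw in requests:
        uidh = injected_tracking_headers(raw).get("x-uidh")
        if uidh is not None:
            seen[uidh].add(day)
    return {k: sorted(v) for k, v in seen.items()}

def build_request(uidh=None) -> str:
    """Construct a raw GET request, optionally with an injected X-UIDH."""
    lines = ["GET /test HTTP/1.1", "Host: example.test",
             "User-Agent: constructed-mobile-browser/1.0"]
    if uidh is not None:
        lines.append("X-UIDH: " + uidh)   # added by the carrier, not the phone
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed sample: one client over six days on cellular, same value every
# day, then a seventh request over Wi-Fi where the carrier proxy is bypassed.
SAMPLE = [(day, build_request("CONSTRUCTED_UIDH_VALUE_1")) for day in range(1, 7)]
SAMPLE.append((7, build_request()))

if __name__ == "__main__":
    for uidh, days in identifier_persistence(SAMPLE).items():
        print(uidh, "seen on days", days)
```

The same check over HTTPS requests would find nothing, since the proxy cannot insert a header into a TLS stream it cannot read.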

Amusingly, I remember back in 2008 when concerns about deep packet inspection and behavioral ads were heating up, Verizon declared there really wasn’t any need for consumer protections or privacy rules governing such technologies, because, the company claimed, public shame and the oodles of competition in the broadband space would somehow keep them honest:

“A couple of years back during the debate on net neutrality, I made the argument that industry leadership through some form of oversight/self-regulatory model, coupled with competition and the extensive oversight provided by literally hundreds of thousands of sophisticated online users would help ensure effective enforcement of good practices and protect consumers.”

Yet here we have an example where the behavior Verizon was engaged in was so surreptitious, even some of the best networking and security experts in the business didn’t notice Verizon was doing it until two years after the effort was launched. Apparently, holding Verizon accountable is going to take a little more than a public scolding in the town square. The EFF has stated they’re taking a look at possible legal action against Verizon for violating consumer privacy law.



Comments on “Verizon May Soon Get to Enjoy a Lawsuit Over Its Sneaky Use of Perma-Cookies”

Cdaragorn (profile) says:

Re: We need TLS everywhere

TLS cannot guarantee that. It can only guarantee that nothing in your message will be altered.

Verizon is using a Man-in-the-middle attack here, and all they are doing is adding to your message. TLS has no control over that.

Think of it as if you sent a letter, then the mail man wrote a message and put your letter and their message into a new envelope and mailed that. There’s nothing you can do to stop it.

elemecca (profile) says:

Re: Re: We need TLS everywhere

That’s… just not true, at least for a properly set up TLS connection. They can’t add to, remove from, or change anything that goes over a TLS channel in a way that either party will accept without knowing the session key. It doesn’t just guarantee that nothing in a particular HTTP request will be altered, as you seem to imply. It guarantees that nothing sent over the TLS connection will be altered. Even were that not true, the header would need to be inserted into the middle of the user’s HTTP request and would thus require alteration of the message itself.

If Verizon has a CA cert that’s trusted by mobile browsers they could be MITM-ing the TLS negotiation. That’s even plausible for phones distributed by Verizon. If that were the case, though, it’d be called out by the researchers who’ve been reporting on this. We’d also see calls for it to be removed from the trust roots.

Gumnos’ concerns about TLS-stripping attacks are much more likely to be valid, although the particular case mentioned probably wasn’t malicious.

John Fenderson (profile) says:

Re: Re: Re:2 Hope they get screwed

“If you agree to be invaded have you been invaded?”

I disagree with the assumption that because something is in the ToS, you have agreed to it. I know that it’s true legally, but practically it’s almost never the case.

“Is your privacy somehow a different entity from you such that you cannot consent or agree to have your privacy invaded?”

That’s an oddly worded question. Of course you can agree to have your privacy invaded. But just because you agree to it doesn’t magically stop it from being an invasion of privacy.

Anonymous Coward says:

Re: Re: Hope they get screwed

“They didn’t invade your privacy, you did read the T&C didn’t you?”

“Consent” means nothing if it is not appropriately informed. The fact that no one knew about this illustrates that there was no informed consent.

“You’re quite free to choose another provider or to not use the internet, after all.”

Isn’t there some sort of state-imposed monopoly on these services? Meaningful participation in contemporary society necessitates use of the internet. Most of us are “free” not to use the internet in only the most technical sense, that is, not at all.

Laws are not necessarily reasonable, ethical or legitimate. Current privacy and data protection laws are radically inadequate and require urgent reform. Thanks to lobby dollars / political donations (political bribes) from Google et al, combined with the toxic influence of the security state, this is unlikely to occur for years.

Anonymous Coward says:

‘you can’t opt out of having your traffic’ read.

All Verizon and others need is to allow others to read where you have been and they will obviously get paid. What is so annoying about this is that it’s your data that they are giving access to, for a fee, and you not only don’t get asked, you don’t get paid either!!

Anonymous Coward says:

Re: Re:

I agree customers should be asked if they want to opt in to this theft ring; the tolls have already been paid by the customer. This is double dipping, invasion of privacy, and like reading your mail before it hits the receiver’s house. Any and all money should be passed on to the consumer for past interceptions of data.

radix (profile) says:


You can either have targeted ads, semi-targeted ads, or generic ads.

Nobody uses generic ads, since they’re useless. There’s really not even an offline equivalent. You always know something about your audience, even if it’s as little as where they are when they see the ad.

Semi-targeted ads are like a billboard, when you know the location it’s being seen, or a TV spot where you have a good idea about the demographics of the viewing audience.

Targeted ads are usually thought of as online, but any mailers you get from retailers you frequent are basically the same thing. Or coupons that print on your receipt at checkout. They know what you bought previously and will push similar products.

Injecting identifiers, for the purpose of delivering advertising, is INHERENTLY targeting. Any attempt to claim it’s not is a flat-out lie. And not even a good one. It’s a three-year-old with ice cream all over his face telling you the dog did it.

Both companies proclaimed that the characters in their headers are rotated on a weekly and daily basis to protect user information.

W. T. F.

If a profile expired every day, or even every week, it would be WORTHLESS. The entire point of doing this is that it’s trackable.

Claiming otherwise doesn’t take big brass balls, it takes a small withered brain.

Eldakka (profile) says:

Re: Re: Re: Re:

The extra header(s) are inserted into the packet after it’s left your phone and reached the telco. Therefore, depending on where the actual metering of your data usage is done, it may not be included, as it may be inserted after your packet has already been metered.

Of course, it may also be inserted before the metering, so it might be included…

Anonymous Coward says:

I cancelled my Verizon account the moment I confirmed this tracking. They apparently don’t like being told this in person when they ask why you’re leaving. I doubt I’m the first to state that as a reason for immediate termination of service (curious how many have left as a result of this discovery).

They should be fined per customer whose privacy they violated and not just a flat rate of 50 million which is essentially nothing to them.

MAM says:

Re: Re:

Thanks, but no thanks. You are assuming that most of us care, and I can assure you we don’t. I do not need, nor do I care, what Verizon does with this information. We have the right and ability to ignore ads. Your statement sounds like a Class Action attempt, which I believe is not allowed based on its T&C.

Claire Rand says:

phorm for this

UK providers have phorm for trying this sort of rubbish as well. Would be nice to see _someone_ getting an actual punishment for it.

Prosecution over here fell apart with “no criminal intent” decided after attempting a long grass exercise as the alternative was hammering the former national phone carrier who got caught.

Guess that encryption hurts this sort of thing, and certain agencies don’t want people encrypting things may have something to do with it. Plus not wanting a court to rule that this sort of stealth stuff is illegal.

MedicalQuack (user link) says:

Poor old lonely blogger I am..

I’m not really complaining but I found the Stanford write up and tweeted it to Kashmir at Forbes and then what do you know I see the same image I used in my original blog there too.

Ok so I’m whining that nobody wants to recognize me (grin). I read your feeds here too and reference you in tweets and some blogs too.

There’s my original at the link…

But just for that though, here’s a new page I made up on my privacy campaign and worth a look at the Congressional testimony video there too:)

You can make it up by donating if you want..I’m just kidding and wiping the tear out of my eye:) I’m a former developer in healthcare, and don’t write anymore but try to put some bottom line stuff out there when I can:)

Anonymous Coward says:

State Actor

Remind me again why a private company is charging us for their services, then turning around and selling literally everything they can about our use of their service. When they give the government access to records that should be protected, we should be able to shut down that company, not have it protected by new unconstitutional laws. Neither company should be open for business, much less colluding with the letters to “fight” whatever the buzzword excuse of the day is.

Coyne Tibbets (profile) says:

Delicious Lie

“Both companies proclaimed that the characters in their headers are rotated on a weekly and daily basis to protect user information.”

These companies don’t care about user information. Therefore, they don’t do that rotation to protect the users: they do that because, if they didn’t, the advertising company would build its own database of tracking codes. To prevent that the code is rotated, requiring the advertising company to make yet another paid request to learn the identity of the person.

I’m sure Verizon was deliciously amused that this feature permitted them to lie that they were protecting “user information”.

Robby says:

Alrighty then.

These assholes are doing this shit to me. I encountered this exact header on CNN’s website. They are selling my information no matter where I am. AOL which is under their parent company of Verizon seems like a likely suspicion. If this starts crossing further lines which I’m constantly drawing and being lenient. I am actually going to file a privacy lawsuit for the main asshole responsible for this. Either they back their nosy behinds the fuck up or I’m taking action on the main perpetrating asshole who is responsible for this. This privacy lawsuit would only target the individuals employed by this company and any other douchebags connected with this hostile intrusion or the company itself. People better start shaping up and getting in line before this gets more serious. If you do not respect privacy then you will be sued. Cease and desist people. This will be far reaching too. I’m going to put preliminary work in for this lawsuit. I received a call from my lawyer about this issue and I didn’t respond back since I was giving people a second chance. But this is over I am getting to the bottom of this with my lawyers and if they are reading this you will be sued. This is only going to target only a few specific individuals who are responsible for this. And believe me we have all the evidence for a lawsuit which my parents helped me and my lawyers gather. This has gone on for too long and those who don’t respect privacy are in over their heads.

Robby says:

Still at it

The marketers and associated companies are STILL employing their dirty marketing and fraud schemes. The latest fraud scheme is giving marketers access to all my emails in my inbox, thereby giving permission to a website hidden as spam clearing software. I’m mad happy these companies and marketers are still doing this, especially when there will be a hefty compensation given to me. This is so awesome.

Robby says:

Edit: Update

Forgot to add that on top of the large corporations this will also target the individual responsible for being the primary igniting source for this. This is a serious infiltration of my human and civil rights. Whoever is responsible for this, you will pay. You will pay for everything you have done to me. The mental torture, the hospital bills, the student loans, the stress you have put on all of those that surround me every single place I go. You will pay for this targeted action. I promise it and guarantee it. I am going forward with this as long as it doesn’t harm the one individual I care about and the members of my immediate family. Otherwise, it’s fair game. You brought this on yourself.

Daniel says:


I will never do something if it hurts the girl I love. If you are reading this I won’t do it if there is any chance at all that it will involve any action on you. I still love you and I don’t want anything bad to ever happen to you because you are incredibly sweet to me. If I wanted to ever take any action I want to meet you and date you first so you can also talk to me if it is a good idea to take any legal action or if you think it would be a bad idea and waste of time. I don’t want you to become entangled in this. I want you to be a part of my success but what I am saying is that I don’t want my success to be controlled by these asshole marketers especially if we start a family. We have to protect ourselves so that when we do have a child/children we do not want these stupid marketers to have any negative effect on us. My love before I ever consider going to Ethiopia I really do want you to come with me. That is why I told my mom I would start working before I even consider going overseas because I know that once I start working things will fall into place. Do not ever think for a second that after all this and everything you have done for me that I would ever leave you in the dust. I told my mother I would work just for that reason. I will work for myself and so you will know that I care about you and I love you and no dumb marketers will ever get in between us no matter what they do and how hard they try to ruin mine or your life. Please don’t think I’ll leave you. Once we start dating we will grow closer and I am going to do everything I can to make sure I start caring for myself. Let us take it day by day
