Remember That Undeletable Super Cookie Verizon Claimed Wouldn't Be Abused? Yeah, Well, Funny Story…

from the your-privacy-preferences-now-mean-absolutely-nothing dept

A few months ago, we noted how Verizon and AT&T were at the bleeding edge of the use of new “stealth” supercookies that can track a subscriber’s web activity and location, and can’t be disabled via browser settings. Despite having been doing this for two years, security researchers only just noticed that Verizon was actively modifying its wireless users’ traffic to embed a unique identifier traffic header, or X-UIDH. This identifier effectively broadcasts user details to any website they visit, and the opt-out settings for the technology only stopped users from receiving customized ads — not the traffic modification and tracking.

AT&T responded to the fracas by claiming it was only conducting a trial, one AT&T has since claimed to have terminated. Verizon responded by insisting that the unique identifier was rotated on a weekly basis (something researchers found wasn’t true) and that the data was perfectly anonymous (though as we’ve long noted anonymous data sets are never really anonymous). While security researchers noted that third-party websites could use this identifier to build profiles without their consent, Verizon’s website insisted that “it is unlikely that sites and ad entities will attempt to build customer profiles” using these identifiers.

As such, you’ll surely be shocked to learn that sites and ad entities are building customer profiles using these identifiers.

Not only that, they’re using the system to resurrect deleted tracking cookies and share them with advertising partners, making consumer opt-out preferences moot. According to security researcher Jonathan Mayer (and tested and confirmed by ProPublica), an online advertising clearinghouse by the name of Turn has been using Verizon’s modifications when auctioning ad placement to websites like Google, Facebook and Yahoo for some time. When asked, Verizon pretends this is news to the company:

“When asked about Turn’s use of the Verizon number to respawn tracking cookies, a Verizon spokeswoman said, “We’re reviewing the information you shared and will evaluate and take appropriate measures to address.” Turn privacy officer Ochoa said that his company had conversations with Verizon about Turn’s use of the Verizon tracking number and said “they were quite satisfied.”

Like Verizon’s implementation of the program, Turn lets users opt out of receiving targeted ads, but users have no way of really opting out of being tracked or having their packets manipulated without prior consent. As the EFF notes, your only option is to use a VPN for all your traffic, or to use a browser add-on like AdBlock, which doesn’t fully address the issues with the use of a UIDH header. Amusingly, Turn tries to claim to ProPublica that it’s actually using Verizon’s UIDH to respect user behavioral ad opt out preferences, but the website found that repeatedly wasn’t working:

“Initially, Turn officials also told ProPublica that its zombie cookie had a benefit for users: They said they were using the Verizon number to keep track of people who installed the Turn opt-out cookie, so that if they mistakenly deleted it, Turn could continue to honor their decisions to opt out. But when ProPublica tested that claim on the industry’s opt-out system, we found that it did not show Verizon users as opted out. Turn subsequently contacted us to say it had fixed what it said was a glitch, but our tests did not show it had been fixed.”

Even if Turn’s being honest, there are plenty of companies that aren’t going to bother being ethical. Verizon, which in 2008 insisted that consumer privacy protections weren’t necessary because public shame would keep them honest, pretty clearly isn’t interested in stopping the practice without legal or regulatory intervention. So yeah, again, we’ve got a new type of supercookie that tracks everything you do, can’t be opted out of, and is turning consumer privacy completely on its ear, but there’s absolutely nothing here you need to worry your pretty little head about.

Filed Under: , , , , ,
Companies: at&t, turn, verizon

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Remember That Undeletable Super Cookie Verizon Claimed Wouldn't Be Abused? Yeah, Well, Funny Story…”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re: Re: Re:

AFAIK … regardless of WHAT you block (cookies, dom, scripts, adverts, domains, etc) .. the website you visit is given your unique ID and you cannot stop this. What the web-server does with it is to talk to “turn” etc and build a profile on you (even if you don’t get served any adverts). Any notion that the ad networks don’t get back any info is ludicrous. There would definitely be server-side tracking going on. And I’m betting the NSA is loving this.

Anonymous Coward says:

Re: Re: Re:2 Re:

I’m not concerned about (as an example) getting my tracking id. It’s a site I visit, they’re free to track me in exchange for their services. Google analytics (as another example), however, is not. A hosts file will absolutely block GA from getting any traffic from my phone, let alone anything with a unique id. And if tries to send my id and other info to GA on the server side, then, well, that website likely won’t be around for long (server side inter-server communication will destroy your scalability).

RoninTetsuro says:

Re: Re: Better research...

Non-competition clauses between American ISP’s make changing service an exercise in ‘how much more do I want to pay for worse service’, if an alternative option exists at all.

A few years back, I moved into an apartment complex in an area I new supplied ATT broadband. I know because I asked the businesses 300 yards from my front door. So when I went to sign up for ATT broadband, they told me it wasn’t available in my area. I explained that I knew that was untrue and asked why I was being offered restricted service.

I was told that because my area wasn’t considered profitable enough (read: not upper-middle class) ATT could only offer me DSL service.

The funny part is, I moved to what appeared to be the end of the same apartment complex where the higher class people had been gentrified, and I got ATT broadband no problem. This was in the same apartment complex.

ISPs abuse any and all rules to maximize profit, always. If they CAN sell your info, they WILL and HAVE sold your info.

TKnarr (profile) says:

can be = will be

*sigh* If it can be abused, it will be abused. A good test is how the perpetrator reacts to the inverse: if they have no plans to abuse something, they won’t mind removing the parts that can be abused. If they object to that or back-peddle, you can bet they’ve got plans to abuse it to within an inch of it’s life and they don’t want to admit to them.

medicalquack (user link) says:

Is indexing and licensing making sense yet?

I’ve been on the campaign as just as you wrote above, who in the heck is mining and selling our data? We don’t know and the Presidential voluntary actions of companies and banks to regulate themselves with data selling, it’s joke. It was be like expecting banks to regulate themselves…old Obama living in that virtual world again…they confuse virtual values with the real world as do too many others.

Here’s my campaign and shortly I’ll add a radio show link that I did today on privacy. Lawyers are messing up privacy efforts as they still think verbiage can control things and code in the world…their perceptions are nutty as heck. I invited the FTC to listen to the radio podcast as well since I write them almost every week on this topic:) Here’s the campaing and if anyone kicks in a few dollars it’s appreciated but not necessary.

John Fenderson (profile) says:

When asked about Turn’s use of the Verizon number to respawn tracking cookies, a Verizon spokeswoman said, “We’re reviewing the information you shared and will evaluate and take appropriate measures to address.”

I can save them a lot of time and money in conducting their review: the only possible appropriate measure available is to stop injecting these tracking numbers.

Like Verizon’s implementation of the program, Turn lets users opt out of receiving targeted ads

This sort of response from companies that track users makes me angrier at those companies than if they just said “suck it, you can’t opt out”. My objection to the tracking is not the advertising. It’s the tracking itself.

David says:

Re: Re:

Are you a child molester?

I have to think of that case where some mother furiously reacted to some supermarket sending her 16-year old daughter diaper and baby clothes advertisements only to figure out afterwards that the browsing habits analysis leading to that targeted advertising had been pretty much on-spot.

N O W, that makes me suspect that the “does not want to be spied upon -> child molester and/or terrorist” conclusion that NSA and its bosses come up in every political argument with is a lot less sophisticated than what advertising companies can come up with, never mind the gigantic data sets they are working with.

So it would seem just sensible if the task of proposing stings and FBI operations was taken off the NSA and given to Walmart and Toys’r’us. That should cut costs considerably while improving accuracy to a degree where some suspects might possibly even be arrested before they complete their attack: something that all the spying somehow so far failed to accomplish.

art guerrilla (profile) says:

Re: Re: Re: Re:

closer than you think, turk…

at the risk of being dismissed as a loony:
WHO here thinks that WHEN (not IF) nanobots are just a LITTLE bit more advanced then they are now, the spooks will want to put one up the butt of EVERY person they want to ‘track’ ? ? ?

AGAIN, we have KIND OF/SORT OF made our own problem in this regard, in that we have not objected to surveillance on the grounds it is immoral, illegal, etc; but on the grounds that it is obtrusive, breaks the tubes, etc…

so, now we are left without a leg to stand on (butt to sit on?) when The They ™ have nanobots they can deploy up our butt, because they are TOTALLY unobtrusive and unnoticeable, WHAT POSSIBLE OBJECTION COULD YOU HAVE, CITIZEN…

(you should have nothing to hide, blah blah blah…)

John Fenderson (profile) says:

Re: Re: Re:

“some mother furiously reacted to some supermarket sending her 16-year old daughter diaper and baby clothes advertisements”

Yes, that wasn’t just some supermarket, that was Target. And they made their determination based on the kid’s purchasing history, not her browsing habits.

The rest of your comment is right, although I think it’s a reasonable assumption that the NSA (and CIA and FBI, etc.) have all this data as well.

tqk (profile) says:

Re: Re:

… how about actually copying the inserted multiple times, with random numbers?

With the right code and properly implemented db, that would make you more trackable.

John’s right. Don’t browse the web on a cellphone if this can’t be tolerated. If you’re getting or sending stuff from within intrusive or nosy regimes (who isn’t?), you need to know this. If Turn can do it, so can GCHQ & NSA.

CJ says:

Re: Re: Re:

I don’t see how, if enough people started doing it (e.g. via a browser plug-in).

Maybe you misunderstood? what I had in mind was something like this:

If the original insert is (simplified for clarity)
/TAG id=1234/

… a few lines, with random ids, could be added beforehand (e.g.):

/TAG id=4321/
/TAG id=3412/
/TAG id=1324/
/TAG id=3142/

You get the picture.

Ha, if the plug-in could be pooled to use actual ids, it would confuse the collection no end. (I realise no-one would like to give that away, of course.)

Biggest issue I can see is not being able to control the placement, as the actual tracking id would be either first of last. Don’t know of-hand of a work-round for this.

Anyway, just a thought experiment, nothing more.
It goes without saying that this behaviour should be abandoned forthright!

John Fenderson (profile) says:

Re: Re: Re: Re:

I don’t know how the ID numbers used in the X-UIDH headers are computed, but it’s a reasonable bet that it’s either an encrypted data blob or includes some sort of data integrity check encoded into it. Unless you know how to replicate that, then made-up numbers would be easily detected and rejected before they get anywhere near a database. If X-UIDH tracking was implemented correctly, this checking is already taking place.

Anonymous Coward says:

Most of the time, I refuse to stay at a site that requires NoScript to temporarily allow to see the contents. If that is required, you can bet it is a datamining point. Likewise anything I can do to prevent datamining and ad presentation is blocked. I also run it through a VPN. I doubt all that will prevent datamining but it will slow a lot of it down.

I am not asked if I want to opt out. Giving a cookie to opt out is meaningless as soon as you clear the cookies for those that won’t pay attention to your desires to not be datamined. Most folks don’t realize you can whitelist cookies till it’s too late and it’s gone.

I’m totally fed up with all this spying, datamining, and trying to force ads on you.

Anybody says:


Come on anonymous when are you going to hack into their system and destroy them. Lets get their super secret secrets out in the open , and force them to stop things like this and actually protect their customers. Nobody in their right mind would give their isp the right to manipulate body in their right mind would believe any of their lies, but sadly it takes real people breaking into their system and producing the evidence to encourage consumers to believe how evil they really are.

John Fenderson (profile) says:

Re: Re:

A VPN or HTTPS is sufficient. Also, these headers are only inserted when you’re browsing over the cell network, not when you’re using a WiFi or wired connection. So you could just avoid using your phone’s browser when you’re using the cell network for your internet service.

The firewall I use on my Android phone (DroidWall) makes this easy to enforce, as you can easily set it up so that specific applications are blocked from using the cell network but can use WiFi.

weneedhelp - NSI says:

Re: Re: Re:

We have recently locked down our work internet to the point of being useless. I have been tethering my phone to my personal laptop. Still… there is an attraction to a read only OS. At least when I reboot a ThinClient or LiveCD I know its back to a clean state. Most of the time. 🙂

Thanks for the DroidWall info I will definitely check it out.

Anonymous Coward says:

Want to really REALLY fuck with advertisers? let them have their way with tracking cookies, but use one of the myriad of services that let you visit thousands and thousands of random websites very quickly.

What this does, is to screw up utterly any chance the advertisers have of targetting actual customers as everyone appears to have completely random and arbitrary tastes and everyone they ever meet appears to have visited X and Y sites….

There are android, PC and Mac apps to do just this thing.

It completely renders null and void ALL tracking for advertising purposes by submerging your actual traffic in a vast cesspool of gibberish.

arcticlynx says:

FCC, where are you?

If the FCC wants to regulate something, this would be worthy of that. They should stop this in its tracks. Could a hacker get ahold of this and figure a way to use this against us? Could businesses use it to discriminate? When people go on the internet they quite often don’t want people stalking them wherever they go. A little bit of privacy is nice from time to time.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Older Stuff
10:50 NY AG Proves Broadband Industry Funded Phony Public Support For Attack On Net Neutrality (10)
06:24 The GOP Is Using Veterans As Props To Demonize Net Neutrality (22)
06:03 Telecom Using Veterans As Props To Demonize California's New Net Neutrality Law (12)
09:32 AT&T Whines That California Net Neutrality Rules Are Forcing It To Behave (11)
06:23 The New York Times (Falsely) Informs Its 7 Million Readers Net Neutrality Is 'Pointless' (51)
15:34 Facebook's Australian News Ban Did Demonstrate The Evil Of Zero Rating (18)
04:58 'Net Neutrality Hurt Internet Infrastructure Investment' Is The Bad Faith Lie That Simply Won't Die (11)
05:48 Dumb New GOP Talking Point: If You Restore Net Neutrality, You HAVE To Kill Section 230. Just Because! (66)
06:31 DOJ Drops Ridiculous Trump-Era Lawsuit Against California For Passing Net Neutrality Rules (13)
06:27 The Wall Street Journal Kisses Big Telecom's Ass In Whiny Screed About 'Big Tech' (13)
10:45 New Interim FCC Boss Jessica Rosenworcel Will Likely Restore Net Neutrality, Just Not Yet (5)
15:30 Small Idaho ISP 'Punishes' Twitter And Facebook's 'Censorship' ... By Blocking Access To Them Entirely (81)
05:29 A Few Reminders Before The Tired Net Neutrality Debate Is Rekindled (13)
06:22 U.S. Broadband Speeds Jumped 90% in 2020. But No, It Had Nothing To Do With Killing Net Neutrality. (12)
12:10 FCC Ignores The Courts, Finalizes Facts-Optional Repeal Of Net Neutrality (19)
10:46 It's Opposite Day At The FCC: Rejects All Its Own Legal Arguments Against Net Neutrality To Claim It Can Be The Internet Speech Police (13)
12:05 Blatant Hypocrite Ajit Pai Decides To Move Forward With Bogus, Unconstitutional Rulemaking On Section 230 (178)
06:49 FCC's Pai Puts Final Bullet In Net Neutrality Ahead Of Potential Demotion (25)
06:31 The EU Makes It Clear That 'Zero Rating' Violates Net Neutrality (6)
06:22 DOJ Continues Its Quest To Kill Net Neutrality (And Consumer Protection In General) In California (11)
11:08 Hypocritical AT&T Makes A Mockery Of Itself; Says 230 Should Be Reformed For Real Net Neutrality (28)
06:20 Trump, Big Telecom Continue Quest To Ban States From Protecting Broadband Consumers (19)
06:11 Senators Wyden And Markey Make It Clear AT&T Is Violating Net Neutrality (13)
06:31 Net Neutrali-what? AT&T's New Streaming Service Won't Count Against Its Broadband Caps. But Netflix Will. (25)
06:23 Telecom's Latest Dumb Claim: The Internet Only Works During A Pandemic Because We Killed Net Neutrality (49)
13:36 Ex-FCC Staffer Says FCC Authority Given Up In Net Neutrality Repeal Sure Would Prove Handy In A Crisis (13)
06:27 Clarence Thomas Regrets Brand X Decision That Paved Way For The Net Neutrality Wars (11)
06:17 The FCC To Field More Comments On Net Neutrality. Maybe They'll Stop Identity Theft And Fraud This Time? (79)
08:56 AT&T, Comcast Dramatically Cut Network Spending Despite Net Neutrality Repeal (16)
06:18 Ajit Pai Hits CES... To Make Up Some Shit About Net Neutrality (24)
More arrow