Remember That Undeletable Super Cookie Verizon Claimed Wouldn't Be Abused? Yeah, Well, Funny Story…

from the your-privacy-preferences-now-mean-absolutely-nothing dept

A few months ago, we noted how Verizon and AT&T were at the bleeding edge of a new kind of “stealth” supercookie that can track a subscriber’s web activity and location and can’t be disabled via browser settings. Verizon had been doing this for roughly two years before security researchers noticed that it was actively modifying its wireless users’ traffic to inject a unique-identifier header, X-UIDH, into their HTTP requests. Because the header rides along with every request, any website the subscriber visits receives the same persistent identifier, and the opt-out Verizon offered only stopped users from receiving customized ads; it did nothing about the traffic modification or the tracking it enables.

AT&T responded to the fracas by claiming it was only conducting a trial, one it has since said it terminated. Verizon responded by insisting that the identifier was rotated weekly (researchers found it wasn’t) and that the data was perfectly anonymous (though, as we’ve long noted, “anonymous” data sets are never really anonymous). While security researchers pointed out that third-party websites could use the identifier to build profiles on users without their consent, Verizon’s website insisted that “it is unlikely that sites and ad entities will attempt to build customer profiles” using it.

As such, you’ll surely be shocked to learn that sites and ad entities are building customer profiles using these identifiers.

Not only that, they’re using the identifier to resurrect deleted tracking cookies and share them with advertising partners, making consumer opt-out preferences moot. According to security researcher Jonathan Mayer (as tested and confirmed by ProPublica), an online advertising clearinghouse named Turn has for some time been using Verizon’s injected identifier as a persistent key when auctioning ad placements to companies like Google, Facebook and Yahoo. When asked, Verizon pretends this is news to the company:

“When asked about Turn’s use of the Verizon number to respawn tracking cookies, a Verizon spokeswoman said, “We’re reviewing the information you shared and will evaluate and take appropriate measures to address.” Turn privacy officer Ochoa said that his company had conversations with Verizon about Turn’s use of the Verizon tracking number and said “they were quite satisfied.”
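The respawn mechanism described above, as an added Python illustration (this is not Verizon’s, Turn’s or ProPublica’s code; the X-UIDH value, the tracker cookie name `tid` and the request lines are constructed sample data). The tracker keeps a table from the carrier’s stable identifier to its own cookie, so a visitor who has cleared cookies gets the old id handed straight back; the last request shows why the same visit over HTTPS or a VPN, where the carrier cannot inject the header, can’t be linked:

```python
"""Added illustration of cookie respawning via a carrier-injected X-UIDH header.

Not Verizon's, Turn's or ProPublica's code.  The header value, the cookie name
(`tid`) and the request lines in SAMPLE_REQUESTS are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

UIDH_HEADER = "x-uidh"   # the header the carrier injects into plaintext HTTP
COOKIE_NAME = "tid"      # hypothetical name of the tracker's own cookie


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (request line, headers).

    Header names are lower-cased because HTTP header names are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def parse_cookies(cookie_header: str) -> Dict[str, str]:
    """Parse a Cookie header such as 'a=1; b=2' into a dict."""
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def injected_uidh(raw: str) -> Optional[str]:
    """Site-operator check: the carrier identifier on this request, if any."""
    return parse_request(raw)[1].get(UIDH_HEADER)


class ZombieTracker:
    """Models the behaviour the article describes.

    A table maps the carrier's stable X-UIDH value to the tracker's own cookie
    id.  A visitor with no cookie but a known X-UIDH gets the old id back, so
    clearing cookies (including a deleted opt-out cookie) changes nothing.
    """

    def __init__(self) -> None:
        self.uidh_to_cookie: Dict[str, str] = {}
        self._next = 0

    def _new_id(self) -> str:
        self._next += 1
        return f"t{self._next:04d}"

    def handle(self, raw: str) -> Tuple[str, str]:
        """Return (tracking id, what happened) for one request."""
        _, headers = parse_request(raw)
        uidh = headers.get(UIDH_HEADER)
        cookie_id = parse_cookies(headers.get("cookie", "")).get(COOKIE_NAME)

        if cookie_id:
            if uidh:
                self.uidh_to_cookie[uidh] = cookie_id   # learn/refresh the link
            return cookie_id, "cookie present"
        if uidh and uidh in self.uidh_to_cookie:
            return self.uidh_to_cookie[uidh], "respawned from X-UIDH"
        cookie_id = self._new_id()
        if uidh:
            self.uidh_to_cookie[uidh] = cookie_id
        return cookie_id, "new cookie"


# Constructed sample traffic; the X-UIDH value is made up.
UIDH = "ZmFrZS11aWRoLXNhbXBsZQ=="
SAMPLE_REQUESTS: List[str] = [
    # 1. first visit over the cell network: carrier adds X-UIDH, no cookie yet
    f"GET /ad HTTP/1.1\r\nHost: tracker.example\r\nX-UIDH: {UIDH}\r\n\r\n",
    # 2. second visit: browser sends the cookie, carrier still adds X-UIDH
    f"GET /ad HTTP/1.1\r\nHost: tracker.example\r\nCookie: tid=t0001\r\nX-UIDH: {UIDH}\r\n\r\n",
    # 3. user cleared cookies; the carrier header is unchanged, so the id comes back
    f"GET /ad HTTP/1.1\r\nHost: tracker.example\r\nX-UIDH: {UIDH}\r\n\r\n",
    # 4. same user over HTTPS or a VPN: nothing injected, no cookie, nothing to link
    "GET /ad HTTP/1.1\r\nHost: tracker.example\r\n\r\n",
]


def run_demo(traffic: List[str] = SAMPLE_REQUESTS) -> List[Tuple[str, str]]:
    """Feed the sample requests through one tracker and collect its decisions."""
    tracker = ZombieTracker()
    return [tracker.handle(r) for r in traffic]


if __name__ == "__main__":
    for raw, (tid, what) in zip(SAMPLE_REQUESTS, run_demo()):
        flag = "yes" if injected_uidh(raw) else "no"
        print(f"uidh={flag:<3}  id={tid}  {what}")
```

Running the block prints one line per request; the third request shows the respawn and the fourth shows that without the injected header the tracker has to mint a fresh, unlinked id. `injected_uidh` is the check a site operator can run over raw requests to see whether its visitors’ traffic is being tagged.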

Like Verizon, Turn lets users opt out of receiving targeted ads, but users have no real way to opt out of being tracked or of having their packets modified without consent. As the EFF notes, the only effective option is to route all your traffic through a VPN; a browser add-on like AdBlock doesn’t fully address the problem, because the header is added by the carrier in transit rather than by a page or script you can block. That detail is also the practical caveat: the injection can only touch unencrypted HTTP requests, so TLS-protected (HTTPS) connections are not modified, which is why a VPN or HTTPS works where cookie blocking does not. Amusingly, Turn told ProPublica that it actually uses Verizon’s UIDH to honor users’ behavioral-ad opt-out preferences, but ProPublica repeatedly found that this wasn’t working:

“Initially, Turn officials also told ProPublica that its zombie cookie had a benefit for users: They said they were using the Verizon number to keep track of people who installed the Turn opt-out cookie, so that if they mistakenly deleted it, Turn could continue to honor their decisions to opt out. But when ProPublica tested that claim on the industry’s opt-out system, we found that it did not show Verizon users as opted out. Turn subsequently contacted us to say it had fixed what it said was a glitch, but our tests did not show it had been fixed.”

Even if Turn is being honest, plenty of companies won’t bother being ethical. Verizon, which in 2008 insisted that consumer privacy protections weren’t necessary because public shame would keep companies honest, pretty clearly isn’t interested in stopping the practice without legal or regulatory intervention. So yeah, once again we’ve got a new type of supercookie that tracks everything you do, can’t be opted out of, and is turning consumer privacy completely on its ear, but there’s absolutely nothing here you need to worry your pretty little head about.

Companies: at&t, turn, verizon


Comments on “Remember That Undeletable Super Cookie Verizon Claimed Wouldn't Be Abused? Yeah, Well, Funny Story…”

64 Comments
Anonymous Coward says:

Re: Re: Re: Re:

AFAIK … regardless of WHAT you block (cookies, dom, scripts, adverts, domains, etc) .. the website you visit is given your unique ID and you cannot stop this. What the web-server does with it is to talk to “turn” etc and build a profile on you (even if you don’t get served any adverts). Any notion that the ad networks don’t get back any info is ludicrous. There would definitely be server-side tracking going on. And I’m betting the NSA is loving this.

Anonymous Coward says:

Re: Re: Re:2 Re:

I’m not concerned about techdirt.com (as an example) getting my tracking id. It’s a site I visit, they’re free to track me in exchange for their services. Google analytics (as another example), however, is not. A hosts file will absolutely block GA from getting any traffic from my phone, let alone anything with a unique id. And if techdirt.com tries to send my id and other info to GA on the server side, then, well, that website likely won’t be around for long (server side inter-server communication will destroy your scalability).

RoninTetsuro says:

Re: Re: Better research...

Non-competition clauses between American ISPs make changing service an exercise in ‘how much more do I want to pay for worse service’, if an alternative option exists at all.

A few years back, I moved into an apartment complex in an area I knew was supplied with ATT broadband. I know because I asked the businesses 300 yards from my front door. So when I went to sign up for ATT broadband, they told me it wasn’t available in my area. I explained that I knew that was untrue and asked why I was being offered restricted service.

I was told that because my area wasn’t considered profitable enough (read: not upper-middle class) ATT could only offer me DSL service.

The funny part is, I moved to what appeared to be the end of the same apartment complex where the higher class people had been gentrified, and I got ATT broadband no problem. This was in the same apartment complex.

ISPs abuse any and all rules to maximize profit, always. If they CAN sell your info, they WILL and HAVE sold your info.

TKnarr (profile) says:

can be = will be

*sigh* If it can be abused, it will be abused. A good test is how the perpetrator reacts to the inverse: if they have no plans to abuse something, they won’t mind removing the parts that can be abused. If they object to that or back-pedal, you can bet they’ve got plans to abuse it to within an inch of its life and they don’t want to admit to them.

medicalquack (user link) says:

Is indexing and licensing making sense yet?

I’ve been on the campaign, just as you wrote above: who in the heck is mining and selling our data? We don’t know, and the Presidential voluntary actions of companies and banks to regulate themselves with data selling, it’s a joke. It would be like expecting banks to regulate themselves…old Obama living in that virtual world again…they confuse virtual values with the real world as do too many others.

http://ducknetweb.blogspot.fr/2014/03/virtual-worlds-real-world-we-have.html

Here’s my campaign and shortly I’ll add a radio show link that I did today on privacy. Lawyers are messing up privacy efforts as they still think verbiage can control things and code in the world…their perceptions are nutty as heck. I invited the FTC to listen to the radio podcast as well since I write them almost every week on this topic:) Here’s the campaign and if anyone kicks in a few dollars it’s appreciated but not necessary.

http://www.youcaring.com/other/help-preserve-our-privacy-/258776

John Fenderson (profile) says:

When asked about Turn’s use of the Verizon number to respawn tracking cookies, a Verizon spokeswoman said, “We’re reviewing the information you shared and will evaluate and take appropriate measures to address.”

I can save them a lot of time and money in conducting their review: the only possible appropriate measure available is to stop injecting these tracking numbers.

Like Verizon’s implementation of the program, Turn lets users opt out of receiving targeted ads

This sort of response from companies that track users makes me angrier at those companies than if they just said “suck it, you can’t opt out”. My objection to the tracking is not the advertising. It’s the tracking itself.

David says:

Re: Re:

Are you a child molester?

I have to think of that case where some mother furiously reacted to some supermarket sending her 16-year old daughter diaper and baby clothes advertisements only to figure out afterwards that the browsing habits analysis leading to that targeted advertising had been pretty much on-spot.

N O W, that makes me suspect that the “does not want to be spied upon -> child molester and/or terrorist” conclusion that NSA and its bosses come up in every political argument with is a lot less sophisticated than what advertising companies can come up with, never mind the gigantic data sets they are working with.

So it would seem just sensible if the task of proposing stings and FBI operations was taken off the NSA and given to Walmart and Toys’r’us. That should cut costs considerably while improving accuracy to a degree where some suspects might possibly even be arrested before they complete their attack: something that all the spying somehow so far failed to accomplish.

art guerrilla (profile) says:

Re: Re: Re: Re:

closer than you think, turk…

at the risk of being dismissed as a loony:
WHO here thinks that WHEN (not IF) nanobots are just a LITTLE bit more advanced then they are now, the spooks will want to put one up the butt of EVERY person they want to ‘track’ ? ? ?

AGAIN, we have KIND OF/SORT OF made our own problem in this regard, in that we have not objected to surveillance on the grounds it is immoral, illegal, etc; but on the grounds that it is obtrusive, breaks the tubes, etc…

so, now we are left without a leg to stand on (butt to sit on?) when The They ™ have nanobots they can deploy up our butt, because they are TOTALLY unobtrusive and unnoticeable, WHAT POSSIBLE OBJECTION COULD YOU HAVE, CITIZEN…

(you should have nothing to hide, blah blah blah…)

John Fenderson (profile) says:

Re: Re: Re:

“some mother furiously reacted to some supermarket sending her 16-year old daughter diaper and baby clothes advertisements”

Yes, that wasn’t just some supermarket, that was Target. And they made their determination based on the kid’s purchasing history, not her browsing habits.

The rest of your comment is right, although I think it’s a reasonable assumption that the NSA (and CIA and FBI, etc.) have all this data as well.

tqk (profile) says:

Re: Re:

… how about actually copying the inserted multiple times, with random numbers?

With the right code and properly implemented db, that would make you more trackable.

John’s right. Don’t browse the web on a cellphone if this can’t be tolerated. If you’re getting or sending stuff from within intrusive or nosy regimes (who isn’t?), you need to know this. If Turn can do it, so can GCHQ & NSA.

CJ says:

Re: Re: Re:

I don’t see how, if enough people started doing it (e.g. via a browser plug-in).

Maybe you misunderstood? what I had in mind was something like this:

If the original insert is (simplified for clarity)
/TAG id=1234/

… a few lines, with random ids, could be added beforehand (e.g.):

/TAG id=4321/
/TAG id=3412/
/TAG id=1324/
/TAG id=3142/
….

You get the picture.

Ha, if the plug-in could be pooled to use actual ids, it would confuse the collection no end. (I realise no-one would like to give that away, of course.)

Biggest issue I can see is not being able to control the placement, as the actual tracking id would be either first or last. Don’t know off-hand of a work-around for this.

Anyway, just a thought experiment, nothing more.
It goes without saying that this behaviour should be abandoned forthwith!

John Fenderson (profile) says:

Re: Re: Re: Re:

I don’t know how the ID numbers used in the X-UIDH headers are computed, but it’s a reasonable bet that it’s either an encrypted data blob or includes some sort of data integrity check encoded into it. Unless you know how to replicate that, then made-up numbers would be easily detected and rejected before they get anywhere near a database. If X-UIDH tracking was implemented correctly, this checking is already taking place.

Anonymous Coward says:

Most of the time, I refuse to stay at a site that requires NoScript to temporarily allow to see the contents. If that is required, you can bet it is a datamining point. Likewise anything I can do to prevent datamining and ad presentation is blocked. I also run it through a VPN. I doubt all that will prevent datamining but it will slow a lot of it down.

I am not asked if I want to opt out. Giving a cookie to opt out is meaningless as soon as you clear the cookies for those that won’t pay attention to your desires to not be datamined. Most folks don’t realize you can whitelist cookies till it’s too late and it’s gone.

I’m totally fed up with all this spying, datamining, and trying to force ads on you.

Anybody says:

Hacking

Come on Anonymous, when are you going to hack into their system and destroy them? Let’s get their super secret secrets out in the open, and force them to stop things like this and actually protect their customers. Nobody in their right mind would give their ISP the right to manipulate body in their right mind would believe any of their lies, but sadly it takes real people breaking into their system and producing the evidence to encourage consumers to believe how evil they really are.

John Fenderson (profile) says:

Re: Re:

A VPN or HTTPS is sufficient. Also, these headers are only inserted when you’re browsing over the cell network, not when you’re using a WiFi or wired connection. So you could just avoid using your phone’s browser when you’re using the cell network for your internet service.

The firewall I use on my Android phone (DroidWall) makes this easy to enforce, as you can easily set it up so that specific applications are blocked from using the cell network but can use WiFi.

weneedhelp - NSI says:

Re: Re: Re:

We have recently locked down our work internet to the point of being useless. I have been tethering my phone to my personal laptop. Still… there is an attraction to a read-only OS. At least when I reboot a ThinClient or LiveCD I know it’s back to a clean state. Most of the time. 🙂

Thanks for the DroidWall info I will definitely check it out.

Anonymous Coward says:

Want to really REALLY fuck with advertisers? let them have their way with tracking cookies, but use one of the myriad of services that let you visit thousands and thousands of random websites very quickly.

What this does is screw up utterly any chance the advertisers have of targeting actual customers, as everyone appears to have completely random and arbitrary tastes and everyone they ever meet appears to have visited X and Y sites….

There are android, PC and Mac apps to do just this thing.

It completely renders null and void ALL tracking for advertising purposes by submerging your actual traffic in a vast cesspool of gibberish.

arcticlynx says:

FCC, where are you?

If the FCC wants to regulate something, this would be worthy of that. They should stop this in its tracks. Could a hacker get ahold of this and figure a way to use this against us? Could businesses use it to discriminate? When people go on the internet they quite often don’t want people stalking them wherever they go. A little bit of privacy is nice from time to time.
