Turn Temporarily Pauses Their Use Of Verizon's Sneaky 'Zombie' Cookie
from the we-love-privacy-so-much-we're-killing-it dept
Last week we noted how an ad clearinghouse company by the name of Turn was found to be abusing Verizon’s sneaky new stealth cookie, just a few months after Verizon claimed their new technology couldn’t be abused by third parties. Verizon’s basically modifying wireless user traffic streams and injecting a unique identifier traffic header, or UIDH. This header allows Verizon (and any third-party website that uses it) to track, collect and broadcast your online behaviors regardless of browser settings, and while Verizon’s opt-out preferences opt you out of behavioral ads, they don’t stop Verizon from fiddling with your traffic.
A great investigation by ProPublica found that Turn had been using Verizon’s header for some time to re-enable cookie tracking, and that Turn’s opt-out functionality didn’t work either (despite repeated claims that it did). Turn initially penned a blog post that tried to downplay the story by claiming it was “disappointed” in ProPublica for failing to “educate the public.” With that clearly not working, Turn has now posted a second blog entry that states it’s suspending the program for “re-evaluation.” As with so many PR responses, Turn just can’t help itself when it comes to insisting this is still largely a matter of ProPublica being misleading and the public being confused:
“We appreciate the opportunity that Ms. Angwin provided us to discuss the method prior to publishing her and Mr. Migas?s story. While we were disappointed with certain inaccuracies in the story and missed opportunities to further educate the public, we value the work that ProPublica is doing to bring attention to the broad issues of data privacy. Had Mr. Mayer offered us the same opportunity, we could also have helped to address some of the inaccuracies and misconceptions evident in his piece. I?m a strong believer in the power of direct dialogue and I have reached out to Mr. Mayer so that it can begin.”
In other words, we’re so in love with consumer privacy we’ve been helping pioneer a technology that helps make consumer privacy choices entirely moot! Verizon meanwhile continues to happily modify user traffic, and when the company can be bothered to address concerns about the program, it largely tries to lay the blame at the foot of other companies for using Verizon’s technology. Verizon’s program FAQ, for example, implies that everything would be fine if companies would just use Verizon’s UIDH header as it intended:
“Recent news reports have raised concerns about how TURN is using the UIDH for purposes outside of Verizon’s advertising programs. TURN has announced its intent to discontinue this practice and we will work with other partners to ensure that their use of UIDHs is consistent with the purposes we intended.”
Of course Turn is just one company, and since the UIDH is broadcast to every site and service a Verizon Wireless user visits, there will soon be a large number of other companies (many impervious to public outrage) joining the party. The EFF continues to urge Verizon to shutter the program, and Verizon pretty clearly continues to not give a damn.
Filed Under: privacy, zombie cookie
Companies: turn, verizon
Comments on “Turn Temporarily Pauses Their Use Of Verizon's Sneaky 'Zombie' Cookie”
Evidently Title II can’t come soon enough.
Since this is all something that happens on their servers, how do we know that they’ve truly discontinued the practice? How would Verizon, for that matter?
Let’s see if I understand this correctly …
Had ProPublica properly “educated” the public then their abuse of the Verizon’s UIDH would not have been exposed and Turn would still be turning a profit by spying upon Verizon users. I’m surprised they have not claimed this to be felony interference with a business model.
Please publish the UIDH for all your executives and board members. Thanks in advance.
To better nsa you with
I believe them
Turn CLAIMS TO temporarily pause their use of Verizon’s Zombie cookie.
Note also that Verizon is doubtless being paid to provide this zombie cookie and has a profit motive to keep it functioning.
Re: I believe them
Which is why everyone involved should be fired and jailed for stalking, harrassment and illegal wiretapping.
What's their motto?
A Turn for the worse.
Somebody’d better make a D&D joke soon.
Verizon: “I want to sneak this zombie cookie past users of our internet service.”
DM: “Make a stealth check.”
Verizon: Rolls a 1 – critical failure.
DM: “You fail. ProPublica discovers the cookie and announces its presence to the world. That is the end of the round. Next turn.”
DM: “Dammit, you named yourself Turn just to mess with us, didn’t you?”
DM: “Well, it’s Turn’s turn anyway. So what are you going to do?”
Turn: “I’m going to cast… Turn Undead! Teeheehee!”
DM: “Groan! That joke was old the first time you used it, Turn. OK, roll to see if you succeed.”
Turn: Rolls a 1 – critical failure.
DM: “Your attempt to turn the zombie cookie fails. The public knows and mocks you for it.”
Turn: “That’s OK, I was really doing it for their safety. Not to dominate them or anything.”
DM: “Roll your bluff check.”
Turn: “But, I’m not bluffing!”
DM: “Yes you are. I’m not an idiot. You do this all the time, griefer.”
Turn: sigh “Very well…”
Re: Re: Re:
Thank you, Sir Zonker. Puns and wordplay (even — nay, especially — the most obvious and painful) must be recognized and invoked, lest they fester and grow too powerful in the dark recesses of our minds. I was not up to the task, unable to muster a single comment that didn’t make overly clumsy use of the word “cleric.” You sir, have saved us all.
How many times does it need to be said?
If it can be abused, it WILL be abused.
What irritates me about Turn's response
They did it in their first blog post and again in the new one, talking about opting out:
They say this as if that’s actually a reasonable solution that resolves any issues for people who don’t want to be spied on. It does not. The industry tools to opt-out are wholly inadequate, and intentionally so. To point to them as if it were some sort of validation is disingenuous.
Almost as disingenuous as implying that if everyone were just “educated” then nobody would have a problem with what they were doing.
X-UIDH Firefox plugin?
Does a firefox plug-in exist that inserts randomly-generated X-UIDH headers into outgoing HTTP requests? Given that we don’t know which corporate entities look for and use X-UIDH headers, if everyone generated them randomly, all of the “cookies” would be useless.
I’m beginning to think that’s the way to deal with all problems of this nature. If we all listen all the way through for “Rachel from Carholder Services” to finish her spiel, and then pressed 1 and waited for a “service” rep, and then led that service rep on for a while, maybe while making rude noises, all phone spam would be useless. Similarly, if all accused people held out for a jury trial, we’d see some legal reform pronto. Everyone who’s capable should run SMTP or HTTP or WordPress or Joomla honeypots, so that all petty cybercriminals would get bogged down in false hacking attempts.
Re: X-UIDH Firefox plugin?
“Everyone who’s capable should run SMTP or HTTP or WordPress or Joomla honeypots, so that all petty cybercriminals would get bogged down in false hacking attempts.”
This is actually a pretty common thing already.
As a side-note, I did something a bit similar to this when I used to run a reasonably popular website: I included honeypot email addresses that weren’t visible to actual users but were visible to bots. When email got sent to any of the honeypot addresses, it was guaranteed to be spam and was used to refine my spam filters.
Re: X-UIDH Firefox plugin?
There are quite a few descriptions of the UIDH system out there (although a lot of discussion focuses on how orgs like Turn abuse it, rather than Verizon’s injection of it), but one thing still confuses me. Since Verizon inserts the X-UIDH header downstream, does it simply overwrite a pre-existing X-UIDH since such a header would almost certainly have been added by the user as a dummy value?
If it doesn’t overwrite or validate an already-present UIDH, sending a fake one would be trivial with plugins (or better, a localhost proxy so that all apps making http requests would be taken care of at once).
Honestly, the patent https://www.google.com/patents/US8763101 almost certainly answers this question… but I can’t bring myself to muddle through the 90% of it that is nothing but legal ambiguity and obfuscation. Hell, I’m surprised there aren’t any references to “reversing the polarity to generate a tachyon field.”
Re: Re: X-UIDH Firefox plugin?
Well, poisoning the well with spoofed UIDHs sent via non-Verizon connections will help. Actual Verizon connections, though, aren’t that easy.
I finally decided to crank up a hotspot on a Verizon phone and connect thru it. Started up Fiddler and made a request for a page that spits back the request headers. Verizon had added an X-UIDH. OK. I built an identical request, but with an X-UIDH: header added in with a value of “gibberish”. It didn’t make it. The destination page response showed my X-UIDH: as “MTkxNzE2ODc…,” same as the original request. Same results using variations on a theme.