Turn Temporarily Pauses Their Use Of Verizon's Sneaky 'Zombie' Cookie

from the we-love-privacy-so-much-we're-killing-it dept

Last week we noted how an ad clearinghouse company by the name of Turn was found to be abusing Verizon’s sneaky new stealth cookie, just a few months after Verizon claimed their new technology couldn’t be abused by third parties. Verizon’s basically modifying wireless user traffic streams and injecting a unique identifier traffic header, or UIDH. This header allows Verizon (and any third-party website that uses it) to track, collect and broadcast your online behaviors regardless of browser settings, and while Verizon’s opt-out preferences opt you out of behavioral ads, they don’t stop Verizon from fiddling with your traffic.

A great investigation by ProPublica found that Turn had been using Verizon’s header for some time to re-enable cookie tracking, and that Turn’s opt-out functionality didn’t work either (despite repeated claims that it did). Turn initially penned a blog post that tried to downplay the story by claiming it was “disappointed” in ProPublica for failing to “educate the public.” With that clearly not working, Turn has now posted a second blog entry that states it’s suspending the program for “re-evaluation.” As with so many PR responses, Turn just can’t help itself when it comes to insisting this is still largely a matter of ProPublica being misleading and the public being confused:

“We appreciate the opportunity that Ms. Angwin provided us to discuss the method prior to publishing her and Mr. Migas’s story. While we were disappointed with certain inaccuracies in the story and missed opportunities to further educate the public, we value the work that ProPublica is doing to bring attention to the broad issues of data privacy. Had Mr. Mayer offered us the same opportunity, we could also have helped to address some of the inaccuracies and misconceptions evident in his piece. I’m a strong believer in the power of direct dialogue and I have reached out to Mr. Mayer so that it can begin.”

In other words, we’re so in love with consumer privacy we’ve been helping pioneer a technology that helps make consumer privacy choices entirely moot! Verizon meanwhile continues to happily modify user traffic, and when the company can be bothered to address concerns about the program, it largely tries to lay the blame at the foot of other companies for using Verizon’s technology. Verizon’s program FAQ, for example, implies that everything would be fine if companies would just use Verizon’s UIDH header as it intended:

“Recent news reports have raised concerns about how TURN is using the UIDH for purposes outside of Verizon’s advertising programs. TURN has announced its intent to discontinue this practice and we will work with other partners to ensure that their use of UIDHs is consistent with the purposes we intended.”

Of course Turn is just one company, and since the UIDH is broadcast to every site and service a Verizon Wireless user visits, there will soon be a large number of other companies (many impervious to public outrage) joining the party. The EFF continues to urge Verizon to shutter the program, and Verizon pretty clearly continues to not give a damn.

Companies: turn, verizon


Comments on “Turn Temporarily Pauses Their Use Of Verizon's Sneaky 'Zombie' Cookie”

Zonker says:

Re: Re:

Verizon: “I want to sneak this zombie cookie past users of our internet service.”
DM: “Make a stealth check.”
Verizon: Rolls a 1 – critical failure.
DM: “You fail. ProPublica discovers the cookie and announces its presence to the world. That is the end of the round. Next turn.”
Turn: “Yes!”
DM: “Dammit, you named yourself Turn just to mess with us, didn’t you?”
Turn: “Absolutely!”
DM: “Well, it’s Turn’s turn anyway. So what are you going to do?”
Turn: “I’m going to cast… Turn Undead! Teeheehee!”
DM: “Groan! That joke was old the first time you used it, Turn. OK, roll to see if you succeed.”
Turn: Rolls a 1 – critical failure.
DM: “Your attempt to turn the zombie cookie fails. The public knows and mocks you for it.”
Turn: “That’s OK, I was really doing it for their safety. Not to dominate them or anything.”
DM: “Roll your bluff check.”
Turn: “But, I’m not bluffing!”
DM: “Yes you are. I’m not an idiot. You do this all the time, griefer.”
Turn: sigh “Very well…”

Anonymous Coward says:

Re: Re: Re:

Thank you, Sir Zonker. Puns and wordplay (even — nay, especially — the most obvious and painful) must be recognized and invoked, lest they fester and grow too powerful in the dark recesses of our minds. I was not up to the task, unable to muster a single comment that didn’t make overly clumsy use of the word “cleric.” You sir, have saved us all.

John Fenderson (profile) says:

What irritates me about Turn's response

They did it in their first blog post and again in the new one, talking about opting out:

That choice can be made via our website, or via industry tools like the NAI or the DAA opt-out pages, including eDAA and DAA Canada.

They say this as if that’s actually a reasonable solution that resolves any issues for people who don’t want to be spied on. It does not. The industry tools to opt-out are wholly inadequate, and intentionally so. To point to them as if it were some sort of validation is disingenuous.

Almost as disingenuous as implying that if everyone were just “educated” then nobody would have a problem with what they were doing.

Edward Teach says:

X-UIDH Firefox plugin?

Does a firefox plug-in exist that inserts randomly-generated X-UIDH headers into outgoing HTTP requests? Given that we don’t know which corporate entities look for and use X-UIDH headers, if everyone generated them randomly, all of the “cookies” would be useless.

I’m beginning to think that’s the way to deal with all problems of this nature. If we all listened all the way through for “Rachel from Cardholder Services” to finish her spiel, and then pressed 1 and waited for a “service” rep, and then led that service rep on for a while, maybe while making rude noises, all phone spam would be useless. Similarly, if all accused people held out for a jury trial, we’d see some legal reform pronto. Everyone who’s capable should run SMTP or HTTP or WordPress or Joomla honeypots, so that all petty cybercriminals would get bogged down in false hacking attempts.

John Fenderson (profile) says:

Re: X-UIDH Firefox plugin?

“Everyone who’s capable should run SMTP or HTTP or WordPress or Joomla honeypots, so that all petty cybercriminals would get bogged down in false hacking attempts.”

This is actually a pretty common thing already.

As a side-note, I did something a bit similar to this when I used to run a reasonably popular website: I included honeypot email addresses that weren’t visible to actual users but were visible to bots. When email got sent to any of the honeypot addresses, it was guaranteed to be spam and was used to refine my spam filters.

Anonymous Coward says:

Re: X-UIDH Firefox plugin?

There are quite a few descriptions of the UIDH system out there (although a lot of discussion focuses on how orgs like Turn abuse it, rather than Verizon’s injection of it), but one thing still confuses me. Since Verizon inserts the X-UIDH header downstream, does it simply overwrite a pre-existing X-UIDH since such a header would almost certainly have been added by the user as a dummy value?

If it doesn’t overwrite or validate an already-present UIDH, sending a fake one would be trivial with plugins (or better, a localhost proxy so that all apps making http requests would be taken care of at once).

Honestly, the patent https://www.google.com/patents/US8763101 almost certainly answers this question… but I can’t bring myself to muddle through the 90% of it that is nothing but legal ambiguity and obfuscation. Hell, I’m surprised there aren’t any references to “reversing the polarity to generate a tachyon field.”

[more...] says:

Re: Re: X-UIDH Firefox plugin?

Well, poisoning the well with spoofed UIDHs sent via non-Verizon connections will help. Actual Verizon connections, though, aren’t that easy.

I finally decided to crank up a hotspot on a Verizon phone and connect thru it. Started up Fiddler and made a request for a page that spits back the request headers. Verizon had added an X-UIDH. OK. I built an identical request, but with an X-UIDH: header added in with a value of “gibberish”. It didn’t make it. The destination page response showed my X-UIDH: as “MTkxNzE2ODc…,” same as the original request. Same results using variations on a theme.
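The measurement the commenter above describes (request a page that echoes the request headers it received, note whether X-UIDH shows up, then resend with a value you chose and see whether it survives) can be turned into a small, repeatable check. The following is an added example, not code from the article or from any commenter; it assumes an httpbin-style echo endpoint that returns a JSON body with a "headers" object, and every header value in it is constructed. The network call is isolated behind a fetch callable, so the classification logic runs offline on the constructed responses and can be pointed at a real echo endpoint with the urllib helper when needed.

```python
"""Detect whether an upstream hop injects or rewrites a tracking header.

Added example (not the article's or any commenter's code). Two requests are
compared against what the echo endpoint actually received:
  1. a bare request: does a header appear that we never sent?
  2. a request carrying a canary value: does our value arrive unchanged?
The header name X-UIDH comes from the article; all values are constructed.
"""
import json
import urllib.request
from typing import Callable, Dict, Optional

TRACKING_HEADER = "X-UIDH"

# Constructed echo responses (httpbin-style JSON); not real carrier output.
SAMPLE_ECHO_OVERWRITTEN = json.dumps(
    {"headers": {"Host": "example.invalid", "X-Uidh": "CONSTRUCTED_CARRIER_VALUE=="}}
)


def echoed_headers(body: str) -> Dict[str, str]:
    """Parse an echo endpoint's JSON body into a lower-cased header map."""
    data = json.loads(body)
    return {k.lower(): v for k, v in data.get("headers", {}).items()}


def classify(sent: Optional[str], echoed: Dict[str, str]) -> str:
    """Compare the value we sent with the value the server actually saw.

    Returns one of:
      'absent'      - nothing sent, nothing arrived: no injection observed
      'injected'    - nothing sent, but the server received a value
      'overwritten' - we sent a value and a different one arrived
      'passthrough' - our value arrived unchanged
      'stripped'    - we sent a value and none arrived
    """
    seen = echoed.get(TRACKING_HEADER.lower())
    if sent is None:
        return "absent" if seen is None else "injected"
    if seen is None:
        return "stripped"
    return "passthrough" if seen == sent else "overwritten"


def probe(fetch: Callable[[Dict[str, str]], str],
          canary: str = "canary-value") -> Dict[str, str]:
    """Run both halves of the test through the supplied fetch callable."""
    baseline = classify(None, echoed_headers(fetch({})))
    with_canary = classify(canary, echoed_headers(fetch({TRACKING_HEADER: canary})))
    return {"baseline": baseline, "canary": with_canary}


def urllib_fetch(echo_url: str) -> Callable[[Dict[str, str]], str]:
    """Build a real fetch callable for an echo endpoint (assumed URL; not used
    by the offline demonstration below)."""
    def fetch(headers: Dict[str, str]) -> str:
        req = urllib.request.Request(echo_url, headers=headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8")
    return fetch


def fake_carrier_fetch(headers: Dict[str, str]) -> str:
    """Constructed stand-in for a path where an upstream hop replaces X-UIDH
    regardless of what the client sent (the behaviour described above)."""
    return SAMPLE_ECHO_OVERWRITTEN


def fake_clean_fetch(headers: Dict[str, str]) -> str:
    """Constructed stand-in for a clean path: headers arrive unchanged."""
    echoed = {"Host": "example.invalid"}
    echoed.update(headers)
    return json.dumps({"headers": echoed})


if __name__ == "__main__":
    print("injecting path:", probe(fake_carrier_fetch))
    print("clean path:    ", probe(fake_clean_fetch))
```

Read the two results together: "injected" on the bare request plus "overwritten" on the canary request is the signature of a hop that both adds the header and discards any client-supplied value, which is what the commenter reports seeing; "absent" plus "passthrough" means the path between you and the echo endpoint is not touching that header. Run the probe separately over the mobile connection and over a connection you trust, since a value that is "absent" on one path tells you nothing about the other.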
