Verizon May Soon Get to Enjoy a Lawsuit Over Its Sneaky Use of Perma-Cookies

from the privacy-schmivacy dept

Over the last few years, Verizon has been ramping up its behavioral tracking efforts via programs like Verizon Selects and its Relevant Mobile Ad system, which track wireless and wireline subscriber web behavior to deliver tailored ads and sell your information to third parties. Unknown until a few weeks ago, however, was that as part of this initiative Verizon had started using what many are calling "stealth," "super" or "perma" cookies: identifiers that track a user's online behavior covertly and that users can't disable via browser settings, because they aren't browser cookies at all but identifiers the network itself attaches to your traffic.

Lawyer and Stanford computer scientist Jonathan Mayer offered up an excellent analysis noting that Verizon was actively modifying its users' traffic to inject a unique identifier into an HTTP request header, X-UIDH. This header can then be read by marketing partners (or, since it's stamped on every unencrypted HTTP request you send, by any site you visit over plain HTTP), who can then build a handy profile of you. It's a rather ham-fisted approach, argues Mayer, who notes that while you can opt out of Verizon selling your data, you can't opt out of having your traffic stamped with the unique identifier. He also offered up a handy graphic detailing precisely how these headers work:

As the story grew over the last few weeks, ProPublica noted that Twitter's mobile advertising arm is already one of several clients using Verizon's "header enrichment" system, though Twitter didn't much want to talk about it. Several tools like this one have popped up since, allowing users to test their wireless connections. Note that the check only works while your device is on the cellular network, since the header is added inside the carrier's network: it won't show up over Wi-Fi, and it may be masked when pages are fetched through a proxying browser such as Chrome's mobile data-compression mode or Opera Mini, or when viewed through apps like Flipboard, because the request that reaches the test site then comes from the proxy rather than from your phone's cellular connection.
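The self-test pages mentioned above work by echoing back the request headers that actually reach the server, which is where an injected identifier becomes visible. The following Python is an added example, not code from the article or from any of the linked tools: it parses a raw HTTP/1.1 request, reports any tracking header it carries (X-UIDH is the only name the page documents; the set is a parameter), models the carrier's enrichment step so the check can be exercised offline, and wraps the check in a minimal WSGI app you can host behind a plain-HTTP URL. The sample request and TLS bytes are constructed; the enrichment model passing TLS bytes through untouched reflects the fact that the carrier can only rewrite traffic it can read.

```python
"""Detect, and reproduce for testing, carrier header enrichment on plain HTTP.

Constructed example, not code from the article or from the test tools it
links. Assumes HTTP/1.1 requests with CRLF line endings and the X-UIDH header
name documented on the page; the sample request and TLS bytes below are
constructed, not captured traffic.
"""
from __future__ import annotations

# Header names known to carry a network-injected identifier. X-UIDH is the one
# the article documents; add others to this set as you learn them.
TRACKING_HEADERS = frozenset({"x-uidh"})


def parse_request(raw: bytes):
    """Return (request_line, [(name, value), ...]) or None if `raw` is not a
    plain HTTP request. Only the header block is parsed; the body is ignored."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    try:
        request_line = lines[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = []
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon:
            return None
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def find_tracking_headers(raw: bytes, names=TRACKING_HEADERS) -> dict:
    """Server-side self-test: which tracking headers arrived with this request?"""
    parsed = parse_request(raw)
    if parsed is None:
        return {}
    return {name: value for name, value in parsed[1] if name in names}


def enrich_request(raw: bytes, uid: str, name: str = "X-UIDH") -> bytes:
    """Model of the carrier's enrichment box: append the identifier header to a
    plain HTTP request. Bytes that do not parse as HTTP (a TLS record, for
    instance) pass through untouched, which is why HTTPS traffic is not stamped."""
    if parse_request(raw) is None:
        return raw
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head + f"\r\n{name}: {uid}".encode("ascii") + sep + body


def wsgi_self_test(environ, start_response):
    """Minimal WSGI app in the spirit of the 'am I being tracked?' pages: visit
    it over plain HTTP from the cellular network (not Wi-Fi) and it reports any
    tracking header the carrier attached. WSGI exposes headers as HTTP_X_UIDH."""
    found = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            name = key[5:].replace("_", "-").lower()
            if name in TRACKING_HEADERS:
                found[name] = value
    report = ", ".join(f"{k}={v}" for k, v in sorted(found.items())) or "none"
    body = f"tracking headers seen: {report}".encode("ascii")
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


# Constructed samples: a clean request as the phone sends it, and the first
# bytes of a TLS handshake record (content type 0x16, version 3.1).
SAMPLE_REQUEST = (b"GET /check HTTP/1.1\r\nHost: example.test\r\n"
                  b"User-Agent: constructed-sample/1.0\r\n\r\n")
SAMPLE_TLS_RECORD = bytes.fromhex("160301")

if __name__ == "__main__":
    stamped = enrich_request(SAMPLE_REQUEST, "constructed-uid-1")
    print(find_tracking_headers(SAMPLE_REQUEST))   # {}
    print(find_tracking_headers(stamped))          # {'x-uidh': 'constructed-uid-1'}
    print(enrich_request(SAMPLE_TLS_RECORD, "x") == SAMPLE_TLS_RECORD)  # True
```

Host the WSGI app on a plain http:// URL with any WSGI server and load it from the phone on cellular data with Wi-Fi off; if X-UIDH shows up in the response, the carrier is stamping your traffic. Loading the same app over https:// is a useful control, since the header should never appear there.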

Kashmir Hill at Forbes also has a great article exploring the ramifications of the system and asked Verizon and AT&T (which has started trials of a similar system) what consumer protections are in place. Both companies proclaimed that the characters in their headers are rotated on a weekly and daily basis to protect user information. But as we've noted time and time again, there's really no such thing as an anonymized data set, and security consultant Ken White argues that only part of the data in the headers is modified, if at all:
"White has been tracked for the past 6 days across 550 miles with a persistent code from both Verizon and AT&T. He has a smartphone with Verizon service and a hotspot with AT&T service. In AT&T’s case, the code has four parts; only one part changes, he says. “It’s like if you were identified by a birth month, a birth year, a birth day, and a zip code, and they remove one of those things,” said White. You’d still be able to reasonably track that person with the other three. Verizon’s code meanwhile hasn’t changed for him, and it’s been almost a week."
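White's birth-date analogy is a quasi-identifier argument: removing one part of a compound identifier does little if the remaining parts are still unique per device. The Python below is an added example with constructed data, not code or measurements from the article, Forbes or Ken White. It assumes a four-part dot-separated identifier with one part rotating daily, mirroring the quote; it finds which positions stay constant across each device's own observations, then shows that an ad network seeing only an unlabelled stream of values can join on those positions and recover one track per device, and finally measures what fraction of a population stays uniquely identifiable. The same functions handle the never-rotating single-value case and the fully rotating case, where linking collapses.

```python
"""Measure how much of a 'rotated' tracking identifier actually stays constant,
and show that the constant part is enough to link traffic back to one device.

Constructed example, not code or data from the article, Forbes or Ken White.
The identifier format (four dot-separated parts, one of which rotates daily)
and the device logs below are assumptions chosen to mirror the quote; real
header values would need a splitter matching the carrier's actual format.
"""
from __future__ import annotations


def stable_positions(per_device: dict, delimiter: str = ".") -> list:
    """Positions whose value never changes within any single device's log.
    This is what a researcher with a few of their own devices can measure."""
    stable = None
    width = None
    for values in per_device.values():
        rows = [v.split(delimiter) for v in values]
        if width is None:
            width = len(rows[0])
            stable = set(range(width))
        if any(len(r) != width for r in rows):
            raise ValueError("inconsistent number of parts")
        for i in list(stable):
            if len({r[i] for r in rows}) != 1:
                stable.discard(i)
    return sorted(stable or [])


def link_stream(stream: list, positions: list, delimiter: str = ".") -> dict:
    """What an ad network sees: an unlabelled stream of (day, header value).
    Joining on the stable positions reassembles one track per device even
    though the full value changes every day."""
    tracks = {}
    for day, value in stream:
        parts = value.split(delimiter)
        key = delimiter.join(parts[i] for i in positions)
        tracks.setdefault(key, []).append(day)
    return tracks


def reidentification_rate(per_device: dict, positions: list,
                          delimiter: str = ".") -> float:
    """Fraction of devices whose stable part is unique in this population,
    i.e. the share that stays individually trackable after 'rotation'."""
    keys = {}
    for device, values in per_device.items():
        parts = values[0].split(delimiter)
        keys[device] = delimiter.join(parts[i] for i in positions)
    counts = {}
    for k in keys.values():
        counts[k] = counts.get(k, 0) + 1
    unique = sum(1 for k in keys.values() if counts[k] == 1)
    return unique / len(keys)


# Constructed logs: three devices over three days. Parts 0-2 are fixed per
# device (phone-A and phone-C deliberately share part 0), part 3 rotates daily.
DEVICES = {
    "phone-A":   ["aa11.bb22.cc33.d1", "aa11.bb22.cc33.d2", "aa11.bb22.cc33.d3"],
    "hotspot-B": ["ee44.ff55.gg66.d1", "ee44.ff55.gg66.d2", "ee44.ff55.gg66.d3"],
    "phone-C":   ["aa11.hh77.ii88.d1", "aa11.hh77.ii88.d2", "aa11.hh77.ii88.d3"],
}
# The same observations as an ad network would receive them: unlabelled.
STREAM = [(day, values[day - 1]) for day in (1, 2, 3) for values in DEVICES.values()]

if __name__ == "__main__":
    pos = stable_positions(DEVICES)
    print("stable positions:", pos)                                      # [0, 1, 2]
    print("tracks:", link_stream(STREAM, pos))                          # 3 tracks, days [1, 2, 3]
    print("re-identifiable:", reidentification_rate(DEVICES, pos))      # 1.0
    print("if only part 0 survived:", reidentification_rate(DEVICES, [0]))  # 0.33...
```

With three of four parts fixed, every device in the constructed population is still uniquely trackable across the whole window, which is the point White makes; rotation only starts to protect anyone once the surviving parts are shared by many devices.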
Amusingly, I remember back in 2008 when concerns about deep packet inspection and behavioral ads were heating up, Verizon declared there really wasn't any need for consumer protections or privacy rules governing such technologies, because, the company claimed, public shame and the oodles of competition in the broadband space would somehow keep them honest:
"A couple of years back during the debate on net neutrality, I made the argument that industry leadership through some form of oversight/self-regulatory model, coupled with competition and the extensive oversight provided by literally hundreds of thousands of sophisticated online users would help ensure effective enforcement of good practices and protect consumers."
Yet here we have an example where the behavior Verizon was engaged in was so surreptitious, even some of the best networking and security experts in the business didn't notice Verizon was doing it until two years after the effort was launched. Apparently, holding Verizon accountable is going to take a little more than a public scolding in the town square. The EFF has stated they're taking a look at possible legal action against Verizon for violating consumer privacy law.

Reader Comments

  • Anonymous Coward, 7 Nov 2014 @ 8:07am

    We need TLS everywhere

    TLS guarantees the end-to-end principle. What I send is what the server receives, no more, no less. What the server sends is what I receive, no more, no less.

    • Gumnos (profile), 7 Nov 2014 @ 8:17am

      Re: We need TLS everywhere

    • Cdaragorn (profile), 7 Nov 2014 @ 8:32am

      Re: We need TLS everywhere

      TLS cannot guarantee that. It can only guarantee that nothing in your message will be altered.

      Verizon is using a man-in-the-middle attack here, and all they are doing is adding to your message. TLS has no control over that.

      Think of it as if you sent a letter, then the mail man wrote a message and put your letter and their message into a new envelope and mailed that. There's nothing you can do to stop it.

      • elemecca (profile), 9 Nov 2014 @ 4:25am

        Re: Re: We need TLS everywhere

        That's... just not true, at least for a properly set up TLS connection. They can't add to, remove from, or change anything that goes over a TLS channel in a way that either party will accept without knowing the session key. It doesn't just guarantee that nothing in a particular HTTP request will be altered, as you seem to imply. It guarantees that nothing sent over the TLS connection will be altered. Even were that not true, the header would need to be inserted into the middle of the user's HTTP request and would thus require alteration of the message itself.

        If Verizon has a CA cert that's trusted by mobile browsers they could be MITM-ing the TLS negotiation. That's even plausible for phones distributed by Verizon. If that were the case, though, it'd be called out by the researchers who've been reporting on this. We'd also see calls for it to be removed from the trust roots.

        Gumnos' concerns about TLS-stripping attacks are much more likely to be valid, although the particular case mentioned probably wasn't malicious.

    • Jack Sprat, 7 Nov 2014 @ 8:32pm

      Re: We need TLS everywhere

  • Pixelation, 7 Nov 2014 @ 8:07am

    Hope they get screwed

    It will be interesting to see just how far they will be able to go in invading our privacy.

    • Anonymous Coward, 7 Nov 2014 @ 8:48am

      Re: Hope they get screwed

      They didn't invade your privacy, you did read the T&C didn't you?

      You're quite free to choose another provider or to not use the internet, after all.

      The concept of (unfettered) internet access as a human right suddenly starts to sound attractive instead of flaky.

      • John Fenderson (profile), 7 Nov 2014 @ 9:10am

        Re: Re: Hope they get screwed

        Just because the behavior is allowed in the ToS doesn't mean it isn't an invasion of privacy.

        • Anonymous Coward, 7 Nov 2014 @ 9:39am

          Re: Re: Re: Hope they get screwed

          If you agree to be invaded have you been invaded?

          Is your privacy somehow a different entity from you such that you cannot consent or agree to have your privacy invaded?

          Questions, questions.

          • John Fenderson (profile), 7 Nov 2014 @ 10:03am

            Re: Re: Re: Re: Hope they get screwed

            "If you agree to be invaded have you been invaded?"

            I disagree with the assumption that because something is in the ToS, you have agreed to it. I know that it's true legally, but practically it's almost never the case.

            "Is your privacy somehow a different entity from you such that you cannot consent or agree to have your privacy invaded?"

            That's an oddly worded question. Of course you can agree to have your privacy invaded. But just because you agree to it doesn't magically stop it from being an invasion of privacy.

        • Anonymous Coward, 7 Nov 2014 @ 2:24pm

          Re: Re: Re: Hope they get screwed

          "Just because the behavior is allowed in the ToS doesn't mean it isn't an invasion of privacy."

          Also, it may not be legal/enforceable even if it's in the ToS.

      • Anonymous Coward, 7 Nov 2014 @ 12:38pm

        Re: Re: Hope they get screwed

        "They didn't invade your privacy, you did read the T&C didn't you?"

        "Consent" means nothing if it is not appropriately informed. The fact that no one knew about this illustrates that there was no informed consent.

        "You're quite free to choose another provider or to not use the internet, after all."

        Isn't there some sort of state-imposed monopoly on these services? Meaningful participation in contemporary society necessitates use of the internet. Most of us are "free" not to use the internet in only the most technical sense, that is, not at all.

        Laws are not necessarily reasonable, ethical or legitimate. Current privacy and data protection laws are radically inadequate and require urgent reform. Thanks to lobby dollars / political donations (political bribes) from Google et al, combined with the toxic influence of the security state, this is unlikely to occur for years.

  • Anonymous Coward, 7 Nov 2014 @ 8:12am

    'you can't opt out of having your traffic' read.

    all Verizon and others need is to allow others to read where you have been and they will obviously get paid. what is so annoying about this is that it's your data that they are giving access to, for a fee, and you not only don't get asked, you don't get paid either!!

    • Liariasnoallowed, 7 Nov 2014 @ 8:43am

      Personal

      What if I want to send a love letter to my wife or girlfriend?

    • John Fenderson (profile), 7 Nov 2014 @ 8:47am

      Re:

      "you not only dont get asked, you dont get paid either!!"

      Getting paid wouldn't make the tracking any less objectionable.

    • Anonymous Coward, 7 Nov 2014 @ 11:36am

      Re:

      I agree customers should be asked if they want to opt in to this theft ring. The tolls have already been paid by the customer; this is double dipping, invasion of privacy, and like reading your mail before it hits the receiver's house. Any and all money should be passed on to the consumer for past interceptions of data.

  • Sheriff Fatman, 7 Nov 2014 @ 8:13am

    Bah, that's nothing. A couple of years back, the UK mobile-phone network O2 was caught injecting 3G users' phone numbers into HTTP requests.

  • beech, 7 Nov 2014 @ 8:14am

    Any fines leveled against Verizon will be less than the profit they made off selling this information, so Verizon will have incentive to find other sneaky ways to turn a profit.

    • Karl Bode (profile), 7 Nov 2014 @ 8:29am

      Re:

      Sadly you're right. They'll have made a billion long before getting a $50 million fine.

    • Charles (profile), 7 Nov 2014 @ 8:31am

      Re:

      I agree with you. But why are not fines greater than the profit from whatever shady practice is being investigated? Perhaps it is the too cozy relationship between the regulated and the regulators.

      • Anonymous Coward, 7 Nov 2014 @ 8:56am

        Re: Re:

        How do you determine what they made?

        I doubt Verizon is going to make it easy for you...

        • Anonymous Coward, 7 Nov 2014 @ 9:41am

          Re: Re: Re:

          Indeed, so forget the fines and file criminal charges. Our legal code is so byzantine there's almost no doubt they broke a number of laws doing this. All that's left is doing some research and taking them to court.

  • Cdaragorn (profile), 7 Nov 2014 @ 8:34am

    Classic Man in the Middle

    This is disgusting. This technique is well known as a man in the middle attack and should be prosecuted as such. The fact that they're your provider does not give them the freedom to alter your messages like this.

    • John Fenderson (profile), 7 Nov 2014 @ 8:48am

      Re: Classic Man in the Middle

      This is yet another area where Title II classification would help. If you're a common carrier, you aren't allowed to alter the communications that you're carrying.

      • derpwagon, 7 Nov 2014 @ 8:59am

        Re: Re: Classic Man in the Middle

        This isn't for wireline, it's wireless only (for now). Title II is only being considered for wireline. You'd need to get wireless included.

        So for now, Title II won't do anything.

    • Uriel-238 (profile), 7 Nov 2014 @ 10:00am

      Re: Classic Man in the Middle

      Why is it that when haxxorz do MITM attacks they get imprisoned for years and years for a CFAA violation but when a company does it, wotcha gonna do, eh?

  • radix (profile), 7 Nov 2014 @ 8:48am

    Uhh...

    You can either have targeted ads, semi-targeted ads, or generic ads.

    Nobody uses generic ads, since they're useless. There's really not even an offline equivalent. You always know something about your audience, even if it's as little as where they are when they see the ad.

    Semi-targeted ads are like a billboard, when you know the location it's being seen, or a TV spot where you have a good idea about the demographics of the viewing audience.

    Targeted ads are usually thought of as online, but any mailers you get from retailers you frequent are basically the same thing. Or coupons that print on your receipt at checkout. They know what you bought previously and will push similar products.

    Injecting identifiers, for the purpose of delivering advertising, is INHERENTLY targeting. Any attempt to claim it's not is a flat-out lie. And not even a good one. It's a three-year-old with ice cream all over his face telling you the dog did it.

    "Both companies proclaimed that the characters in their headers are rotated on a weekly and daily basis to protect user information."

    W. T. F.

    If a profile expired every day, or even every week, it would be WORTHLESS. The entire point of doing this is that it's trackable.

    Claiming otherwise doesn't take big brass balls, it takes a small withered brain.

  • Anonymous Coward, 7 Nov 2014 @ 8:48am

    Does this count toward overage/bandwidth?

    • Karl Bode (profile), 7 Nov 2014 @ 8:51am

      Re:

      This is just a string of text, so not much bandwidth is consumed. Ads in general though do erode your usage allotment. AT&T is experimenting with a system that will let advertisers and content companies pay them an additional premium for their content and ads NOT counting against the usage cap, however.

      • Anonymous Coward, 7 Nov 2014 @ 9:02am

        Re: Re:

        "This is just a string of text, so not much bandwidth is consumed."

        Is this excuse valid when it comes time to pay for overages? :)

        I understand that it is just a string of text, but depending on how they measure bandwidth, it could add up...

        • Karl Bode (profile), 7 Nov 2014 @ 9:51am

          Re: Re: Re:

          No, I imagine Verizon won't be sympathetic. :) They want you to reach your shared data cap limit any way possible and start incurring those $10-15 per GB overage fees.

        • Eldakka (profile), 9 Nov 2014 @ 4:48pm

          Re: Re: Re:

          The extra header(s) are inserted into the packet after it's left your phone and reached the telco. Therefore depending on where the actual metering of your data usage is done, it may not be included, as it may be inserted after it's already metered your packet.

          Of course, it may also be inserted before the metering, so it might be included...

  • Anonymous Coward, 7 Nov 2014 @ 8:50am

    Enjoy it Verizon! It's our pleasure. Want some more?

  • Anonymous Coward, 7 Nov 2014 @ 9:42am

    I cancelled my Verizon account the moment I confirmed this tracking. They apparently don't like being told this in person when they ask why you're leaving. I doubt I'm the first to state that as a reason for immediate termination of service (curious how many have left as a result of this discovery).

    They should be fined per customer whose privacy they violated and not just a flat rate of 50 million which is essentially nothing to them.

  • TDR, 7 Nov 2014 @ 10:17am

    Verizon should be forced to forfeit all their profits from this past fiscal year and have them evenly distributed amongst their victims/customers.

    • MAM, 7 Nov 2014 @ 2:19pm

      Re:

      Thanks, but no thanks. You are assuming that most of us care, and I can assure you we don't. I do not need, nor do I care, what Verizon does with this information. We have the right and ability to ignore ads. Your statement sounds like a Class Action attempt, which I believe is not allowed based on its T&C.

  • Mason Wheeler (profile), 7 Nov 2014 @ 10:45am

    Security consultant Ken White

    This is someone completely different from the Popehat guy, right?

  • Anonymous Coward, 7 Nov 2014 @ 11:02am

    why not just convert their sheep to a static IPv6 address and steal/sell the DNS and network activity?

    that would be much harder to detect, and work across apps (not sure if every single app uses the standard web api/rest/http protocol).

  • Claire Rand, 7 Nov 2014 @ 12:43pm

    phorm for this

    UK providers have phorm for trying this sort of rubbish as well. Would be nice to see _someone_ getting an actual punishment for it.

    Prosecution over here fell apart with "no criminal intent" decided after attempting a long grass exercise, as the alternative was hammering the former national phone carrier who got caught.

    Guess that encryption hurts this sort of thing, and the fact that certain agencies don't want people encrypting things may have something to do with it. Plus not wanting a court to rule that this sort of stealth stuff is illegal.

  • MedicalQuack, 7 Nov 2014 @ 2:01pm

    Poor old lonely blogger I am..

    I'm not really complaining but I found the Stanford write up and tweeted it to Kashmir at Forbes and then what do you know I see the same image I used in my original blog there too.

    Ok so I'm whining that nobody wants to recognize me (grin). I read your feeds here too and reference you in tweets and some blogs too.

    There's my original at the link...

    http://ducknetweb.blogspot.com/2014/10/verizon-wireless-packaging-and-selling.html

    But just for that though, here's a new page I made up on my privacy campaign and worth a look at the Congressional testimony video there too:)

    http://www.youcaring.com/other/help-preserve-our-privacy-/258776

    You can make it up by donating if you want..I'm just kidding and wiping the tear out of my eye:) I'm a former developer in healthcare, and don't write anymore but try to put some bottom line stuff out there when I can:)

  • Anonymous Coward, 7 Nov 2014 @ 2:47pm

    State Actor

    Remind me again why a private company is charging us for their services, then turning around and selling literally everything they can about our use of their service. When they give the government access to records that should be protected, we should be able to shut down that company, not have it protected by new unconstitutional laws. Neither company should be open for business, much less colluding with the letters to "fight" whatever the buzzword excuse of the day is.

  • Coyne Tibbets (profile), 7 Nov 2014 @ 10:55pm

    Delicious Lie

    "Both companies proclaimed that the characters in their headers are rotated on a weekly and daily basis to protect user information."

    These companies don't care about user information. Therefore, they don't do that rotation to protect the users: they do that because, if they didn't, the advertising company would build its own database of tracking codes. To prevent that the code is rotated, requiring the advertising company to make yet another paid request to learn the identity of the person.

    I'm sure Verizon was deliciously amused that this feature permitted them to lie that they were protecting "user information".

  • Anonymous Coward, 19 Nov 2014 @ 5:38am

    When you lie down with dogs, don't be surprised when you get up with fleas.

  • Anonymous Coward, 23 Jan 2015 @ 5:40pm

    Verizon is a cancerous bleeding sore. They give me the wrong 411 number, block emergency calls, block alarm contacts, screw with my emails. They block every attempt to contact someone with over 20 percent brain function and charge 300 percent to be a bag of shit.

  • Anonymous Coward, 8 Feb 2015 @ 8:45am

    my TLS connections via Verizon e-mail stopped working approx. November 2014. Now I know why. What a bunch of douchebags.

    Fortunately we have alternatives, and I will send more of my money to Google to encourage them to develop access here.

  • Robby, 18 Feb 2016 @ 10:15pm

    Alrighty then.

    These assholes are doing this shit to me. I encountered this exact header on CNN's website. They are selling my information no matter where I am. AOL, which is under their parent company Verizon, seems like a likely suspect. If this starts crossing further lines, which I'm constantly drawing and being lenient about, I am actually going to file a privacy lawsuit against the main asshole responsible for this. Either they back their nosy behinds the fuck up or I'm taking action on the main perpetrating asshole who is responsible for this. This privacy lawsuit would only target the individuals employed by this company and any other douchebags connected with this hostile intrusion, or the company itself. People better start shaping up and getting in line before this gets more serious. If you do not respect privacy then you will be sued. Cease and desist, people. This will be far reaching too. I'm going to put preliminary work in for this lawsuit. I received a call from my lawyer about this issue and I didn't respond back since I was giving people a second chance. But this is over. I am getting to the bottom of this with my lawyers and if they are reading this you will be sued. This is only going to target a few specific individuals who are responsible for this. And believe me, we have all the evidence for a lawsuit, which my parents helped me and my lawyers gather. This has gone on for too long and those who don't respect privacy are in over their heads.

    • Robby, 18 Feb 2016 @ 10:19pm

      Re: Alrighty then.

      These people should have thought harder about this. But this is it. I have reached a limit and it is not only affecting me but those close to me and trying their best to help me. It was dumb to think there wouldn't be a whistleblower at some point, but hey, I'm not the one wasting the time on this issue.

  • Robby, 19 Feb 2016 @ 12:29pm

    Still at it

    The marketers and associated companies are STILL employing their dirty marketing and fraud schemes. The latest fraud scheme is giving marketers access to all the emails in my inbox, thereby giving permission to a website hidden as spam-clearing software. I'm mad happy these companies and marketers are still doing this, especially when there will be a hefty compensation given to me. This is so awesome.

  • Robby, 19 Feb 2016 @ 6:13pm

    Edit: Update

    Forgot to add that on top of the large corporations this will also target the individual responsible for being the primary igniting source for this. This is a serious infiltration of my human and civil rights. Whoever is responsible for this, you will pay. You will pay for everything you have done to me. The mental torture, the hospital bills, the student loans, the stress you have put on all of those that surround me every single place I go. You will pay for this targeted action. I promise it and guarantee it. I am going forward with this as long as it doesn't harm the one individual I care about and the members of my immediate family. Otherwise, it's fair game. You brought this on yourself.

  • Daniel, 19 Feb 2016 @ 9:35pm

    ...

    I will never do something if it hurts the girl I love. If you are reading this, I won't do it if there is any chance at all that it will involve any action on you. I still love you and I don't want anything bad to ever happen to you because you are incredibly sweet to me. If I wanted to ever take any action I want to meet you and date you first, so you can also talk to me about whether it is a good idea to take any legal action or if you think it would be a bad idea and a waste of time. I don't want you to become entangled in this. I want you to be a part of my success, but what I am saying is that I don't want my success to be controlled by these asshole marketers, especially if we start a family. We have to protect ourselves so that when we do have a child/children we do not want these stupid marketers to have any negative effect on us. My love, before I ever consider going to Ethiopia I really do want you to come with me. That is why I told my mom I would start working before I even consider going overseas, because I know that once I start working things will fall into place. Do not ever think for a second that after all this and everything you have done for me that I would ever leave you in the dust. I told my mother I would work just for that reason. I will work for myself and so you will know that I care about you and I love you, and no dumb marketers will ever get in between us no matter what they do and how hard they try to ruin mine or your life. Please don't think I'll leave you. Once we start dating we will grow closer and I am going to do everything I can to make sure I start caring for myself. Let us take it day by day.

  • Daniel, 21 Feb 2016 @ 5:19pm

    Hahjjaj

    Now someone can remotely control my Kindle so webpages from my history can pop up. Lolololol guess we all sensitive in a way now aren't we?
