Verizon May Soon Get to Enjoy a Lawsuit Over Its Sneaky Use of Perma-Cookies
from the privacy-schmivacy dept
Over the last few years, Verizon has been ramping up its behavioral tracking efforts via programs like Verizon Selects and its Relevant Mobile Ad system, which track wireless and wireline subscriber web behavior to deliver tailored ads and sell your information to third parties. Unknown until a few weeks ago, however, was that as part of this initiative Verizon had started using what many are calling “stealth,” “super” or “perma” cookies: identifiers that track a user’s online behavior covertly and that users cannot disable via browser settings.
Lawyer and Stanford computer scientist Jonathan Mayer offered up an excellent analysis noting that Verizon was actively modifying its users’ traffic to embed a unique identifier header, X-UIDH. This header can then be read by marketing partners (or hey, anybody, since it’s stamped on all of your traffic), who can build a handy profile of you from it. It’s a rather ham-fisted approach, argues Mayer, who notes that while you can opt out of Verizon selling your data, you can’t opt out of having your traffic embedded with the unique identifier. He also offered up a handy graphic detailing precisely how these headers work:
As the story grew the last few weeks, ProPublica noted that Twitter’s mobile advertising arm is already one of several clients using Verizon’s “header enrichment” system, though Twitter didn’t much want to talk about it. Several tools like this one have popped up since, allowing users to test their wireless connections (note it doesn’t work if your cellular device is connected to Wi-Fi, and may be masked by the use of Google Mobile Chrome, Opera Mini, or if viewed through apps like Flipboard).
Kashmir Hill at Forbes also has a great article exploring the ramifications of the system and asked Verizon and AT&T (who has started trials of a similar system) what consumer protections are in place. Both companies proclaimed that the characters in their headers are rotated on a weekly and daily basis to protect user information. But as we’ve noted time and time again, there’s really no such thing as an anonymized data set, and security consultant Ken White argues that only part of the data in the headers is modified, if at all:
“White has been tracked for the past 6 days across 550 miles with a persistent code from both Verizon and AT&T. He has a smartphone with Verizon service and a hotspot with AT&T service. In AT&T’s case, the code has four parts; only one part changes, he says. ‘It’s like if you were identified by a birth month, a birth year, a birth day, and a zip code, and they remove one of those things,’ said White. You’d still be able to reasonably track that person with the other three. Verizon’s code meanwhile hasn’t changed for him, and it’s been almost a week.”
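As an added example (not code from the article, from Mayer’s analysis or from the connection-test tools it links to), here is a small Python checker that does on the server side what those “test your connection” tools do, and then applies Ken White’s four-part test to the identifier seen over several days: parse each captured request, pull out the X-UIDH header, and report which parts of the value stay constant. The dash-delimited four-part value, the header format and all captures are constructed; the real header format is not given on the page.

```python
from typing import Dict, List

# Header name to look for. X-UIDH is the one the article describes; the
# tuple can be extended if a carrier uses a different name (assumption).
TRACKING_HEADERS = ("x-uidh",)


def parse_request_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of an HTTP/1.x request into a lowercase-keyed dict."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the request line
        name, colon, value = line.partition(":")
        key = name.strip().lower()
        if colon and key not in headers:  # first occurrence wins
            headers[key] = value.strip()
    return headers


def find_injected(raw: bytes) -> Dict[str, str]:
    """Return the carrier-injected identifier headers present in one request."""
    return {k: v for k, v in parse_request_headers(raw).items()
            if k in TRACKING_HEADERS}


def stable_parts(values: List[str], sep: str = "-") -> List[bool]:
    """For a delimited identifier, report which parts never change across sightings."""
    parts = [v.split(sep) for v in values]
    width = min(len(p) for p in parts)
    return [len({p[i] for p in parts}) == 1 for i in range(width)]


def effectively_persistent(values: List[str], sep: str = "-") -> bool:
    """True when at most one part of a multi-part identifier ever changes.

    This is Ken White's objection: rotating one of four parts still leaves
    three stable parts that single out the subscriber.
    """
    stable = stable_parts(values, sep)
    return len(stable) > 1 and stable.count(False) <= 1


def analyze_captures(captures: List[bytes]) -> Dict[str, object]:
    """Gather identifier values across captures and judge whether rotation helps."""
    seen: List[str] = []
    for raw in captures:
        seen.extend(find_injected(raw).values())
    if not seen:
        return {"injected": False, "values": [], "persistent": False}
    return {"injected": True, "values": seen,
            "stable_parts": stable_parts(seen),
            "persistent": effectively_persistent(seen)}


# Constructed captures: the same request as the web server would see it on
# four days over cellular (header appended by the carrier after the phone
# sent it) and once over Wi-Fi (no header). The value format is invented.
def _req(extra: bytes = b"") -> bytes:
    return (b"GET /test HTTP/1.1\r\nHost: example.invalid\r\n"
            b"User-Agent: Mozilla/5.0 (Mobile)\r\n" + extra + b"\r\n")


CELLULAR_CAPTURES = [_req(b"X-UIDH: AB12-CD34-EF56-000%d\r\n" % d) for d in range(1, 5)]
WIFI_CAPTURE = _req()
```

Running `analyze_captures(CELLULAR_CAPTURES)` reports three of four parts stable and the identifier as persistent, while the Wi-Fi capture reports no injection, matching the article’s note that the header is absent when the device is not on the cellular network.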
Amusingly, I remember back in 2008 when concerns about deep packet inspection and behavioral ads were heating up, Verizon declared there really wasn’t any need for consumer protections or privacy rules governing such technologies, because, the company claimed, public shame and the oodles of competition in the broadband space would somehow keep them honest:
“A couple of years back during the debate on net neutrality, I made the argument that industry leadership through some form of oversight/self-regulatory model, coupled with competition and the extensive oversight provided by literally hundreds of thousands of sophisticated online users would help ensure effective enforcement of good practices and protect consumers.”
Yet here we have an example where the behavior Verizon was engaged in was so surreptitious, even some of the best networking and security experts in the business didn’t notice Verizon was doing it until two years after the effort was launched. Apparently, holding Verizon accountable is going to take a little more than a public scolding in the town square. The EFF has stated they’re taking a look at possible legal action against Verizon for violating consumer privacy law.
Comments on “Verizon May Soon Get to Enjoy a Lawsuit Over Its Sneaky Use of Perma-Cookies”
We need TLS everywhere
TLS guarantees the end-to-end principle. What I send is what the server receives, no more, no less. What the server sends is what I receive, no more, no less.
Re: We need TLS everywhere
Unless the providers interfere with the TLS handshake negotiation…
Re: We need TLS everywhere
TLS cannot guarantee that. It can only guarantee that nothing in your message will be altered.
Verizon is using a Man-in-the-middle attack here, and all they are doing is adding to your message. TLS has no control over that.
Think of it as if you sent a letter, then the mail man wrote a message and put your letter and their message into a new envelope and mailed that. There’s nothing you can do to stop it.
Re: Re: We need TLS everywhere
That’s… just not true, at least for a properly set up TLS connection. They can’t add to, remove from, or change anything that goes over a TLS channel in a way that either party will accept without knowing the session key. It doesn’t just guarantee that nothing in a particular HTTP request will be altered, as you seem to imply. It guarantees that nothing sent over the TLS connection will be altered. Even were that not true, the header would need to be inserted into the middle of the user’s HTTP request and would thus require alteration of the message itself.
If Verizon has a CA cert that’s trusted by mobile browsers they could be MITM-ing the TLS negotiation. That’s even plausible for phones distributed by Verizon. If that were the case, though, it’d be called out by the researchers who’ve been reporting on this. We’d also see calls for it to be removed from the trust roots.
Gumnos’ concerns about TLS-stripping attacks are much more likely to be valid, although the particular case mentioned probably wasn’t malicious.
Re: We need TLS everywhere
See https://www.eff.org/https-everywhere
Hope they get screwed
It will be interesting to see just how far they will be able to go in invading our privacy.
Re: Hope they get screwed
They didn’t invade your privacy, you did read the T&C didn’t you?
You’re quite free to choose another provider or to not use the internet, after all.
The concept of (unfettered) internet access as a human right suddenly starts to sound attractive instead of flaky.
Re: Re: Hope they get screwed
Just because the behavior is allowed in the ToS doesn’t mean it isn’t an invasion of privacy.
Re: Re: Re: Hope they get screwed
If you agree to be invaded have you been invaded?
Is your privacy somehow a different entity from you such that you cannot consent or agree to have your privacy invaded?
Questions, questions.
Re: Re: Re:2 Hope they get screwed
“If you agree to be invaded have you been invaded?”
I disagree with the assumption that because something is in the ToS, you have agreed to it. I know that it’s true legally, but practically it’s almost never the case.
“Is your privacy somehow a different entity from you such that you cannot consent or agree to have your privacy invaded?”
That’s an oddly worded question. Of course you can agree to have your privacy invaded. But just because you agree to it doesn’t magically stop it from being an invasion of privacy.
Re: Re: Re: Hope they get screwed
“Just because the behavior is allowed in the ToS doesn’t mean it isn’t an invasion of privacy.”
Also, it may not be legal/enforceable even if it’s in the ToS.
Re: Re: Hope they get screwed
“Consent” means nothing if it is not appropriately informed. The fact that no one knew about this illustrates that there was no informed consent.
Isn’t there some sort of state-imposed monopoly on these services? Meaningful participation in contemporary society necessitates use of the internet. Most of us are “free” not to use the internet in only the most technical sense, that is, not at all.
Laws are not necessarily reasonable, ethical or legitimate. Current privacy and data protection laws are radically inadequate and require urgent reform. Thanks to lobby dollars / political donations (political bribes) from Google et al, combined with the toxic influence of the security state, this is unlikely to occur for years.
‘you can’t opt out of having your traffic’ read.
All Verizon and others need is to allow others to read where you have been and they will obviously get paid. What is so annoying about this is that it’s your data that they are giving access to, for a fee, and you not only don’t get asked, you don’t get paid either!!
Re: Personal
What if I want to send a love letter to my wife or girlfriend?
Re: Re: Personal
If you really loved her, you wouldn’t be ashamed for the world to know about it…
/sarc
Re: Re:
“you not only don’t get asked, you don’t get paid either!!”
Getting paid wouldn’t make the tracking any less objectionable.
Re: Re:
I agree customers should be asked if they want to opt in to this theft ring. The tolls have already been paid by the customer; this is double dipping, invasion of privacy, and like reading your mail before it hits the receiver’s house. Any and all money should be passed on to the consumer for past interceptions of data.
Bah, that’s nothing. A couple of years back, the UK mobile-phone network O2 was caught injecting 3G users’ phone numbers into HTTP requests.
Any fines leveled against Verizon will be less than the profit they made off selling this information, so Verizon will have incentive to find other sneaky ways to turn profit
Re: Re:
Sadly you’re right. They’ll have made a billion long before getting a $50 million fine.
Re: Re:
I agree with you. But why are not fines greater than the profit from whatever shady practice is being investigated? Perhaps it is the too cozy relationship between the regulated and the regulators.
Re: Re: Re:
How do you determine what they made?
I doubt Verizon is going to make it easy for you…
Re: Re: Re: Re:
Indeed, so forget the fines and file criminal charges. Our legal code is so byzantine there’s almost no doubt they broke a number of laws doing this. All that’s left is doing some research and taking them to court.
Classic Man in the Middle
This is disgusting. This technique is well known as a man in the middle attack and should be prosecuted as such. The fact that they’re your provider does not give them the freedom to alter your messages like this.
Re: Classic Man in the Middle
This is yet another area where Title II classification would help. If you’re a common carrier, you aren’t allowed to alter the communications that you’re carrying.
Re: Re: Classic Man in the Middle
This isn’t for wireline, it’s wireless only (for now). Title II is only being considered for wireline. You’d need to get wireless included.
So for now, Title II won’t do anything.
Re: Re: Re: Classic Man in the Middle
Yes, I know. I was making a larger point. 🙂
Re: Classic Man in the Middle
Why is it that when haxxorz do MITM attacks they get imprisoned for years and years for a CFAA violation but when a company does it, wotcha gonna do, eh?
Uhh...
You can either have targeted ads, semi-targeted ads, or generic ads.
Nobody uses generic ads, since they’re useless. There’s really not even an offline equivalent. You always know something about your audience, even if it’s as little as where they are when they see the ad.
Semi-targeted ads are like a billboard, when you know the location it’s being seen, or a TV spot where you have a good idea about the demographics of the viewing audience.
Targeted ads are usually thought of as online, but any mailers you get from retailers you frequent are basically the same thing. Or coupons that print on your receipt at checkout. They know what you bought previously and will push similar products.
Injecting identifiers, for the purpose of delivering advertising, is INHERENTLY targeting. Any attempt to claim it’s not is a flat-out lie. And not even a good one. It’s a three-year-old with ice cream all over his face telling you the dog did it.
W. T. F.
If a profile expired every day, or even every week, it would be WORTHLESS. The entire point of doing this is that it’s trackable.
Claiming otherwise doesn’t take big brass balls, it takes a small withered brain.
Does this count toward overage/bandwidth?
Re: Re:
This is just a string of text, so not much bandwidth is consumed. Ads in general though do erode your usage allotment. AT&T is experimenting with a system that will let advertisers and content companies pay them an additional premium for their content and ads NOT counting against the usage cap, however.
Re: Re: Re:
This is just a string of text, so not much bandwidth is consumed.
Is this excuse valid when it comes time to pay for overages? 🙂
I understand that it is just a string of text, but depending on how they measure bandwidth, it could add up…
Re: Re: Re: Re:
No, I imagine Verizon won’t be sympathetic. 🙂 They want you to reach your shared data cap limit any way possible and start incurring those $10-15 per GB overage fees.
Re: Re: Re: Re:
The extra header(s) are inserted into the packet after it’s left your phone and reached the telco. Therefore, depending on where the actual metering of your data usage is done, it may not be included, as it may be inserted after your packet has already been metered.
Of course, it may also be inserted before the metering, so it might be included…
Enjoy it Verizon! It’s our pleasure. Want some more?
I cancelled my Verizon account the moment I confirmed this tracking. They apparently don’t like being told this in person when they ask why you’re leaving. I doubt I’m the first to state that as a reason for immediate termination of service (curious how many have left as a result of this discovery).
They should be fined per customer whose privacy they violated and not just a flat rate of 50 million which is essentially nothing to them.
Verizon should be forced to forfeit all their profits from this past fiscal year and have then evenly distributed amongst their victims/customers.
Re: Re:
Thanks, but no thanks. You are assuming that most of us care, and I can assure you we don’t. I do not need, nor do I care, what Verizon does with this information. We have the right and ability to ignore ads. Your statement sounds like a class action attempt, which I believe is not allowed based on its T&C.
Re: Re: Re:
“We have the right and ability to ignore ads.”
This isn’t about the ads.
Security consultant Ken White
This is someone completely different from the Popehat guy, right?
why not just convert their sheep to a static IPv6 address and steal/sell the DNS and network activity?
that would be much harder to detect, and work across apps (not sure if every single app uses the standard web api/rest/http protocol).
phorm for this
UK providers have phorm for trying this sort of rubbish as well. Would be nice to see _someone_ getting an actual punishment for it.
Prosecution over here fell apart with “no criminal intent” decided after attempting a long grass exercise as the alternative was hammering the former national phone carrier who got caught.
Guess that encryption hurts this sort of thing, and certain agencies don’t want people encrypting things may have something to do with it. Plus not wanting a court to rule that this sort of stealth stuff is illegal.
Poor old lonely blogger I am..
I’m not really complaining but I found the Stanford write up and tweeted it to Kashmir at Forbes and then what do you know I see the same image I used in my original blog there too.
Ok so I’m whining that nobody wants to recognize me (grin). I read your feeds here too and reference you in tweets and some blogs too.
There’s my original at the link…
http://ducknetweb.blogspot.com/2014/10/verizon-wireless-packaging-and-selling.html
But just for that though, here’s a new page I made up on my privacy campaign and worth a look at the Congressional testimony video there too:)
http://www.youcaring.com/other/help-preserve-our-privacy-/258776
You can make it up by donating if you want..I’m just kidding and wiping the tear of out my eye:) I’m a former developer in healthcare, and don’t write anymore but try to put some bottom line stuff out there when I can:)
State Actor
Remind me again why a private company is charging us for their services, then turning around and selling literally everything they can about our use of their service. When they give the government access to records that should be protected, we should be able to shut down that company, not have it protected by new unconstitutional laws. Neither company should be open for business, much less colluding with the letters to “fight” whatever the buzzword excuse of the day is.
Delicious Lie
“Both companies proclaimed that the characters in their headers are rotated on a weekly and daily basis to protect user information.”
These companies don’t care about user information. Therefore, they don’t do that rotation to protect the users: they do that because, if they didn’t, the advertising company would build its own database of tracking codes. To prevent that the code is rotated, requiring the advertising company to make yet another paid request to learn the identity of the person.
I’m sure Verizon was deliciously amused that this feature permitted them to lie that they were protecting “user information”.
When you lie down with dogs, don’t be surprised when you get up with fleas.
Verizon is a cancerous bleeding sore. They give me the wrong 411 number, block emergency calls, block alarm contacts, screw with my emails. They block every attempt to contact someone with over 20 percent brain function and charge 300 percent to be a bag of shit.
My TLS connections via Verizon e-mail stopped working approx. November 2014. Now I know why. What a bunch of douchebags.
Fortunately we have alternatives, and I will send more of my money to Google to encourage them to develop access here.
Alrighty then.
These assholes are doing this shit to me. I encountered this exact header on CNN’s website. They are selling my information no matter where I am. AOL which is under their parent company of Verizon seems like a likely suspicion. If this starts crossing further lines which I’m constantly drawing and being lenient. I am actually going to file a privacy lawsuit for the main asshole responsible for this. Either they back their nosy behinds the fuck up or I’m taking action on the main perpetrating asshole who is responsible for this. This privacy lawsuit would only target the individuals employed by this company and any other douchebags connected with this hostile intrusion or the company itself. People better start shaping up and getting in line before this gets more serious. If you do not respect privacy then you will be sued. Cease and desist people. This will be far reaching too. I’m going to put preliminary work in for this lawsuit. I received a call from my lawyer about this issue and I didn’t respond back since I was giving people a second chance. But this is over I am getting to the bottom of this with my lawyers and if they are reading this you will be sued. This is only going to target only a few specific individuals who are responsible for this. And believe me we have all the evidence for a lawsuit which my parents helped me and my lawyers gather. This has gone on for too long and those who don’t respect privacy are in over their heads.
Re: Alrighty then.
These people should have thought harder about this. But this is it. I have reached a limit and it is not only affecting me but those close to me and trying their best to help me. It was dumb to think there wouldn’t be a whistleblower at some point but hey I’m not the one wasting the time on this issue.
Still at it
The marketers and associated companies are STILL employing their dirty marketing and fraud schemes. The latest fraud scheme gives marketers access to all the emails in my inbox by granting permission to a website disguised as spam-clearing software. I’m mad happy these companies and marketers are still doing this, especially when there will be a hefty compensation given to me. This is so awesome.
Edit: Update
Forgot to add that on top of the large corporations this will also target the individual responsible for being the primary igniting source for this. This is a serious infiltration of my human and civil rights. Whoever is responsible for this, you will pay. You will pay for everything you have done to me. The mental torture, the hospital bills, the student loans, the stress you have put on all of those that surround me every single place I go. You will pay for this targeted action. I promise it and guarantee it. I am going forward with this as long as it doesn’t harm the one individual I care about and the members of my immediate family. Otherwise, it’s fair game. You brought this on yourself.
...
I will never do something if it hurts the girl I love. If you are reading this I won’t do it if there is any chance at all that it will involve any action on you. I still love you and I don’t want anything bad to ever happen to you because you are incredibly sweet to me. If I wanted to ever take any action I want to meet you and date you first so you can also talk to me if it is a good idea to take any legal action or if you think it would be a bad idea and waste of time. I don’t want you to become entangled in this. I want you to be a part of my success but what I am saying is that I don’t want my success to be controlled by these asshole marketers especially if we start a family. We have to protect ourselves so that when we do have a child/children we do not want these stupid marketers to have any negative effect on us. My love before I ever consider going to Ethiopia I really do want you to come with me. That is why I told my mom I would start working before I even consider going overseas because I know that once I start working things will fall into place. Do not ever think for a second that after all this and everything you have done for me that I would ever leave you in the dust. I told my mother I would work just for that reason. I will work for myself and so you will know that I care about you and I love you and no dumb marketers will ever get in between us no matter what they do and how hard they try to ruin mine or your life. Please don’t think I’ll leave you. Once we start dating we will grow closer and I am going to do everything I can to make sure I start caring for myself. Let us take it day by day
Hahjjaj
Now someone can remotely control my Kindle so webpages from my history can pop up. Lolololol guess we all sensitive in a way now aren’t we?