Privacy

by Karl Bode


Filed Under:
fcc, privacy, settlement, zombie cookies

Companies:
verizon



Verizon Strikes $1.35 Million Settlement With FCC Over Its Use Of Stealth 'Zombie Cookies'

from the comes-around-goes-around dept

Last year you'll recall Verizon Wireless found itself in hot water after being caught modifying user packets to insert stealth tracking technology. By embedding each packet with a unique identifier traffic header, or X-UIDH. Verizon and its marketing partners were not only able to ignore user browser preferences and track their behavior around the Internet, they were then able to use this technology to build detailed user profiles. Verizon Wireless launched and operated the technology for two years before security researchers even noticed the program, and it required another six months of public pressure for Verizon to even offer an opt-out option.

According to the FCC's full press announcement (pdf), the fairly measly $1.35 million settlement doesn't stop the program, which likely won't please many privacy advocates. Verizon Wireless will however need to transparently notify users of the system and get their explicit opt-in (a rare dinosaur in online tracking rules) consent before sharing any of this data with third parties. The FCC is quick to highlight how Verizon previously proclaimed the technology couldn't be abused by third parties to build detailed profiles of users -- right before it was.

The FCC's full order (pdf) indicates that the regulator is leaning heavily on both the transparency requirement embedded in the FCC's net neutrality rules, and the agency's authority under Title II of the Communications Act to enforce the settlement:
"Section 222 of the Communications Act imposes a duty on carriers to protect their customers’ proprietary information and use such information only for authorized purposes. It also expressly prohibits carriers that obtain proprietary information from other carriers for the provision of telecommunications services to use such information for any other purpose. Section 8.3 of the Commission’s rules, known as the Open Internet Transparency Rule, requires every fixed and mobile broadband Internet access provider to publicly disclose accurate information regarding the network management practices, performance, and commercial terms of its broadband Internet access services sufficient for consumers to make informed choices regarding use of such services and for content, application, service, and device providers to develop, market, and maintain Internet offerings."
When the FCC reclassified ISPs as common carriers under Title II, ISPs became subject to Title II’s Section 222 privacy protections regarding "customer proprietary network information" (CPNI). That portion of Title II was written specifically for phone companies, so the FCC is planning (prompted in large part by Verizon's behavior) to update the CPNI rules to create new broadband consumer privacy protections. While the FCC politely lauds Verizon's cooperation in the investigation, these kinds of consumer protections are precisely what Verizon was trying to stop when it sued to cripple net neutrality (both in 2010 and again last year).

Granted Verizon could have easily avoided the new privacy rules. It has argued for years that tougher privacy protections for broadband weren't necessary because the industry could self-regulate. And regulators appeared to buy that claim for a while. But Verizon's decision to covertly fiddle with packets and track tens of millions of customers without bothering to tell any of them indicates just how well that plan actually worked in practice.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    limbodog (profile), 7 Mar 2016 @ 11:57am

    Fines that low are really just a "cut" of the action.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Mar 2016 @ 11:59am

    and i suppose that's about 1% of the revenue Verizon raked in from the advertising!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Mar 2016 @ 12:05pm

    Does that even qualify as a slap on the wrist? Hell, does it even qualify as a mildly disapproving frown?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Mar 2016 @ 12:09pm

    Just blink to "opt in".

    There, that wasn't so hard, was it?

    reply to this | link to this | view in chronology ]

  • identicon
    DCL, 7 Mar 2016 @ 12:19pm

    How long before...

    ... we find out it was actually a government requested/mandated security/tracking program under guise of a advertising revenue stream.

    Think of the children!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Mar 2016 @ 12:22pm

    Where is my cut?

    I am a Verizon customer... why is it that I first get fucked by Verizon and then the FTC gets to profit while I still got fucked without any compensation?

    I know a lot of you tech dirter's like your government institutions but I have yet to see much of a benefit to all of these "regulations". I have however, notice a whole lot of monopolies and poor service with little choice in the market however.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Mar 2016 @ 12:28pm

    The first rule of how to run a business today is ..

    .. do not get caught.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Mar 2016 @ 12:30pm

      Re: The first rule of how to run a business today is ..

      2nd rule is to lobby for laws and fines that make it still profitable to break the law.

      Verizon breaks the law, Government profits, Citizens still wronged and not give any compensation. I am seeing a patternhere.

      reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 7 Mar 2016 @ 12:29pm

    Hit hard or don't bother

    If the $1.35 million ended up being so much as 5% of what they gained from selling the data I would be greatly surprised, which means that the FCC might as well not have even bothered. What possible reason does Verizon have not do do the same thing in the future with a fine this pathetic after all, it's basically just a cost of business, a minuscule cost that ever so slightly lessens the profits gained.

    No, if the FCC or other similar agencies want to provide some real incentive for companies to follow the rules then they need to use a percentage based fine system, and start at 100%. If companies know that the absolutely smallest fine for violations will leave them no better off than before should they be caught, in addition to any other penalties, then they might care, but as it stands the penalties and motivations are entirely on the side of breaking as many of the rules as they can and then just paying the laughable fines should they get caught.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Mar 2016 @ 12:35pm

      Re: Hit hard or don't bother

      No fines! not even a $1.

      Jail Time, nothing other than Jail Time. Fines serve as nothing more than a catalyst for government to ignore a problem long enough to ensure that they catch them do just enough damage for citizens to ignorantly feel good about it while the company laughs all the way to bank shaking the had that fined them for their generosity.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Mar 2016 @ 7:47pm

      Re: Hit hard or don't bother

      hopefully there is a larger game afoot and the ftc is just flexing its muscles and setting legal president under the new laws. by charging this little they get a president they can then use as a hammer later for real fines that verizon may actually want to fight about. but then again reading to much techdirt has shaken my faith in humanity.

      reply to this | link to this | view in chronology ]

  • icon
    Ninja (profile), 7 Mar 2016 @ 12:34pm

    $1.35 million settlement

    Maybe I'm wrong but with such a detailed mining method they probably made much more than that. This is almost like punishing a kid for eating too much cake by giving them more cake.

    Verizon Wireless will however need to transparently notify users of the system and get their explicit opt-in (a rare dinosaur in online tracking rules) consent before sharing any of this data with third parties.

    Oh yes, I'd be delighted to have the privilege of being thoroughly tracked online while my data is subject to "outstanding" security practices. They'll need to word their "transparent notification" eloquently to get users to opt in to such thing. Then again how many tool bars have I seen installed on computers of the world?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Mar 2016 @ 12:53pm

      Re:

      Maybe I'm wrong but with such a detailed mining method they probably made much more than that. This is almost like punishing a kid for eating too much cake by taking a very small bite of the cake.

      Correction

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Mar 2016 @ 12:45pm

    New Rule

    If you get caught by the cops for robbing a bank, you must share some of the loot with the cops.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Mar 2016 @ 12:59pm

    I would almost guarantee Facebook uses something similar. Sometime in the middle of a Facebook session, try turning cookies off. Facebook will almost immediately log you off.

    You are the product when it comes to Facebook, and the moment they can't track your every move, they will shut you out. Not the kind of "free" application I'm interested in.

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 9 Mar 2016 @ 6:59am

      Re:

      The difference is that you can turn your cookies off and have it be effective with Facebook.

      With ISPs, cookies don't enter into it. Verizon, for example, was tagging the traffic itself in a manner that you had little control over. Facebook cannot technically do this sort of thing. You have to be an ISP to pull it off.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Mar 2016 @ 1:34pm

    So as a Verizon user who has been affected by this terrible thing, how much money am I going to see from this settlement?

    reply to this | link to this | view in chronology ]

  • identicon
    James T, 7 Mar 2016 @ 1:48pm

    What happens to the data collected?

    As far as I can concerned any existing data in Verizon's direct or indirect control should be deleted.

    reply to this | link to this | view in chronology ]

  • identicon
    Kronomex, 7 Mar 2016 @ 2:28pm

    $1.35M, that must be about 0.001% of their yearly profit. What an effect that will have on their bottom line. It's a joke.

    reply to this | link to this | view in chronology ]

    • icon
      Jeremy2020 (profile), 7 Mar 2016 @ 3:12pm

      Re:

      don't worry, they'll tack on a new under the line fee for it...so the fine being this small is a huge benefit to Verizon Customers that were affected by this issue!

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.