A few months ago, we noted how
Verizon and AT&T were at the bleeding edge of the use of new "stealth" supercookies that can track a subscriber's web activity and location, and can't be disabled via browser settings. Despite having been doing this for two years, security researchers only just noticed that Verizon was actively modifying its wireless users' traffic to embed a unique identifier traffic header, or X-UIDH. This identifier effectively broadcasts user details to any website they visit, and the opt-out settings for the technology only stopped users from receiving customized ads -- not
the traffic modification and tracking.
AT&T responded to the fracas by claiming it was only conducting a trial, one AT&T has since claimed to have terminated. Verizon responded by insisting that the unique identifier was rotated on a weekly basis (something researchers found wasn't true) and that the data was perfectly anonymous (though as we've long noted anonymous data sets are never really anonymous
). While security researchers noted that third-party websites could use this identifier to build profiles without their consent, Verizon's website
insisted that "it is unlikely that sites and ad entities will attempt to build customer profiles" using these identifiers.
As such, you'll surely be shocked to learn that sites and ad entities are building customer profiles using these identifiers.
Not only that, they're using the system to resurrect deleted tracking cookies and share them with advertising partners, making consumer opt-out preferences moot. According to security researcher Jonathan Mayer
(and tested and confirmed by ProPublica
), an online advertising clearinghouse by the name of Turn has been using Verizon's modifications when auctioning ad placement to websites like Google, Facebook and Yahoo for some time. When asked, Verizon pretends this is news to the company:
"When asked about Turn's use of the Verizon number to respawn tracking cookies, a Verizon spokeswoman said, "We're reviewing the information you shared and will evaluate and take appropriate measures to address." Turn privacy officer Ochoa said that his company had conversations with Verizon about Turn's use of the Verizon tracking number and said "they were quite satisfied."
Like Verizon's implementation of the program, Turn lets users opt out of receiving targeted ads, but users have no way of really opting out of being tracked or having their packets manipulated without prior consent. As the EFF notes
, your only option is to use a VPN for all your traffic, or to use a browser add-on like AdBlock, which doesn't fully address the issues with the use of a UIDH header. Amusingly, Turn tries to claim to ProPublica that it's actually using Verizon's UIDH to respect user behavioral ad opt out preferences, but the website found that repeatedly wasn't working:
"Initially, Turn officials also told ProPublica that its zombie cookie had a benefit for users: They said they were using the Verizon number to keep track of people who installed the Turn opt-out cookie, so that if they mistakenly deleted it, Turn could continue to honor their decisions to opt out. But when ProPublica tested that claim on the industry's opt-out system, we found that it did not show Verizon users as opted out. Turn subsequently contacted us to say it had fixed what it said was a glitch, but our tests did not show it had been fixed."
Even if Turn's being honest, there are plenty of companies that aren't going to bother being ethical. Verizon, which in 2008 insisted that consumer privacy protections weren't necessary because public shame would keep them honest
, pretty clearly isn't interested in stopping the practice without legal or regulatory intervention. So yeah, again, we've got a new type of supercookie that tracks everything you do, can't be opted out of, and is turning consumer privacy completely on its ear, but there's absolutely nothing here you need to worry your pretty little head about.