Two And A Half Years Later, Verizon Finally Lets People Opt Out Of Its Stealth Zombie Cookie

from the that-took-a-while dept

Back in 2008, Verizon proclaimed that we didn't need additional consumer privacy protections (or opt in requirements, or net neutrality rules) because consumers would keep the company honest. "The extensive oversight provided by literally hundreds of thousands of sophisticated online users would help ensure effective enforcement of good practices and protect consumers," Verizon said at the time. Six years later and Verizon found itself at the heart of a massive privacy scandal after it began covertly injecting unique user-tracking headers into wireless data packets.

The headers not only allow Verizon to ignore browser privacy settings to track online behavior, it allows third parties to do so as well (something Verizon initially denied). Worse, perhaps, while users could opt out of the personalized ads delivered by the system, they couldn't actually opt out of having their online behavior tracked. Initially, Verizon responded to the controversy by repeatedly downplaying it, but as it became clear regulators and lawyers were contemplating action, Verizon stated in February that it would finally let users opt out.

As of last week, Verizon's mobile advertising FAQ now states that users can choose whether they want to let Verizon manipulate their traffic and spy on them:
"Verizon Wireless has updated its systems so that we will stop inserting the UIDH after a customer opts out of the Relevant Mobile Advertising program or activates a line that is ineligible for the advertising program. Government and enterprise lines are examples of ineligible lines. The UIDH will still appear for a short period of time after a customer opts out of the Relevant Mobile Advertising program or activates an ineligible line. If a customer chooses to participate in Verizon Selects, the UIDH will be present even if the customer has also opted out of the RMA program."
Users can either opt out of the company's snoopvertising via the privacy settings at the Verizon website, or by calling 866-211-0874.

So was Verizon right in that the public would keep the company honest? While that did ultimately happen here, it's worth noting that it took the nation's best security researchers two years to even notice that Verizon was embedding the headers. It took Verizon another six months (and a pretty merciless and sustained beating from the media and privacy advocates) before it finally allowed users to opt out of the traffic manipulation. And, while groups like the EFF would prefer the system be opt in, this is likely where Verizon's latest privacy scandal gets put to bed.

It makes you wonder just how long it will take the public to discover Verizon's next great innovation in snoopvertising?

Reader Comments

The First Word

Subscribe: RSS

View by: Time | Thread


  • icon
    Tom Betz (profile), 6 Apr 2015 @ 2:03pm

    There's a catch to the "opt-out"

    You can't opt out using the toll-free number if the login to your Verizon Wireless account uses capital letters in the password. When I called 866-211-0874, it demanded my account password.

    And, of course, there is no web-based opt-out on the VZW web site.

    So for me to pot out, I have to change my password first.

    reply to this | link to this | view in chronology ]

  • icon
    TheResidentSkeptic (profile), 6 Apr 2015 @ 2:03pm

    This really makes a good point.

    "...Government and enterprise lines are examples of ineligible lines. ..."

    Says it quite clearly, doesn't it? -

    One set of rules for the government and its corporate owners;

    One for the riff-raff who just can't be trusted.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Apr 2015 @ 4:14pm

      Re: This really makes a good point.

      "The UIDH will still appear for a short period of time after a customer opts out of the Relevant Mobile Advertising program or activates an ineligible line. If a customer chooses to participate in Verizon Selects, the UIDH will be present even if the customer has also opted out of the RMA program."

      That says even more.... for a "short period of time" government and corporate lines will also be tracked... and it'll all get turned back on again if someone enables Verizon Selects.

      Makes me think it's almost worth using the tracking header myself to look for recently activated corporate and government handsets :)

      reply to this | link to this | view in chronology ]

  • icon
    Tom Betz (profile), 6 Apr 2015 @ 2:09pm

    They changed the Privacy Policy Opt-Out page.

    There is no longer even a mention of the X-UIDH opt out there. The last time I looked, it listed the toll-free opt-out number (that requires a password to use) and a link to sign up for Verizon Selects (which uses the X-UIDH).

    That's it.

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 6 Apr 2015 @ 2:23pm

      Kicking and screaming the whole way

      "Sure we'll let you opt out of our intrusive spying program... should you manage to find the contact information, change your password, call a number that may or may not be listed, and provide the secret code of the day(which changes every 24 hours, and is likewise never listed), and lastly personally meet our CEO or CFO and give them the double-secret handshake.

      Once you've done all that, we will be glad to opt you out of the system, and the process should only take a couple of month to get through the system."

      reply to this | link to this | view in chronology ]

    • icon
      nasch (profile), 6 Apr 2015 @ 9:44pm

      Re: They changed the Privacy Policy Opt-Out page.

      There is no longer even a mention of the X-UIDH opt out there.

      "This program uses a unique identifier, also known as a Unique Identifier Header or UIDH, that is inserted into certain web traffic to deliver ads to your mobile device... The UIDH discussed above will stop being inserted in web traffic from your device after you opt out of the Relevant Mobile Advertising program."

      reply to this | link to this | view in chronology ]

    • icon
      Karl Bode (profile), 7 Apr 2015 @ 5:55am

      Re: They changed the Privacy Policy Opt-Out page.

      It's worth noting that some people tell me the portion needed to opt out doesn't show up if you ad blocker enabled on the page...

      reply to this | link to this | view in chronology ]

  • icon
    John Fenderson (profile), 6 Apr 2015 @ 2:30pm

    It was the government, not consumer threat

    Verizon couldn't care less what regular people think, and they didn't change this policy because of the massive outcry over it. They changed the policy because it became clear that the government was starting to look for scalps. While the former undeniably led to the latter, it was the latter that actually mattered. If all that happened was vitriol from the masses, nothing would have changed at all.

    Verizon was wrong when it said that public pushback would keep them honest.

    reply to this | link to this | view in chronology ]

    • identicon
      Just Another Anonymous Troll, 7 Apr 2015 @ 9:16am

      Re: It was the government, not consumer threat

      Verizon was lying when it said that public pushback would keep them honest
      Fixed.

      reply to this | link to this | view in chronology ]

  • identicon
    Rich Kulawiec, 6 Apr 2015 @ 2:36pm

    The Principle of Opt-Out

    If it's opt-out, it's abusive.

    Nobody in the history of ever has needed to deceptively force people to do something that they really wanted to do; that's reserved exclusively for things that nobody wants. Whether it's telemarketing or spyware or spam or anything else doesn't matter: the principle holds.

    Prediction: in eight months, Verizon will quietly reset all the opt-out preferences to "no". Fifteen months later when that's discovered, they'll deny it. Four months after that they'll call it a "glitch". Seven months after that they'll say that the opt-out "expired". A year after that they'll make everybody do this song-and-dance again. And why not? It's not like their executives will be prosecuted and tossed in federal prison for this: if anything, they'll get bonuses.

    reply to this | link to this | view in chronology ]

  • icon
    Padpaw (profile), 6 Apr 2015 @ 2:42pm

    Have they actually done this or are they just saying they are?

    Considering how long they have been lying about this to people's faces are you really just going to take them at their word on this?

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 6 Apr 2015 @ 3:07pm

      Re:

      Many people have reported that the UIDH header has been removed following their opting out, so it looks like they're really doing it. As always, you can test your own situation by going to a site like amibeingtracked.com.

      reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 6 Apr 2015 @ 3:51pm

    Opt-out vs. opt-in.

    I've noticed that I've become conditioned in our tickbox-rife world. Whenever I see an opt-in option, I expect it's either the Right Thing To Do, or something that generally benefits me.

    [ ] Can we use your usage data (anonymized) to improve the product?

    [ ] Do you want access to the command-line console?

    [ ] Can we send you our newsletter? (Might contain spam. Only to you.)

    Whenever I see opt-out options, generally they tend to be of dubious benefit to me.

    [X] Can we sell your personal data to our affiliates?

    [X] Can we use your likeness to endorse our products?

    [X] YES! Please track down all my FACEBOOK friends and send them spam! Say it's from me!

    And I remember how Windows Genuine Advantage which didn't even announce itself or give an opt-out choice was exactly the sort of thing you didn't want on your computer.

    Verizon may have had better results with opt-in.

    [ ] YES! I totally want Verizon's stealth zombie cookie!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Apr 2015 @ 4:06pm

    Plain and simple

    This is like telling a stalker that you've 'opted-out' of being stalked.

    I'm pretty positive that if it were an 'opt-in' option that nobody would do it - which speaks loud and clear on how pervasive it really is.

    reply to this | link to this | view in chronology ]

  • icon
    afn29129 (profile), 6 Apr 2015 @ 4:15pm

    Been replaced

    If 6 months or 2 yrs from now it's discovered that the Supercookies had been replaced by something even more undetectable (DPI,etc).. color me very very unsurprised.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Apr 2015 @ 9:14am

    No Opt-out for Prepaid

    Verizon Prepaid customers can not use the web based form to opt out.

    reply to this | link to this | view in chronology ]

  • icon
    jeffreynye (profile), 7 Apr 2015 @ 6:13pm

    I was already opted out

    I followed the link to the privacy settings and was surprised to see that I was already opted out of this program. I guess it's possible that someone else on my account opted out, but based on who they are that strikes me as awfully unlikely.

    reply to this | link to this | view in chronology ]

  • identicon
    Mike, 10 Apr 2015 @ 12:25pm

    Oh boy

    Our benevolent Verizon overlords allowing us to not be spied on? How kind of them.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Home Cooking Is Killing Restaurants
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.