Verizon’s mobile persistent cookie is more trick than treat

31 Oct 2014 | Author: | No comments yet »

Secretive, unblockable Verizon perma-cookies kick up privacy concerns.

Verizon Wireless has kicked up something of a privacy scandal in recent days over how it tampers with user’s web traffic sent via the company’s wireless network.Wired and Forbes reported earlier this week that the two largest cellphone carriers in the United States, Verizon and AT&T, are adding the tracking number to their subscribers’ Internet activity, even when users opt out. Hoping to cash in on lucrative advertising dollars from mobile devices, Verizon inserts a unique string of letters and numbers into individual users’ HTTP requests that can be used to identify a specific device. If the cell phone provider systematically overcharges you or doesn’t deliver, say, on its promise of “unlimited data,” your only remedy — unless the government steps in — is forced arbitration, a private negotiation between the company and the customer where a non-judicial party decides your fate.

These strings, called a Unique Identifier Header (UIDH), are inserted into almost every web request a Verizon user makes on the company’s network, security researchers say. MoPub, acquired by Twitter in 2013, bills itself as the “world’s largest mobile ad exchange.” It uses Verizon’s tag to track and target cellphone users for ads, according to instructions for software developers posted on its website. This controversial type of tracking, known in industry jargon as header enrichment, is the latest step in the mobile industry’s quest to track users on their devices. It’s why the Federal Trade Commission, not customers, just sued AT&T for allegedly slowing down Internet speeds on customers’ smartphones — even though customers were complaining about the practice for years.

The policies are aimed primarily at restricting customers from class action lawsuits, but they also forbid customers from taking cell phone providers to just about any kind of court — except small claims court, familiar to most Americans as the setting for The People’s Court; hardly the venue for exacting justice against multibillion dollar corporations. Verizon’s UIDH scheme is much harder to deal with or even discover, because the company inserts the UIDH into your web request at the network level. “ISPs are trusted connectors of users and they shouldn’t be modifying our traffic on its way to the Internet,” Jacob Hoffman-Andrews, a senior staff technologist with the Electronic Frontier Foundation, told Wired. But under pressure from privacy critics, both companies took steps to secure these Device IDs, and began allowing their users to delete them, in the same way they could delete cookies in their desktop Web browser.

So before you applaud the company for such a progressive policy, consider the likelihood that someone who just bought a new phone would also have the forethought to consider the best potential legal strategy against the company they bought the phone from. If a customer really envisioned becoming entangled in a legal dispute with a company over a purchase, they wouldn’t probably simply avoid doing business with that company. In 2010, two European telecom engineers proposed an Internet standard for telecom companies to track their users with a new kind of unique identifier. Pretty soon, the ad network could build a profile about users based on this information. “Any website can easily track a user,” Jonathan Mayer, a computer scientist and lawyer at Stanford said in a recent blog post regarding UIDHs. “Regardless of cookie blocking and other privacy protections.

No relationship with Verizon is required.” Verizon told Wired that users can opt-out of having their device tracked as part of the company’s advertising scheme. In April, the General Mills’ cereal brand changed its terms of service so that simply liking the cereal on Facebook voided a consumer’s right to sue. In the spring of 2012, AT&T applied for a patent for a method of inserting a “shortlived subscriber identifier” into Web traffic of its mobile subscribers and Verizon applied for a patent for inserting a “unique identification header” into its subscriber’s traffic. The Verizon patent claims this header is specifically meant to “provide content that is targeted to a subscriber.” Inserting the identifiers requires the telecom carrier to modify the information that flows out of a user’s phone.

In the fall of 2012, Verizon notified users that it would begin selling “aggregating customer data that has already been de-identified” — such as Web-browsing history and location — and offered users an opt-out. In 2013, AT&T launched its version — a plan to offer “anonymous AT&T data” to allow advertiser to “deliver the most relevant messages to consumers.” The company also updated its privacy policy to offer an opt-out.

A second option is to turn to encryption such as using SSL (HTTPS) for sites you visit or connecting to the Internet through a virtual private network. Meanwhile, Verizon’s service – Precision Market Insights – has become popular among ad tracking companies that specialize in building profiles’ of user behavior and creating customized ads for those users. Companies that buy the Verizon service can ask Verizon for additional information about the people whose unique identifiers they observe. “What we’re excited about is the carrier level ID, a higher-level recognition point that lets us track with certainty when a user, who is connected to a given carrier, moves from an app to a mobile Web landing page,” an executive from an ad tracking company Run told an industry trade publication. And in a promotional video for Verizon’s service, ad executive Chris Smith at Turn, touted “the accuracy of the data,” that the company receives from Verizon.

A Verizon spokeswoman said, “We do not provide any data related to the [unique identifier] without customer consent and we change the [unique identifier] on a regular basis to prevent third parties from building profiles against it.” She declined to say how often Verizon changes the identifier. Last week, security engineer Kenn White noticed an Ad Age news article about Verizon’s mobile marketing program and set up a test server to see if he was being tracked. He found that he needed to visit four different webpages to opt out, including one web page not even on AT&T’s domain:

In May, a Verizon executive made a presentation describing how Google’s proposal could “limit value-add services that are based on access to header” information.

Here you can write a commentary on the recording "Verizon’s mobile persistent cookie is more trick than treat".

* Required fields
All the reviews are moderated.
Our partners
Follow us
Contact us
Our contacts

ICQ: 423360519

About this site