Your ISP May Be Up to No Good
Verizon has been quietly tracking the Internet activity of more than 100 million cellular customers by inserting “supercookies” into their cell phone web browsing — powerful markers that even sophisticated users find difficult to evade. The tracker functions even if a customer uses a private browsing mode or clears cookies. Privacy advocates say this tracking can expose our Internet behavior to outsiders, including to government intelligence services, and also may violate federal telecommunications and wiretapping laws. (AT&T’s program is not as sophisticated and is still being developed and tested, so it has not yet been deployed.)
Verizon’s Precision Market Insights division appends a per-device token known as the Unique Identifier Header (X-UIDH) to each Web (HTTP) request sent through its cellular network from a particular mobile device. This allows Verizon to link a website visitor to Verizon’s own internal profiles. The intent is to allow client websites to target ads at specific segments of the consumer market. Working much like a “supercookie,” the tracker allows third-party advertisers and websites to assemble a comprehensive and permanent profile of a user’s web browsing habits — without their knowledge, consent, or ability to turn it off. The “do not track” setting in web browsers is ignored. Not only Verizon customers are affected; any mobile device connected to a Verizon cell tower and sending HTTP requests will get an X-UIDH header.
Although Verizon intends this tracker to expand its advertising programs, it has huge privacy implications as well. What worries privacy advocates about Verizon’s own use of the X-UIDH header is what the header allows others to find out about Verizon users. The X-UIDH header reinvents the “cookie” in an insecure way that compromises our privacy.
Jonathan Mayer, a lawyer and computer scientist at Stanford, describes the mechanism in “How Verizon’s Advertising Header Works”:
In short, Verizon is packaging and selling subscriber information, acting as a data broker on real-time advertising exchanges. Questionable. By default, the information appears to consist of demographic and geographic segments. If a user has opted into “Verizon Selects,” then Verizon also shares behavioral profiles built by deep packet inspection.
Whatever the merits of Verizon’s new business model, the technical design has two substantial shortcomings. First, the X-UIDH header functions as a temporary supercookie. Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required.
Second, while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user.
Much better designs are possible. Verizon doesn’t need to supercookie its wireless subscribers to sell their advertising segments. And it certainly doesn’t need to send a supercookie if a user isn’t participating.
You can test whether the header is injected in your traffic by using your mobile phone’s data connection (not via WiFi) to visit amibeingtracked.com.
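The same kind of check can be self-hosted. The sketch below is an added example, not code from amibeingtracked.com, Verizon, or the researchers quoted here: a small header-echo endpoint that reports what the server actually received, so a client can compare it with what it sent. The port, the function names and the `TRACKING_HEADERS` set are assumptions made for illustration.

```python
import json
from wsgiref.simple_server import make_server

# Only header named in this article; add others you want to watch for.
TRACKING_HEADERS = {"x-uidh"}

def received_headers(environ):
    """Rebuild lower-cased request headers from a WSGI environ (HTTP_* keys)."""
    return {
        key[5:].replace("_", "-").lower(): value
        for key, value in environ.items()
        if key.startswith("HTTP_")
    }

def injected_headers(sent, received):
    """Headers the server received that the client never sent."""
    sent_names = {name.lower() for name in sent}
    return {n: v for n, v in received.items() if n not in sent_names}

def app(environ, start_response):
    """Echo the request headers as JSON and flag known tracking headers."""
    headers = received_headers(environ)
    report = {
        "headers": headers,
        "tracking": sorted(headers.keys() & TRACKING_HEADERS),
    }
    body = json.dumps(report, indent=2).encode()
    start_response("200 OK", [
        ("Content-Type", "application/json"),
        ("Content-Length", str(len(body))),
        ("Cache-Control", "no-store"),  # a cached reply would hide a change
    ])
    return [body]

if __name__ == "__main__":
    # Serve over plain HTTP: the header is added to unencrypted requests,
    # so an HTTPS endpoint would never see it.
    make_server("", 8000, app).serve_forever()
```

Request the endpoint once over the cellular connection and once over WiFi; a header that appears only in the cellular response, and that the browser or client never sent, was added in transit.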
The Electronic Frontier Foundation has raised its concerns with the Federal Communications Commission, and is contemplating formal legal action to block Verizon.
The only sure way to thwart the X-UIDH supercookie is to use a VPN, the Tor Network, or an encrypted proxy. Any of those choices is difficult when using mobile devices, and probably beyond the sophistication of the average mobile device user.
It is time for customers to insist that Verizon and other companies stop tampering with our Internet traffic without our knowledge or consent. Internet service providers’ forays into using data they collect as part of their service for secondary purposes threaten everyone’s privacy. ISPs have been trusted gateways to the Internet, and intercepting or modifying Internet traffic violates that trust — doubly so when modifications disable security measures we are using to try to protect ourselves.