Over Easy: “Zombie Cookies” Have 9 Lives!
Last November at Over Easy we talked about a new kind of tracking cookie, in the form of a unique identifying number, that Verizon and AT&T were inserting into Web traffic from those carriers’ cell phones to monitor our behavior on our mobile devices where traditional tracking cookies are not as effective.
Verizon has been quietly tracking the Internet activity of more than 100 million cellular customers by inserting “supercookies” into their cell phone web browsing — powerful markers that even sophisticated users find it difficult to evade. The tracker functions even if a customer uses a private browsing mode or clears cookies. Privacy advocates say this tracking can expose our Internet behavior to outsiders, including to government intelligence services, and also may violate federal telecommunications and wiretapping laws.
Since that post, AT&T announced that it was no longer using those tracking numbers. Verizon, however, made no such announcement.
Thanks to ProPublica’s ongoing Dragnets investigations, we learn that an online company called Turn uses this tracking number to “respawn” cookies that users have attempted to delete. (My bold throughout.)
An online advertising clearinghouse relied on by Google, Yahoo and Facebook is using controversial cookies that come back from the dead to track the web surfing of Verizon customers.
It works like this: When a user visits a website that contains Turn tracking code, the company holds an auction within milliseconds for advertisers to target that user. The highest bidder’s ad instantly appears on the user’s screen as the web page loads. Turn says it receives 2 million requests for online advertising placements per second.
Now if you have read my previous posts here at Over Easy about all of the ways we are tracked, monitored, and targeted, you may be thinking, “So what else is new here?” A few things about this story jumped out at me from the ProPublica report:
Some users try to block such tracking by turning off or deleting cookies. But Turn says that when users clear their cookies, it does not consider that a signal that users want to opt out from being tracked.
The company says the only way to opt out is to install a Turn opt-out cookie on your device. BUT that cookie does not prevent Turn from collecting data on a user who opts out; its supposed purpose is only to prevent Turn from showing targeted ads to a user. ProPublica’s tests showed that Verizon users who installed the Turn opt-out cookie continued to receive the Turn tracking cookie. But despite the appearance of the tracking cookie, Turn still claims to honor the opt-out cookie.
But wait, there’s more!
Initially, Turn officials also told ProPublica that its zombie cookie had a benefit for users: They said they were using the Verizon number to keep track of people who installed the Turn opt-out cookie, so that if they mistakenly deleted it, Turn could continue to honor their decisions to opt out.
But ProPublica tested it against the Network Advertising Initiative’s Consumer Opt-out tool, and cookies still were present. Turn blamed a glitch and claimed to fix it, but it was not fixed. And the supposed fix does not address respawning of cookies that users have deleted, because Turn does not regard the act of cookie deletion an indication of user intent to opt out. The mind, she boggles!
There’s a handy informative chart near the bottom of the ProPublica article that compares Verizon cookies, “normal” HTML cookies, and Zombie cookies in several respects: (a) whether each assigns a tracking number (all do), (b) where the number is located, (c) whether you can find and delete it, and (d) who can see it and use it to track you. The chart concludes,
How about the NSA? Yep, they could use it.
Zombie Cookie illustration created by David Sleight and Hannah Birch at ProPublica