Verizon gives 120 million customers a cookie they can’t delete

Mark Stockley

Verizon Wireless has been caught with their hand in the cookie jar, so to speak.

It emerged last week that the cellular provider has been adding a unique identifier to its cell phone customers’ web traffic – the identifier can be used to track a user’s actions in exactly the same way as a cookie can but, unlike a cookie, it can’t be deleted.

An HTTP header containing a device-specific ID is tacked onto outgoing web traffic as it passes through Verizon’s network, after it has left their users’ phones and before it hits the internet.

The identifier is part of Verizon’s Relevant Mobile Advertising program but, as annoying as targeted ads can be, that’s not the reason I’m writing about it.

The problem with the identifier is a side-effect – the fact that it is sent to every website you visit, always. Even if you opt out of Relevant Mobile Advertising that pesky HTTP header gets added to every request that leaves your phone.

The ID itself doesn’t contain any useful information but it can be used to determine that different requests for web pages, images and other files have come from the same device.

And that’s exactly what you need if you want to track somebody online.

And unlike the cookies, Flash Cookies, Web Storage or ETags that are normally used for tracking, you can’t hide yourself by deleting it.

If you have taken steps to protect your privacy by using private browsing or by blocking or regularly deleting cookies then Verizon has unintentionally undone your good work and gifted every website you visit a hook to hang its tracking on.

The flaw was first noticed by Jacob Hoffman-Andrews from the Electronic Frontier Foundation (EFF) who announced it with this Twitter equivalent of a ‘face-palm’:



I don’t know how I missed this: Verizon is rewriting your HTTP requests to insert a permacookie? Terrible.

The tweet links to an article on the Advertising Age website that explains how Verizon’s advertising model works. Completely unintentionally, it nails the privacy problem too with this description:

It’s a cookie alternative for a marketing space vexed by the absence of cookies.

Yes it is.

Since then Hoffman-Andrews has suggested that Verizon isn’t alone in fiddling with their customers’ traffic.



Looks like AT&T has a similar header, and I’ve heard reports about Sprint. Visit scooterlabs.com/echo from cell data to check.

It wouldn’t be a surprise to learn that others are doing this – they certainly wouldn’t be the first. In January 2012 mobile carrier O2 were caught adding uniquely identifiable HTTP headers to their customers’ outgoing web traffic.

Only in O2’s case it wasn’t just long, meaningless strings that were being used as IDs – it was customers’ own phone numbers.

What Verizon has done is far from the worst thing that’s happened on the internet but it is, at best, a careless snub to any of their customers who take steps to manage their online privacy.

So, if you’re one of the 120 million customers who might be affected by this, what can you do to put your privacy choices back in your own hands?

Because the header is tacked on to HTTP requests that have already left your phone there are no apps or browser add-ons you can install on your phone that will remove it.

However it can’t be added in the first place if you connect to the internet using a Virtual Private Network or Wi-Fi, or if you use the cell network but only browse websites that are available over HTTPS.
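An added example, not part of the original article: a minimal check for the in-transit header insertion described above, comparing what a client sent with what an echo server under the tester's control received over plain HTTP. The header name `X-Example-Subscriber-Id`, the host `echo.example` and the ID value are constructed placeholders, not the carrier's real ones.

```python
import re

# Single opaque token, 20+ chars of base64/hex alphabet: the shape of a device ID.
ID_LIKE = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")

def parse_headers(raw: bytes) -> dict:
    """Header section of a raw HTTP/1.x request as {lowercased name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def changed_in_transit(sent: bytes, received: bytes) -> dict:
    """Headers the server saw that the client never sent, or saw altered."""
    s, r = parse_headers(sent), parse_headers(received)
    return {
        name: {"value": value,
               "change": "added" if name not in s else "modified",
               "id_like": bool(ID_LIKE.match(value))}
        for name, value in r.items() if s.get(name) != value
    }

def persistent_ids(diffs: list) -> set:
    """Names of ID-like changed headers carrying the same value in every request."""
    names = set()
    for name, info in diffs[0].items():
        if info["id_like"] and all(
                d.get(name, {}).get("value") == info["value"] for d in diffs):
            names.add(name)
    return names

# Constructed sample data: header name and ID value are hypothetical placeholders.
TOKEN = b"Q0RFRkdISUpLTE1OT1BRUlNUVVZXWFla"

def _req(path: bytes, extra: bytes = b"") -> bytes:
    return (b"GET " + path + b" HTTP/1.1\r\nHost: echo.example\r\n"
            b"User-Agent: test-client\r\n" + extra + b"\r\n")

INJECTED = b"Via: 1.1 proxy.example\r\nX-Example-Subscriber-Id: " + TOKEN + b"\r\n"
SENT = [_req(b"/a"), _req(b"/b")]                          # as built on the phone
RECEIVED = [_req(b"/a", INJECTED), _req(b"/b", INJECTED)]  # as logged by the server
DIFFS = [changed_in_transit(s, r) for s, r in zip(SENT, RECEIVED)]

if __name__ == "__main__":
    print(DIFFS[0])
    print("stable identifier headers:", persistent_ids(DIFFS))
```

A header such as `Via` is routinely added by proxies and is reported without being flagged as ID-like; the privacy concern is an added header whose opaque value stays the same across requests.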

Mark Stockley is the founder of independent web consultancy Compound Eye and he's interested in literally anything that makes websites better.

7 Replies to “Verizon gives 120 million customers a cookie they can’t delete”

  1. "If you have taken steps to protect your privacy by using private browsing or by blocking or regularly deleting cookies then Verizon has unintentionally undone your good work and gifted every website you visit a hook to hang its tracking on."

    BULLSH1T! It isn't unintentional at all. What a stupid assumption or what a stupid paid idiot spokesperson. It's part of their targeted advertising and tracking devices is its intended purpose. Stupid stupid stupid. Your credibility is bad enough maybe you can be in White House press pool now.

    1. I don't think you understand what's happening here.

      Of course ISPs compromising users' privacy *with advertising* is a problem but that's not the point of the article, it's not news and I didn't defend it. I said:

      "The identifier is part of Verizon’s Relevant Mobile Advertising program but, as annoying as targeted ads can be, that’s not the reason I’m writing about it."

      Verizon add the header so they can conduct their advertising programme. The problem is that its effects are not confined to the advertising program. The ID can be used by websites who aren't part of the advertising program and the ID persists even when users have opted out.

      The advertising program has been implemented so carelessly that it could be used to compromise the privacy of Verizon customers who aren't taking part.

  2. Nothing Verizon does would surprise me. If they will force sync a phone that has syncing turned off, they will do anything.

  3. I would venture a guess that Verizon is not the only one doing this. Privacy has been trampled in this country and our elected officials are complicit

  4. Go here to access the email addresses of Verizon Wireless' Leadership Team and write to them to complain!

    http://www.verizonwireless.com/aboutus/leadership/executive.html
