Verizon gives 120 million customers a cookie they can't delete

Verizon Wireless has been caught with their hand in the cookie jar, so to speak.

It emerged last week that the cellular provider has been adding a unique identifier to its cell phone customers' web traffic - the identifier can be used to track a user's actions in exactly the same way as a cookie can but, unlike a cookie, it can't be deleted.

An HTTP header containing a device-specific ID is tacked onto outgoing web traffic as it passes through Verizon's network, after it has left their users' phones and before it hits the internet.

The identifier is part of Verizon's Relevant Mobile Advertising program but, as annoying as targeted ads can be, that's not the reason I'm writing about it.

The problem with the identifier is a side-effect - the fact that it is sent to every website you visit, always. Even if you opt out of Relevant Mobile Advertising that pesky HTTP header gets added to every request that leaves your phone.

The ID itself doesn't contain any useful information but it can be used to determine that different requests for web pages, images and other files have come from the same device.

And that's exactly what you need if you want to track somebody online.

And unlike the cookies, Flash Cookies, Web Storage or ETags that are normally used for tracking, you can't hide yourself by deleting it.

If you have taken steps to protect your privacy by using private browsing or by blocking or regularly deleting cookies then Verizon has unintentionally undone your good work and gifted every website you visit a hook to hang its tracking on.

The flaw was first noticed by Jacob Hoffman-Andrews from the Electronic Frontier Foundation (EFF) who announced it with this Twitter equivalent of a 'face-palm':



I don't know how I missed this: Verizon is rewriting your HTTP requests to insert a permacookie? Terrible.

The tweet links to an article on the Advertising Age website that explains how Verizon's advertising model works. Completely unintentionally, it nails the privacy problem too with this description:

It's a cookie alternative for a marketing space vexed by the absence of cookies.

Yes it is.

Since then Hoffman-Andrews has suggested that Verizon isn't alone in fiddling with their customers' traffic.



Looks like AT&T has a similar header, and I've heard reports about Sprint. Visit scooterlabs.com/echo from cell data to check.

It wouldn't be a surprise to learn that others are doing this - they certainly wouldn't be the first. In January 2012 mobile carrier O2 were caught adding uniquely identifiable HTTP headers to their customers' outgoing web traffic.

Only in O2's case it wasn't just long, meaningless strings that were being used as IDs - it was customers' own phone numbers.

What Verizon has done is far from the worst thing that's happened on the internet but it is, at best, a careless snub to any of their customers who take steps to manage their online privacy.

So, if you're one of the 120 million customers who might be affected by this, what can you do to put your privacy choices back in your own hands?

Because the header is tacked on to HTTP requests that have already left your phone there are no apps or browser add-ons you can install on your phone that will remove it.

However, it can't be added in the first place if you connect to the internet using a Virtual Private Network or Wi-Fi, or if you use the cell network but only browse websites that are available over HTTPS.
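To check whether a connection is affected, compare the headers your browser sent with the headers a header-echo page reports receiving, across sessions where cookies were cleared in between. The sketch below is an added example, not code from the article or from Verizon; the header names, values and the `echo.example` host are constructed stand-ins, and the "received" dictionaries represent what such an echo page would show.

```python
# Constructed sample data: names and values are invented for illustration
# and are not the real carrier header.
SENT = {"Host": "echo.example", "User-Agent": "ExampleBrowser/1.0", "Accept": "*/*"}
# Echo-page output for two plain-HTTP requests over cell data (cookies cleared
# between them) and for one HTTPS request.
HTTP_SESSION_1 = {**SENT, "X-Example-Subscriber-Id": "CONSTRUCTED-ID-0001",
                  "X-Example-Request-Id": "a1"}
HTTP_SESSION_2 = {**SENT, "x-example-subscriber-id": "CONSTRUCTED-ID-0001",
                  "X-Example-Request-Id": "b2"}
HTTPS_SESSION = dict(SENT)


def normalise(headers):
    """HTTP header names are case-insensitive, so fold them before comparing."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def injected_headers(sent, received):
    """Return headers the server received that the client never sent."""
    sent_names = normalise(sent)
    return {n: v for n, v in normalise(received).items() if n not in sent_names}


def persistent_identifiers(sessions):
    """Given (sent, received) pairs from separate sessions, return injected
    headers whose value is identical every time: the ones usable for tracking.
    At least two sessions are needed to call a value persistent."""
    injected = [injected_headers(s, r) for s, r in sessions]
    if len(injected) < 2:
        return {}
    first = injected[0]
    return {n: v for n, v in first.items()
            if all(other.get(n) == v for other in injected[1:])}


if __name__ == "__main__":
    cell_http = [(SENT, HTTP_SESSION_1), (SENT, HTTP_SESSION_2)]
    print("stable injected headers:", persistent_identifiers(cell_http))
    print("injected over HTTPS:", injected_headers(SENT, HTTPS_SESSION))
```

A header that appears only on the server side and keeps the same value after cookies are cleared is the tracking hook described above; a per-request value that changes each time is not.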


7 Responses

  1. thecrud

    October 29, 2014 at 1:08 am #

    Nastier than Ebola.

    I am switching carriers when I move to the plus but they are not on the list.

  2. F#%K Verizon

    October 29, 2014 at 2:50 pm #

    "If you have taken steps to protect your privacy by using private browsing or by blocking or regularly deleting cookies then Verizon has unintentionally undone your good work and gifted every website you visit a hook to hang its tracking on."

    BULLSH1T! It isn't unintentional at all. What a stupid assumption or what a stupid paid idiot spokesperson. It's part of their targeted advertising and tracking devices is its intended purpose. Stupid stupid stupid. Your credibility is bad enough maybe you can be in White House press pool now.

    • Mark Stockley in reply to F#%K Verizon.

      October 29, 2014 at 5:33 pm #

      I don't think you understand what's happening here.

      Of course ISPs compromising users' privacy *with advertising* is a problem but that's not the point of the article, it's not news and I didn't defend it. I said:

      "The identifier is part of Verizon’s Relevant Mobile Advertising program but, as annoying as targeted ads can be, that’s not the reason I’m writing about it."

      Verizon add the header so they can conduct their advertising programme. The problem is that its effects are not confined to the advertising program. The ID can be used by websites who aren't part of the advertising program and the ID persists even when users have opted out.

      The advertising program has been implemented so carelessly that it could be used to compromise the privacy of Verizon customers who aren't taking part.

    • T in reply to F#%K Verizon.

      October 29, 2014 at 10:28 pm #

      right on. just like when apple and on star got busted for tracking their customers movements.

  3. Jim Carpenter

    October 29, 2014 at 6:49 pm #

    Nothing Verizon does would surprise me. If they will force sync a phone that has syncing turned off, they will do anything.

  4. J

    October 30, 2014 at 2:10 pm #

    I would venture a guess that Verizon is not the only one doing this. Privacy has been trampled in this country and our elected officials are complicit.

  5. Maggie

    October 30, 2014 at 3:38 pm #

    Go here to access the email addresses of Verizon Wireless' Leadership Team and write to them to complain!

    http://www.verizonwireless.com/aboutus/leadership/executive.html
