Ad Company Using Verizon Tracking Header To Recreate Deleted Cookies

itwbennett writes The story began a few months ago when it was reported that both Verizon and AT&T were injecting unique identifiers in the Web requests of their mobile customers. AT&T has since stopped using the system, but Verizon continues. Now, Stanford computer scientist Jonathan Mayer has found that one advertising company called Turn, which tracks users across the Web when they visit major sites including Facebook, Twitter, Yahoo, BlueKai, AppNexus, Walmart and WebMD, uses the Verizon UIDH to respawn its own tracking cookies.

Even worse...

[monkeyzoo]

“If a Verizon customer tethered with their phone, their notebook could get stuck with the zombie value. (The ultimate in cross-device advertising!) And the zombie value could spread between cookie stores on a device, including between the web browser and individual apps. (The ultimate in inter-app advertising!)”

Re:

[colordotmatrix]

Which leads to World War Z!!!!!

See, there IS an app for everything!!!!

Re:

[ArsonSmith]

Even this kind of invasive privacy violation and data gathering isn't as bad as that movie was.

Re:

[Zontar The Mindless]

Still stuck on last year's meme? I hear that you can get help for that [memegenerator.net] now.

Re:Que calls for net neutrality...

[fightinfilipino]

So Verizon inject encrypted cookies that identify the user, then sell the decryption key to add companies, so they can track users. I'd be reviewing the terms and conditions of the internet service. Surely they don't allow tampering? People should shame Verizon publicly and leave them, but calls for net neutrality laws are misguided. Verizon makes money from this, so they should end up cheaper than competitors who don't do this. Customers are free to choose to have less privacy for a cheaper service. Regulation isn't needed.

the "market" does not correct for corrupt practices like these, despite every libertarian fantasy to the contrary.

you can change government providers!

[Anonymous Coward]

But you can change government providers.

There's another government provider to the north of the US and another government provider to the south of the US. Along with more than a hundred other government providers. There's also plenty of other local and regional government providers if your problem is just with your local provider.

Re:

[operagost]

Your assertion is based on... what?

Re:

[Anonymous Coward]

Monopolies... Past experience. It is not an assertion, but fact backed by empirical evidence.

Re:Que calls for net neutrality...

[PopeRatzo]

Your assertion is based on... what?

What is the "free market" mechanism for dealing with corporate intrusions that are unknown to the consumer?

When you have third parties making money off of your data without your permission, and you are not their customer, which free market recourse is available to you?

The "free market" is just a myth used to make people like you think you have some agency in an economy where you are the consumable. There is no such thing as a free market. It has never existed, and can never exist. It's a fairy tale told to slaves.

Re:

[0123456]

What is the "free market" mechanism for dealing with corporate intrusions that are unknown to the consumer

Competitors.

Phone companies can only get away with crap like this because the government gave them a monopoly on parts of the EM spectrum.

But, hey, feel free to blame the EVIL FREE MARKET if it gets you hot in your pants.

Re:

[PopeRatzo]

Genius, how is competition going to help dealing with corporate intrusions that are unknown to the consumer because the consumer really isn't the customer in these third-party transactions?

"Competition" only helps when you have sufficient information to make a decision.

And yes, I blame the EVIL FREE MARKET THAT DOES NOT EXIST for your lack of reading comprehension.

Re:Que calls for net neutrality...

[jfengel]

And even if it were to eventually... it certainly isn't right now. Your privacy has been invaded for weeks or months. That is a fait accompli; no market reaction can undo that.

That's the thing I find baffling about the libertarian fantasists. Even if in some kind of long-term it were to eliminate some kind of abuse, it can't reverse the effects of that abuse. Pollutants stay in the environment. People injured by dangerous products remain injured. Patients who die from counterfeit medicines stay dead. You can't sue your way whole.

There are many other reasons why the market isn't nearly as frictionless as libertarian theorists like to imagine. But right here, in this case, we've got an example: you will never regain the privacy that you lost because of this. Even if you switch providers, and that forces them to change the policy, it won't return the privacy you've already lost. Markets simply aren't frictionless, and that friction makes the notion that "the market fixes everything" just plain false.

That's not to say we need infinite regulations on everything. The right level of regulation is difficult and complex, and has to be worked out as a compromise. I'm just pointing out that "oh, it'll all be OK, we never need to do anything at all" isn't a helpful contribution to that compromise.

Re:

[myforwik]

Ummm the customers and Verizon have a contract. It's either broken or it isn't. It's only corruption if they are breaking the contract and rigging the justice system so no one can get at them for breach. I'd say it's much more likely people are just lazy and don't read any of the terms and conditions they agree to. In many countries there are free/cheap isp's who work by injecting ads. Under net neutrality these wouldn't exist.

Re:

[DarkOx]

The market only fails because we essentially have a duopoly of nationwide carriers and that is ONLY possible because of regulation, in the first place.

Admittedly its very likely without the likes of the FCC the idea of nation wide cellular carrier being able to exist at all is unlikely. Just think VZW and AT&T had to negotiate with every locality and try to get spectrum easements in the same band but...this isn't the point.

You don't get to have it both ways any more than Libertarians do, you can't blam

it's actually the opposite

[rsilvergun]

We have a dualapoly because of a lack of regulation. at&t and Verizon have been buying up competitors for years. There's a funny video of one of the guys from The Daily Show showing how AT&T undid their breakup through mergers

Does correct

[SuperKendall]

the "market" does not correct for corrupt practices like these

Public shaming stopeed AT&T from doing this.

In my corner of the "market", things like these led me to switch from Verizon to T-Mobile.

Your confusion seems to be that the "market" must correct instantly, instead of over time.

The benefit of market correction is it's more natural in reaction, and proportionate to the problem.

The model you'd prefer is a regulatory approach, which at this point is inherently corrupt and alarmist - your approach br

Re:

[countach74]

An outcome that does not yield your personal preference of goodness or morality is not proof of the market not working. Rather, this sort of thing conveys that people just don't care.

Re:

[Anonymous Coward]

It's all supply and demand. They don't price their products based on cost, but on how much people are willing to pay. Just like apple doesn't set it's prices based on the cost of components.

It would probably have been more correct to say: Verizon makes money from this, so they should end up making more money than competitors who don't do this.

Verizon just keeps getting better.....

[colordotmatrix]

Oh, I'm sorry, that must have been one of my OTHER personalities!!!!

lumascape

[Anonymous Coward]

if you haven't ever waded thru pcap traffic of adfraud, you may not be familiar with this steaming shitpile.

http://www.lumapartners.com/wordpress/wp-content/uploads/2012/04/Display-LUMAscape_2012-04-05.jpg

turn, bluekai, and appnexus are all companies in the lumascape group.

Re:Easy fix

[myforwik]

If they are injecting headers, that still won't work. Every http request will be identifying you. You need to browse in https and comfirm that your Verizon phone isn't using some dodgy built in Verizon CA. It is always a good idea to browse in privacy mode, especially because bank sites and other sites could have flaws like cross site scripting.

Re:

[in10se]

Someone didn't RTFA. Neither of those things will prevent this. The tracking is injected into the HTTP headers by the ISP. Even if you don't accept their cookie, they can still track you.

Re:Easy fix

[DarkOx]

I wonder if we could fuck with this services though by creating a Mozilla addon that inserts this header and fills it with some random garbage on each request. If enough people used it maybe we could DOS their database by filling it with UUID seen only once?

Re:

[JohnFen]

I wonder if we could fuck with this services though by creating a Mozilla addon that inserts this header and fills it with some random garbage on each request. If enough people used it maybe we could DOS their database by filling it with UUID seen only once?

No, that wouldn't work. The header is inserted well after the request leaves your phone. If you insert the header yourself first, it will just get overwritten once you've sent it.

Re:

[The MAZZTer]

He's suggesting non-Verizon users do this to protect Verizon users.

Re:

[JohnFen]

Ahh, I understand. You'd also have to not be an AT&T user. Best bet is to actually test for header injection first, since we don't really know all the carriers that do this. Particularly with the small carriers, since they are just reselling service from the major carriers.

Re:

[dkman]

Only if you're request is going through Verizon. If it were a Firefox Addon I would be sending these fake headers from my PC which isn't going through Verizon.

You may say "why do I care if I don't use Verizon?" and I'll respond with "and first they came for the Jews". If you think that's a big jump, well maybe it is, but you need to protect rights for all of the people or you don't deserve the rights you have.

Re:

[toddestan]

The idea is that people not using Verizon could do this, and pollute their databases with garbage data. It likely wouldn't affect their ability to track actual Verizon users, but it could make it more difficult to do so by burying them in garbage. Only problem is that I can think of a couple of easy technical solutions to easily filter out most of the "noise".

Re:

[Kazoo the Clown]

How about creating a proxy server that sanitizes the header. You browse to https://myproxyserver.com/get?... [myproxyserver.com] and it pulls up the page after cleaning the headers. And it patches all the links on the page to also go through the proxy so you can simply surf away... I'd think such servers might exist already...

Re:

[Kazoo the Clown]

Oops, I didn't intend to create a plug for that site, I didn't know it actually existed and is some kind of proxy service...

Re:

[psyclone]

For fake domains and URLs you should always use the RFC approved "example.tld" such as https://myproxy.example.org/ [example.org]...

Re:

[mlts]

The header injections work no matter what. Visit lessonslearned.org/sniff as proof of this.

It isn't too tough to fix -- use an encrypted VPN.

Re:

[Agripa]

It isn't too tough to fix -- use an encrypted VPN.

I have used a VPN to my home machine to avoid these kinds of issues but my home ISP could always start doing the same thing.

Start the doxxing ...

[Anonymous Coward]

All of these greedy assholes who run these companies which exist to violate our privacy?

They've all given up any right to privacy and to be treated like humans.

Start doxxing the fuckers. Release their home addresses, phone numbers, baking information. release every mother fucking piece you can find on them, their families, their friends, their business partners.

If they want to make their living by trading on our personal information without our consent, then they utterly deserve to be driven into the grou

Re:

[myforwik]

Or you could just... Use another carrier and educated users so they could make an informed decision. Also your anger is misplaced. You focus it on just one of the several parties involved. If you are being tracked, you are visiting sites that knowingly deal with these people and get income from dealing with these people. So your actions would just harm the very sites you seem to want to visit so much. Wouldn't it be a better idea to just not go to sites who use these ad companies? Not use the network of

Re:

[Agripa]

Start doxxing the fuckers. Release their home addresses, phone numbers, baking information. release every mother fucking piece you can find on them, their families, their friends, their business partners.

And then attach a note identifying your "tracking brick" and start throwing it through their windows.

Only iOS?

[sdguero]

I just tried this URL on three Verizon phones:

http://uidh.crud.net/ [crud.net] On all browsers on the Android phones, no ehader was detected. THe iphone we tested, there was a header insertion.

I assume this is due ot a "no track" setting at the browser application level. Interesting that androids browsers have it enabled but iphone browser does not.

Re:

[LessThanObvious]

It shows up on mine. I did not previously, but from what I understand it depends on the tower to which you are connected as much as the phone. I have already done Verizon's opt-out which of course does not turn it off, but rather just stops them from selling the data.

Anyone have good reason to believe there is an alternate carrier that actually has decent respect for privacy? I'd like to ditch Verizon as soon as my contract is up.

Re:

[dkman]

I use Ting. It's a smaller service that piggybacks on Sprints network. They seem really good. I haven't dug to this level to make sure they don't do anything screwy, but if nothing else they aren't charging what Verizon does. You don't need to pick service levels, you only pay for as much as you use. I could have 3 phones on Ting and pay 1/2 of what I'd pay for 1 phone on Verizon.

Re:

[JohnFen]

I assume this is due ot a "no track" setting at the browser application level.

The browser has nothing to do with this at all, and there's nothing a browser (or any other software you can run on the phone) can do about it short of using a VPN.

When you did your tests on the Android phone, are you quite certain that you weren't using the WiFi connection? The tracking header is only inserted into traffic that goes over the cell network.

Re:

[sdguero]

Yes, quite certain WIFI was disabled on all devices tested. I also tested the android phones in two different geographical locations in San Diego.

Only the iphone/safari that I tested showed header insertion.

I found this on reddit, some people reporting that same thign I'm seeing...

https://www.reddit.com/r/priva... [reddit.com]

Re:Only iOS?

[JohnFen]

There are only three possible explanations for this: the two phones were using different carriers, or they were being tested in different geographical locations, or the cell carrier itself is making the distinction for some weird reason. The header injection itself is totally unrelated to the phone, the operating system, or what the software on the phone does.

VPN to some endpoint

[Virtucon]

VPN to some endpoint outside of VZ's network.

Simple(r) answer

[Rick Zeman]

"So, what’s a Verizon subscriber to do?,"

Dump Verizon.

It's worse-Verizon also injects for non-customers!

[BUL2294]

Verizon also injects the UIDH header even for those who aren't Verizon customers--like those of Straight Talk, a reseller that uses Verizon's network.

From https://www.eff.org/deeplinks/... [eff.org]

Because the header is injected at the network level, Verizon can add it to anyone using their towers, even those who aren't Verizon customers. Notably, Verizon appears to inject the X-UIDH header even for customers of Straight Talk, a mobile network reseller (known as a MVNO) that uses Verizon's network. Customers of Straight Talk don't necessarily have a relationship with Verizon.

Dark Lord of the Sith says...

[petergriffinismyhero]

Man, those guys at Verizon are getting the job done. I gotta step up my game.