Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Verizon Advertising Cellphones Privacy The Internet Wireless Networking

Verizon Injects Unique IDs Into HTTP Traffic 206

An anonymous reader writes: Verizon Wireless, the nation's largest wireless carrier, is now also a real-time data broker. According to a security researcher at Stanford, Big Red has been adding a unique identifier to web traffic. The purpose of the identifier is advertisement targeting, which is bad enough. But the design of the system also functions as a 'supercookie' for any website that a subscriber visits. "Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required. ...while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user." Just like they said they would.
This discussion has been archived. No new comments can be posted.

Verizon Injects Unique IDs Into HTTP Traffic

Comments Filter:
  • by Anonymous Coward on Friday October 24, 2014 @04:29PM (#48225379)

    This should be illegal. People have a right to try and avoid being tracked. There has to be a way to prevent this. I'm a sysadmin, not a network guru, so I will defer to those smarter than me here...

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      third party VPN paid for by a cash card

      • by Anonymous Coward

        Or just browse https only

        • Re: (Score:3, Interesting)

          by Anonymous Coward

          To be honest, I don't think this does anything. I think a VPN might be the only current way to avoid this, as your traffic in a VPN tunnel is theoretically not seen by the routers that pass it. I'm not sure if deep packet inspection tools could add the unique ID. I'm not a network engineer, so I don't know for sure. I do know that VPNs of today are rapidly becoming easier to circumvent by those who would do so.

          • I don't think you could modify packets that are in an ssl stream and not have ssl detect it and reject the 'broken' packets.

            https is mostly secure (other than MitM attacks on certs) and vpn's are also very secure.

            I have a vpn and while I use it mostly at home, there is an android client (even for my ancient 2.x android o/s) for the vpn provider I have and so I could get as complete privacy as possible on my phone, while doing inet things.

        • Re: (Score:3, Informative)

          by Anonymous Coward

          TLS from end to end ...

        • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Friday October 24, 2014 @08:12PM (#48226863) Homepage Journal
          And lose access to several websites. Slashdot, for example, redirects HTTPS hits to HTTP for non-subscribers because ad networks have been slow to implement HTTPS. And a lot of shared web hosts don't support HTTPS because their policies haven't been updated in the six months since the last major Server Name Indication-ignorant desktop web browser (IE on Windows XP) reached end of support in April. But HTTPS support is the second biggest reason I stopped going to TV Tropes in favor of All The Tropes (after licensing [slashdot.org]).
    • by 0dugo0 ( 735093 )

      Rig as many webservers as possible to give users with that header a nag screen

    • Re: (Score:2, Insightful)

      by slinches ( 1540051 )

      Don't use Verizon as your ISP?

      • by Charliemopps ( 1157495 ) on Friday October 24, 2014 @04:51PM (#48225575)

        Don't use Verizon as your ISP?

        Personally, I use Verizon and have no other choice for a wireless provider. AT&T has plans to build another tower here in 2021, and it's not like their the champions of my privacy either.

        • That's the problem with monopolies (natural or otherwise). Still, there is an option to sign up for just the phone plans without wireless data and use wired or satellite ISPs for internet access.

          You could also go the route of circumventing the problem (using the methods others have already suggested) with a bit of added effort/cost, but in that case there's no disincentive to help persuade Verizon to stop the program.

          • by tepples ( 727027 )

            Still, there is an option to sign up for just the phone plans without wireless data

            Are you sure Verizon will even activate voice-only service on a smartphone? AT&T sure won't [slashdot.org].

            and use wired or satellite ISPs for internet access.

            And if the DSL ILEC for your area is also Verizon, too bad.

      • by Anonymous Coward on Friday October 24, 2014 @04:58PM (#48225629)

        Unacceptable. Verizon licensed the spectrum from citizens, and therefore has certain obligations.

        This is what should occur. Make use of any spectrum contingent upon a series of consumer friendly policies. Failure to comply requires turning the spectrum and any technology that uses it or assists in its use over to auction. Then establish a rule that prohibits anyone over a pay grade access to any industry that uses spectrum for a predetermined duration.

        If you set the concequesnces high enough than ideas like this get shot down in the board room.

        • bullshit. They bought it from the government, whose representation of its citizens occurs roughly every 5 years for a fortnight. Apart from that time, they do what they like. And even in that fortnight they just tell you what you wanted to hear anyway.

          • USA, so more like every two years for the federal government (this is an election year for congress, though not for the presidency) and it lasts a lot longer than a fortnight (which, it should be mentioned, is a word only very rarely used on this side of the pond) due to the degree of campaigning that people do here (though it's definitely a bigger deal on the presidential years).

            No argument on the "tell you what you wanted to hear anyway" part, though! Something so far removed from the few very carefully c

      • by nazsco ( 695026 )

        > Don't use Verizon as your ISP?

        How quaint. A foreigner.

        well lad, in the US of A, you have the freedom of choosing the ISP that was selected to monopolize your burrough.

        Or you can use the one mobile provider that has good coverage in your city instead, if you don't want to use that pre-selected ISP.

    • by whoever57 ( 658626 ) on Friday October 24, 2014 @05:10PM (#48225701) Journal

      There has to be a way to prevent this

      As a sysadmin, you should know that it is easy and cheap to rent a VPS (Virtual Private Server). Then, run squid on the server, or do some fancy routing to send all your web traffic out via a VPN to your VPS. Since most VPS services offer a minimum of 1TB of monthy data, there should not be any excess data usage charges.

    • You still have the right.

      You just need to decide to not be a Verizon customer.

      • In order to stop being a Verizon customer, someone who requires home or mobile Internet access for his way of life might have to move his family away from territory serviced by Verizon, either as the DSL ILEC or as the only wireless carrier with acceptable coverage. Consensus in comments to previous Slashdot articles is that almost nobody is willing to spend the time and money to move just to change ISPs.
    • by jandar ( 304267 )

      In my jurisdiction is altering data (stored or transmitted) without censent a felony. The action of Verizon is hacking and would here be punishable as such.

  • by Anonymous Coward on Friday October 24, 2014 @04:34PM (#48225437)

    Will tell them to go fuck themselves on this, and make them stop...

  • Free market? (Score:5, Insightful)

    by NotInHere ( 3654617 ) on Friday October 24, 2014 @04:36PM (#48225449)

    They should offer this to the user as an option, where the user has to pay less when tracking is enabled. Otherwise this is abuse of market power to make users agree to being tracked.

    • Re:Free market? (Score:4, Insightful)

      by fox171171 ( 1425329 ) on Friday October 24, 2014 @04:48PM (#48225553)

      They should offer this to the user as an option, where the user has to pay less when tracking is enabled. Otherwise this is abuse of market power to make users agree to being tracked.

      Except it will be the other way around. Pay more to not be tracked.

    • Re:Free market? (Score:4, Insightful)

      by Anonymous Coward on Friday October 24, 2014 @04:52PM (#48225579)

      I think the free market solution would simply be having enough ISPs so that if one pulls stuff like this you can just switch to another. Some sort of "competition". I suggest we find out why there is only one fast ISP per area, and fix that problem.

      • by Bob9113 ( 14996 )

        I suggest we find out why there is only one fast ISP per area,

        Here's a hint: It's the same reason there is only one electricity provider in most areas. Generally, it is not cost efficient to run multiple sets of wires, but everyone wants electricity.

        and fix that problem.

        The solution is the same as with electricity. We've tried all the other solutions, many, many, many times over, and we keep coming back to the same small set of best answers; all over the world, in all kinds of cultures and every shade of We

      • It's called a natural monopoly. It occurs when the capital cost of entering a market is so high as to render doing to prohibitive for all but the first entry.

        Verizon or another of the major ISPs comes first. That means they pay for laying cables, renting mast space, installing equipment and lobbying local government for the appropriate rights. It costs them a fortune, but they can be assured of a return because they'll have 100% of the market - there's no other option for potential customers.

        When another IS

      • Ultimately, utility monopolies arise from cities' ownership of their roads [mises.org]. The solution is for a city to bury empty conduits when it repairs the roads, and then competing ISPs can blow their wires through those conduits.
    • Re:Free market? (Score:5, Insightful)

      by Charliemopps ( 1157495 ) on Friday October 24, 2014 @04:53PM (#48225593)

      They should offer this to the user as an option, where the user has to pay less when tracking is enabled. Otherwise this is abuse of market power to make users agree to being tracked.

      No because they'll quickly value this service at $50 a month to force you into it.

      They should not be altering my HTTP requests. It's wiretapping, plane and simple.

      • by nazsco ( 695026 )

        last time i heard about US ISP/mobile provider shenanigans there was a debate on net neutrality (which the tel cos were wining) arguing that they were not common carriers.

        well, that just goes to prove that they are not common carriers. they can even monetize on the service they are already selling you. they don't consider your communication protected in any way.

        it is like opening a restaurant and selling your scraps to feed cows. except that they are the only restaurant in town. and after 12sec they take aw

  • Does it only apply to Verizon Wireless?

    Does anyone know if FIOS internet uses the same system? I don't have a Verizon Wireless account.

  • HTTPS Everywhere (Score:5, Insightful)

    by watermark ( 913726 ) on Friday October 24, 2014 @04:42PM (#48225513)

    They can't inject into secure traffic. HTTPS solves this problem too.

    • by Burz ( 138833 )

      I intend to use a proxy in addition to HTTPS-E.

    • by Charliemopps ( 1157495 ) on Friday October 24, 2014 @04:54PM (#48225607)

      They can't inject into secure traffic. HTTPS solves this problem too.

      Good idea, I just need to figure out what the http address for slashdot is...

      • by cbhacking ( 979169 ) <been_out_cruisin ... nospAM.yahoo.com> on Friday October 24, 2014 @05:03PM (#48225655) Homepage Journal

        Slashdot actually supports HTTPS just fine. They simply redirect you back to HTTP immediately! Try it yourself: https://slashdot.org/ [slashdot.org] - 302, Location: http://slashdot.org/index2.pl [slashdot.org] - 302, Location: http://slashdot.org/ [slashdot.org]

        I wish I was joking...

        • Slashdot actually supports HTTPS just fine. They simply redirect you back to HTTP immediately! Try it yourself: https://slashdot.org/ [slashdot.org] - 302, Location: http://slashdot.org/index2.pl [slashdot.org] - 302, Location: http://slashdot.org/ [slashdot.org]

          I wish I was joking...

          Any idea why they do this? Of all the sites to not to https...

          • Educated guess?
            The sites made up of custom code written before HTTPS was really all that common. It's such a mess that adding it now would require just as much work as just flat out rewriting the whole site. Last time they tried a site redesigned all the neck beards on here started shooting rocksalt at them and screaming "GET OFF MY LAW!!!"

            I suspect this site barely pays for itself. I do not anticipate any large site redesigns ever.

            • Soylent News runs on Slashcode (although a fork of an earlier version, I think). HTTPS works just fine, as does Unicode and probably a few other things broken on Slashdot. No IPv6 yet but I'm sure it's coming. It's all on Github so it would be fairly trivial to merge it in to Slashdot.

            • TLS (or lack thereof) is, or at least should be, completely transparent to the Perl-based web application powering the site. In fact, the HTTP request itself doesn't even specify anything about the protocol. The request line has the path and stuff after it, and the Host header has the domain name, but doesn't mention the protocol. The absolute minimum they should do would be to return *exactly* the same content over HTTPS that they do over HTTP for a given request (remember, the HTTP traffic is the same whe

          • by _merlin ( 160982 )

            Any idea why they do this? Of all the sites to not to https...

            CPU load. SSL/TLS greatly increases CPU demands on the server(s). For a high-traffic site that costs real money.

            • There are tons of reports (just google them) of the server side cpu load being minimal to encrypt traffic. My guess is either the load balancing setup they have doesn't support SSL or their 3rd party ad network doesn't.

              In general, I think sites don't support https because of a) the extra cost of a cert, b) they don't care, c) the extra cost of a dedicated IP (SNI isn't supported on IE on XP). You can say "screw XP" all you want, but a good 20% still (of at least my traffic) comes from IE on XP.

          • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Saturday October 25, 2014 @08:43AM (#48228709) Homepage Journal
            For all users other than subscribers and karma-capped users who have checked "Disable Advertising", Slashdot is funded by advertisements. Using an HTTP ad network from an HTTPS site would be blocked as mixed content, and HTTPS support among ad networks is very new. AdSense, for example, didn't support HTTPS until September of last year.
        • Well I have a free (albeit older) Slashdot account and it doesn't redirect me to http when i follow the https link above.

          I think they're just limiting non-logged in access to http, not subscriber (paid) only access.

          -Harodotus
    • They can't inject into secure traffic. HTTPS solves this problem too.

      For cellular at least, Verizon keeps pretty tight control over what devices they allow on their network. All they would need to do is to start shipping phones with a Verizon root cert installed that can't be removed. Phone trusts the cert, Verizon proxy performs MITM on SSL traffic...

      • Re:HTTPS Everywhere (Score:4, Interesting)

        by TheGratefulNet ( 143330 ) on Friday October 24, 2014 @08:54PM (#48227033)

        quite a valid point!

        just like you can NEVER trust a windows (or mac or even linux box) that was not setup by you, especially if its a corporate box that was given to you pre-installed.

        almost every company of mid-size or larger preinstalled MitM certs for their spying firewalls. they don't tell employees that, but netadmins and sysadmins pretty much all know this.

        I work at a large networking company and they didn't tell me WHAT they do or HOW they'd spy on me, but I found out via a friend (in germany) exactly what they are doing. in .de, you have to disclose to the employees a lot more than the US requires you to do, and he relayed the info to me about how our corp laptops come preinstalled with corp spyware. ability to active mic, camera, screen caps, all that bullshit in addition to traffic logging.

        I'm a network mgmt guy and when I was out interviewing for jobs (the last few years) almost all of them involved DPI and MitM attacks, even though they tried to explain it away as 'troubleshooting information' and 'for the users benefit'. quite bullshitty but they said it with a straight face, like they believe their own BS.

        you guys have to start realizing that corp america is all about privacy invasion; of customers and employees, alike. if you have a corp laptop, do NOT login to your home email systems and keep your work laptops entirely clean of anything personal and home related. yeah, even if you see the lock icon on the browser, it means nothing anymore, in a corp LAN.

        • And people wonder why I buy my own hardware for work, don't use a company-supplied laptop or phone, and always connect to the corporate net using a VM and never from the host OS...

  • Step #6 image should have been this instead:

    https://doodleaday.files.wordpress.com/2012/03/doodle-1016-money-bags.jpg

    I think it illustrates whats happening more appropriately...

    • Step #6 image should have been this instead:

      https://doodleaday.files.wordpress.com/2012/03/doodle-1016-money-bags.jpg

      I think it illustrates whats happening more appropriately...

      Except, it's more like pennies. That's what's hilarious about all this privacy invading nonsense we've been subjected to. It's not valuable. They do not make more money with it. Sure, at first it sounds like a great idea. But the mountains of data it generates quickly become completely useless and you just end up sitting on it all and doing nothing with it. I've dealt with marketing people and seen them install their huge data tracking software packages that they paid fortunes for. Several years later and t

    • Appropriate that you share the link HTTPS :)

  • by chefmonkey ( 140671 ) on Friday October 24, 2014 @04:52PM (#48225583)

    I wonder... if we wrote addons for popular browsers that would inject bogus X-UIDH headers into every request, whether we could make this kind of inappropriate privacy intrusion prohibitively expensive. If it works as he surmises, maybe we can overwhelm Verizon's ad exchange platform with meaningless data.

    • This plan. I like this plan! Put a random value in the header on every request. If you're not on Verizon, it'll look like you are (but as a different person every time). If you *are* on Verizon, you may just confuse the software that is adding those headers, or that is logging them. Poison their tracking data with meaningless garbage, and make it *cost* Verizon money to try and track us.

      Well, that and use HTTPS everywhere possible, of course. But that requires that the sites you use allow people to do so (*AHEM* Slashdot, looking at you...)

      Oh, and don't use Verizon. That's the best way to hit them in the pocketbook, by far. I like the idea of sending the header even when you don't use Verizon though, as a general-purpose "fuck you!" to them.

      • by Burz ( 138833 )

        No, not this plan! Since the modified tag is only transmitted from Verizon to advertising sites, Verizon could very easily just strip out all X-UIDH headers coming from you before adding their own.

    • by Mr. Sanity ( 1161283 ) on Saturday October 25, 2014 @01:32AM (#48227795)

      Since they're the ones adding the header, the client setting the header is futile. Verizon's version will clobber it.

      However, if you happen to run some intermediary servers that handle traffic once a backbone layer is crossed, then you can clobber their value.

  • by rogoshen1 ( 2922505 ) on Friday October 24, 2014 @05:07PM (#48225681)

    God. it's like you people don't even appreciate the value added service they are *GIVING* away here. Who wouldn't want to see more perfectly tailored and targeted ads -- some of which even include *VIDEO* again, completely for free.

    You have to pay for cable right? The same thing applies, you're getting the service you paid for (TV shows, home shopping channels) with the added bonus of free to view advertisements.

    In both cases they're simply giving away high quality, hopefully relevant audio and video. I think that's super generous of them.

    And for no charge! And yet, you people still bitch. Absolutely shameful.

    • by sconeu ( 64226 )

      +1.

      The sad part is that some idiots will not see the implied <SARCASM> tags.

      • My browser doesn't render sarcasm tags properly. It's really annoying.
        • ... I have this sudden urge to write a browser extension. I'm not sure *how* I want it to render <sarcasm> tags, but I think I do want it to do so. Just in case.

  • by jtara ( 133429 ) on Friday October 24, 2014 @05:28PM (#48225837)

    Don't want your carrier messing with your traffic?

    Use HTTPS.

  • Hello Vodafone (Score:5, Informative)

    by wabrandsma ( 2551008 ) on Friday October 24, 2014 @05:43PM (#48225943)
    From: Using Browser Properties for Fingerprinting Purposes [utwente.nl].

    Vodafone injects the X-VF-ACR header: 'Vodafone Anonymous Customer Recognition'. It is unclear what this header exactly does; all headers that have been seen start with the string "204004DYNMVFNLACR", followed by 16 X's, and are followed by a BASE64-encoded 256-byte cyphertext, which we were unable to decrypt. It has been suggested that this string might contain the SIM-card identifier (IMSI) or other personal information, as was found in a research conducted by Mulliner in 2010 [14]. Vodafone did not respond to requests of explaining this header. Nevertheless, the presence of this header, certainly identifies customers of Vodafone as being customers of Vodafone.

  • Just another reason not to spend your money with Verizon.

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...