
Fixing Verizon's Supercookie

New submitter ferro lad sends a story about Verizon's so-called supercookie, a unique identifier they add to web traffic going across their network to help advertisers target their ads better. A new article at Slate demonstrates how Verizon could fix the identifier so that ad companies would have a harder time misusing it — something they've already been shown to do. "...with just a tiny amount of effort, Verizon could maintain its current business while substantially preventing the misuse of its UID headers." Of course, for privacy-conscious users, the ability to get rid of them altogether would be preferable. Fortunately, Verizon now says users will soon have the ability to opt out of the identifiers. Previously, users could opt out of having their data shared with advertisers, but the unique identifier itself remained with their web traffic. It's not a complete solution — the tracking should be opt-in to begin with — but it's a step in the right direction.

  • by MarkH ( 8415 ) on Friday January 30, 2015 @02:42PM (#48941899)

    Adding cookie headers into ISP traffic is only possible for HTTP. If the ISP is terminating HTTPS traffic, that is a bit GCHQ/NRA level.

  • On tracking (Score:2, Insightful)

    There is no such thing as 'opt in'. That is a total fantasy. Your traffic is always being tracked by cookies, government spies, whatever. Even https exists to serve this purpose. Certificates are just another cookie.

    • I use Ghostery [ghostery.com] and Adblock Plus [adblockplus.org] on my PC and devices, I feel like I've opted out.
      • Use Request Policy instead of Ghostery -- it makes advertisers opt-in rather than opt-out. Besides killing any non-first-party tracking dead, it hardly leaves anything for Adblock to clean up.

    • How is a certificate anything like a cookie? Cookies are unique to clients. Certificates are unique to servers. You can't use a server's SSL cert to track its users. And, unless Verizon has figured out a way to crack SSL connections in real time, they can't be injecting any headers into web requests made through HTTPS.
    • Re:On tracking (Score:5, Insightful)

      by mcrbids ( 148650 ) on Friday January 30, 2015 @04:16PM (#48942475) Journal

      Your traffic is always being tracked by cookies, government spies, whatever.

      Please stop with the "sky is falling" routine - it only makes the problem worse and the stakes are too high to just throw your hands up in the air and give up in blissful ignorance.

      Even https exists to serve this purpose. Certificates are just another cookie.

      I suspect that, at a basic level, you have a fundamental misunderstanding as to what a "certificate" is and does.

      1) A cookie is an identifier that allows you to tie numerous http(s) sessions together by domain. It can thus be used to track you by having many sites contain images or content from a common domain. (EG: doubleclick.com)

      2) A certificate is used to negotiate a private session with a single domain. It's provided by the server and validated by the client to set up an encrypted connection. It allows you, the user, to verify that you are connected with the correct domain and *not* a nefarious person. The use of HTTPS and certificates foils the Verizon "supercookie" as they have no meaningful way to pierce the encryption provided between you and, say, Google.com.

      • This is nothing like 'the sky is falling' routine. And you never heard me say to surrender. It is only a point of information to act on. It's a simple fact that you are being tracked. And certificates still require a third party. And to me, a self signed certificate is a cookie. To be verified requires that you identify yourself. You can't be anonymous and certified/verified at the same time, unless it's a one-time cert. My only recommendation is to develop something better, not to give up.

  • by QuietLagoon ( 813062 ) on Friday January 30, 2015 @02:47PM (#48941931)

    ... Fortunately, Verizon now says users will soon have the ability to opt out of the identifiers....

    Yeah, you'll probably need to keep an opt-out cookie on your device in order to opt-out.

    • Yeah, you'll probably need to keep an opt-out cookie on your device in order to opt-out.

      I know you're kidding, but since Verizon is making it difficult to opt-out of the super cookie, that means that even the absence of the super cookie coming from a Verizon IP will be used as a way to uniquely identify you. It would be like going out in your neighborhood and being the only one wearing a ski mask in the middle of summer. It will just make advertisers notice you more. Expect to see many more ads for off-shore accounts, libertarian politics, mail-order brides, guns, and bitcoins, if you opt-out

    • X-VERIZON-TRACK=2397123483
      X-IGNORE-VERIZON-TRACK=1

  • ...or you can just use a Windows Phone and disable the advertising ID as part of the OS in the Settings menu.
    • Re:Windows Phone (Score:5, Informative)

      by Bugler412 ( 2610815 ) on Friday January 30, 2015 @02:58PM (#48942027)
      Nope, that only disables the advertising ID in the phone used by apps as an identifier. Does nothing for the "supercookie" that Verizon inserts into the traffic, much like a man in the middle attack, at the network level. Easily and personally verified.
    • Re:Windows Phone (Score:5, Informative)

      by gstoddart ( 321705 ) on Friday January 30, 2015 @03:00PM (#48942041) Homepage

      Are you clueless or something?

      Verizon's controversial technology basically involves attaching tracking numbers whenever customers view Web pages. Generally, to visit a Web page, my computer (or phone, tablet, etc.) sends a request message to the website with that page. Think of this like a very (very!) fast version of sending a letter through the mail, requesting some information.

      Now imagine if the Postal Service assigned an identification number to me, and every time I sent one of those letters, a postal worker opened up the envelope and stamped the ID number inside. That is more or less what Verizon has been doing: Every time a Verizon Wireless customer requests a Web page, Verizon rewrites the request in transit to include a tracking number identifying the customer.

      There is no way to disable this, and certainly not with your damned Windows phone.

      Verizon is directly injecting this crap into your request, on their servers, independent of what YOU do.

      Basically Verizon are acting like a bunch of greedy assholes, and setting every request you make to be something uniquely identifiable as you.

    • by dissy ( 172727 )

      ...or you can just use a Windows Phone and disable the advertising ID as part of the OS in the Settings menu.

      Or you could read at the very least the one sentence title of the story.

      Verizon inserts the cookie, long after the traffic has left your phone and your phone has any ability to do shit all about it.

      The only thing your phone could do or be affected by is if it also added a cookie with the same header name, in which case Verizon deletes your data and replaces it with their own.

      It should be a requirement that you can read before you are allowed to write and post...

    • Description:

      Resetting your advertising ID makes it harder for apps to connect your past activities with your future ones

      Says nothing about disabling the ability of apps to track or store your past activities

    • by Shados ( 741919 )

      Someone's confusing the device's ID used for marketing by products like MixPanel, Localytics, maybe Omniture (dunno if web analytics used on native apps tap into it) with the Verizon supercookie.

      Not the same thing. At all.

    • Just because you have another advertising ID as part of your operating system doesn't mean that if you disable that then the Verizon-inserted ID would be removed. The Verizon ID doesn't care what settings you turn on or off on your phone; it gets inserted into the data stream after the phone.

      Unless your phone has a setting for "force https on everything", then you're fucked. And you know what's funny? On Windows Phone you cannot do that; you don't even have the option of a 3rd party browser that would do that.

  • VPN. (Score:5, Insightful)

    by Guspaz ( 556486 ) on Friday January 30, 2015 @02:55PM (#48941989)

    Spend $5 or $10 a month on a VPN or a VPS and encrypt all your web traffic. As soon as your ISP is actively inspecting and modifying your traffic, it can't be trusted.

    You shouldn't have to do this, true, but it's a solution to the present problem.

    • by itzly ( 3699663 )

      Can you trust a VPN ?

      • Probably more than you can trust Verizon. Also, you can set up your own VPN server on Amazon's Cloud or another VPS provider. Sure there's always the chance that somebody would mess with your http connection, as you aren't really in control of the machine when using a VPS or other cloud provider. Although I think that any VPS/Cloud service that started manipulating the data traversing their servers would become very unpopular very quickly, and could also switch providers. It isn't so easy to switch cellu
      • by mlts ( 1038732 )

        If worried about existing VPS offerings, there is always the old standby, a VPS or a cloud instance. It is more money and work, and the VPS owners can always snoop the traffic going in, but if one wants to pack their own parachute, this works.

        These days, I just use a local VPN. I'm not needing something NSA-proof, so what they have is more than enough, as I'm using their services to protect against attacks by a Wi-Fi AP (which are surprisingly common [1].)

        [1]: One coffee shop near me always tries to repl

      • Someone, like maybe torrent freak, did an exhaustive survey of seemingly EVERY VPN. They were specifically asking about what logs the company keeps and what laws govern their operation. A stunning majority of them log virtually everything you do, keep the logs for months, and are conveniently incorporated in the US. (Convenient for spying, not convenient for privacy).

        OF COURSE there was absolutely no way to prove the ones that claim to be reputable aren't actually the worst of all. But it is worth at le

        • by Guspaz ( 556486 )

          Yeah, so I pay $10 a month for my own VPS, and run my own VPN on it. I have full control over what exactly gets logged, and data retention laws don't apply.

    • VPNs have always seemed to be the sensible way of keeping your data secured, but after the recent Snowden leaks showing their progress sabotaging them, total privacy now seems to be a myth.

  • by MerlynEmrys67 ( 583469 ) on Friday January 30, 2015 @02:57PM (#48942015)
    I don't care that you traffic shape my traffic -> But it is immoral and should be illegal to change it. Why do we allow ISPs like this to change the traffic flowing through their systems to the destination?
    I am not talking about adding an MPLS tag that gets inserted on insertion into the provider and stripped before it leaves the other side, I am talking adjusting my traffic to add content to the L4+ content. The ISP should only adjust things at L3 and below. Everything above that should never be touched (Ok - Large scale NAT I can live with - Let's move that to L5+)
  • Are there Google Chrome or Firefox add-ons that can deal with this issue, or is it injected into the request header on Verizon's side?

    • Injected at the network layer, nothing you can do to prevent it locally. Perhaps salt it with false UIDs that look like Verizon's to confuse the system, but you can't prevent their addition of the supercookie.
  • Verizon is completely nuts if they don't think there will be a backlash!!!!!!!!

    • You are completely nuts if you think there will be any significant amount** of backlash.

      ** Significant meaning fines, large numbers of customers quitting, or anything else that will impact bottom line of VZ

    • by plover ( 150551 )

      Verizon is completely nuts if they don't think there will be a backlash!!!!!!!!

      From who? Thirteen enraged nerds on Slashdot? Their average customer doesn't understand the difference between their phone and their browser; they certainly won't get up in arms over a "super-cookie".

      Verizon could easily afford to piss off every paranoiac on the planet, and they'd still have so much money they'll need to buy another dump truck to haul this month's profit to the bank. They have no real reason to change, so I'd recommend a strategy other than OMGPANIC!

    • We just switched the 2nd of our 2 smartphones from Verizon to AT&T. Want to inject a tracking supercookie into our web traffic, Verizon? Good luck now that we are no longer your customers, assholes.
  • Make a complaint to the FCC about it. Complain about their DNS hijacking while you are at it. Opt-out is not neutral!

    • I've done the FCC complaint, FTC complaint, contacted a lawyer for possible civil action or even class action (not practical since you can't "prove" damage), contacted the FBI for a CFAA violation, all of it. No results at all. Voting with my wallet when the contract expires and using nothing but HTTPS and VPN otherwise until then.
      • I would suggest that exploitation would be damage. Unless there is an overt consent for VZ to profit from your browsing habits, it is nothing short of exploitation.

        • My attorney examined it, while exploitation was a possible angle, assigning a value to it for a civil suit was damned near impossible, or gave results that were only in the fraction of a penny zone per user. Making the whole suit process impractical even for a millions of users class action, unless you are able to find a "white knight" attorney willing to take it on based on principle alone (EFF?), not likely.
      • by MobyDisk ( 75490 )

        Wow, good work. I reported the DNS hijacking stuff years ago but I never thought of talking to the FTC. That actually makes more sense, because this is a monopoly issue more than a telecommunications issue.

  • by Anonymous Coward

    Verizon's unique identifier they add to web traffic going across their network to help advertisers target their ads

    If I wasn't stealing the neighbor's WiFi I'd be soooo pissed!

  • Anyone check if the header still gets added (updated) if it's already present? If not, a browser extension or local proxy, like Proxomitron, could add the header with a random value.

  • What they suggested in the article is not a privacy "fix" -- they suggest that Verizon encrypt the cookie so advertisers have to feed the cookie back to Verizon so Verizon can decrypt it to let them track me.

    The problem is that I don't want Verizon to track my web usage at all. I know they can track my web use by looking at the sites I visit (and I don't want them to do that either), but the cookie lets advertisers send more data to Verizon than they'd capture from web host tracking -- if go to "https://so
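
The scheme this comment describes, sketched as an added example (not part of the original thread, and not Verizon's or the Slate article's code): a per-request encrypted identifier that only the key holder can resolve, next to a stable one. The function names, the demo keys and the HMAC-SHA256 keystream with encrypt-then-MAC (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions.

```python
import hashlib
import hmac
import os

# Constructed demo keys; a carrier would hold real keys in its own key store.
ENC_KEY = hashlib.sha256(b"constructed-demo-enc-key").digest()
MAC_KEY = hashlib.sha256(b"constructed-demo-mac-key").digest()
NONCE_LEN, TAG_LEN, UID_LEN = 16, 16, 32  # UID_LEN = one SHA-256 keystream block


def static_header(subscriber_id: str) -> str:
    """Stable identifier: the same value on every request, so any site can correlate."""
    return hashlib.sha256(subscriber_id.encode()).hexdigest()[:32]


def _xor(data: bytes, nonce: bytes) -> bytes:
    # Keystream is a PRF of the nonce; a fresh nonce gives a fresh keystream.
    stream = hmac.new(ENC_KEY, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(body: bytes) -> bytes:
    return hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:TAG_LEN]


def issue_token(subscriber_id: str) -> str:
    """Per-request value: fresh random nonce, padded ID encrypted, then MACed."""
    uid = subscriber_id.encode()
    if len(uid) > UID_LEN:
        raise ValueError("subscriber id longer than one keystream block")
    nonce = os.urandom(NONCE_LEN)
    body = nonce + _xor(uid.ljust(UID_LEN, b"\0"), nonce)
    return (body + _tag(body)).hex()


def resolve_token(token_hex: str):
    """Key-holder lookup: subscriber id, or None if the token is forged or altered."""
    try:
        raw = bytes.fromhex(token_hex)
    except ValueError:
        return None
    if len(raw) != NONCE_LEN + UID_LEN + TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(body)):
        return None
    return _xor(body[NONCE_LEN:], body[:NONCE_LEN]).rstrip(b"\0").decode()
```

Two requests from the same subscriber carry unrelated-looking values, while the key holder still maps both to the same subscriber.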

  • This one isn't too hard; the best way to "fix" this is stop using Verizon and supporting their horrible company. I had them for a few years and always had excellent cell service, but everything else sucked balls. I switched to T-Mobile's pay-as-you-go plan and have saved a ton of money without supporting the cellular devil.

    (I realize that there are contracts etc., but seriously, if you can you should drop them like a hot potato.)

  • Under the treaty signed for Data they have to respect the Canadian Citizens right to not be tracked, including the Canadian Constitutional Right to Privacy, even if a Canadian is in the US. Since many Canadians use border cell towers in the US, they would be liable to be sued if they did not provide some method not to be tracked.

    Once again, Canada saves American rights.

  • Has anyone tried adding multiples of their own version of this header to outgoing traffic upstream of Verizon's gateway, to see what happens?
    Not having Verizon here in Canada I cannot try this, but it would be interesting to see if doing so with a true random nonce would defeat their tracking by adding confusion, as to which header was the real Verizon one and which the customer's.

    Also F*** Verizon, go full VPN on all your mobile traffic from now on.
