Fixing Verizon's Supercookie

New submitter ferro lad sends a story about Verizon's so-called supercookie, a unique identifier they add to web traffic going across their network to help advertisers target their ads better. A new article at Slate demonstrates how Verizon could fix the identifier so that ad companies would have a harder time misusing it — something they've already been shown to do. "...with just a tiny amount of effort, Verizon could maintain its current business while substantially preventing the misuse of its UID headers." Of course, for privacy-conscious users, the ability to get rid of them altogether would be preferable. Fortunately, Verizon now says users will soon have the ability to opt out of the identifiers. Previously, users could opt out of having their data shared with advertisers, but the unique identifier itself remained with their web traffic. It's not a complete solution — the tracking should be opt-in to begin with — but it's a step in the right direction.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Gr8Apes]

Seems like "VPN" will solve that problem. Whether it engenders a new problem is a different story.

Re: You can't opt out of anything, ever

[bill_mcgonigle]

It'll decrease their backhaul capacity, but few people even care and fewer still will do something about it. Heck, it took me three months to bother renting a VPS to do it and I already had all the skills.

It isn't a cookie, actually

[TrollstonButterbeans]

It is added to the HTTP request on the Verizon server when you use the internet.

They add it to your internet communications, like adding a name-tag on to your luggage.

more reason for https as default for all sites

[MarkH]

Adding cookie headers into isp traffic only possible for http. If ISP terminating https traffic that is a bit GCHQ/NRA level.

Re: more reason for https as default for all sites

[bill_mcgonigle]

A CA is going to give Verizon a cert such that they can mint a cert for any domai. and remain trusted in device root stores? Don't be a fool - it's completely different than a corporate device. Google Diginotar.

Re:

[Grant_Watson]

The GP's point is that if you contract with the makers of the phones, you can insert your own root certificate and make yourself a CA without anyone else signing your root cert. You'd expect third-party browsers on Android to reject the MITM though, and I doubt whether you could suborn Apple into helping you on iOS; it's possible in principle, but it looks pretty unlikely to me.

On tracking

[fustakrakich]

There is no such thing as 'opt in'. That is a total fantasy. Your traffic is always being tracked by cookies, government spies, whatever. Even https exists to serve this purpose. Certificates are just another cookie.

Re:

[cultiv8]

I use Ghostery [ghostery.com] and Adblock Plus [adblockplus.org] on my PC and devices, I feel like I've opted out.

Re:

[ferro lad]

Yep, that's why it's such a big problem. I have FIOS as my ISV, and there's nothing that can be done. I'd dump them, and have complained, but they are probably the only realistic game in town. I think I can get a point to point microwave ISP, and used to use them in the early days of broadband, but don't even know if they're still in business following the FIOS blitz in our area. Unless Verizon stops this abhorrent practice, we're all being tracked and sold to the highest bidder. Thank about it.

Re:

[KiloByte]

Use Request Policy instead of Ghostery -- it makes advertisers opt-in rather than opt-out. Besides killing any non-first-party tracking dead, it hardly leaves anything for Adblock to clean up.

Re:

[fustakrakich]

Hey, if you got a buyer...

Re:

[davesque]

How is a certificate anything like a cookie? Cookies are unique to clients. Certificates are unique to servers. You can't use a server's SSL cert to track its users. And, unless Verizon has figured out a way to crack SSL connections in real time, they can't be injecting any headers into web requests made through HTTPS.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:On tracking

[mcrbids]

Your traffic is always being tracked by cookies, government spies, whatever.

Please stop with the "sky is falling" routine - it only makes the problem worse and the stakes are too high to just throw your hands up in the air and give up in blissful ignorance.

Even https exists to serve this purpose. Certificates are just another cookie.

I suspect that, at a basic level, you have a fundamental misunderstanding as to what a "certificate" is and does.

1) A cookie is an identifier that allows you to tie numerous http(s) sessions together by domain. It can thus be used to track you by having many sites contain images or content from a common domain. (EG: doubleclick.com)

2) A certificate is used to negotiate a private session with a single domain. It's provided by the server and validated by the client to set up an encrypted connection. It allows you, the user, to verify that you are connected with the correct domain and *not* a nefarious person. The use of HTTPS and certificates foils the Verizon "supercookie" as they have no meaningful way to pierce the encryption provided between you and, say, Google.com.

Re:

[fustakrakich]

This is nothing like 'the sky is falling' routine. And you never heard me say to surrender. It is only a point of information to act on. It's a simple fact that you are being tracked. And certificates still require a third party. And to me, a self signed certificate is a cookie. To be verified requires that you identify yourself. You can't be anonymous and certified/verified at the same time, unless it's a one-time cert. My only recommendation is to develop something better, not to give up.

Opting out...

[QuietLagoon]

... Fortunately, Verizon now says users will soon have the ability to opt out of the identifiers....

Yeah, you'll probably need to keep an opt-out cookie on your device in order to opt-out.

Re:

[stephanruby]

Yeah, you'll probably need to keep an opt-out cookie on your device in order to opt-out.

I know you're kidding, but since Verizon is making it difficult to opt-out of the super cookie, that means that even the absence of the super cookie coming from a Verizon IP will be used as a way to uniquely identify you. It would be like going out in your neighborhood and being the only one wearing a ski mask in the middle of summer. It will just make advertisers notice you more. Expect to see many more ads for off-shore accounts, libertarian politics, mail-order brides, guns, and bitcoins, if you opt-out

Re:

[SuricouRaven]

X-VERIZON-TRACK=2397123483
X-IGNORE-VERIZON-TRACK=1

Windows Phone

[DogDude]

...or you can just use a Windows Phone and disable the advertising ID as part of the OS in the Settings menu.

Re:Windows Phone

[Bugler412]

nope, that only disables the advertising ID in the phone used by apps as an identifier. Does nothing for the "supercookie" that Verizon inserts into the traffic, much like a man in the middle attack, at the network level. Easily and personally verified.

Re:Windows Phone

[gstoddart]

Are you clueless or something?

Verizon's controversial technology basically involves attaching tracking numbers whenever customers view Web pages. Generally, to visit a Web page, my computer (or phone, tablet, etc.) sends a request message to the website with that page. Think of this like a very (very!) fast version of sending a letter through the mail, requesting some information.

Now imagine if the Postal Service assigned an identification number to me, and every time I sent one of those letters, a postal worker opened up the envelope and stamped the ID number inside. That is more or less what Verizon has been doing: Every time a Verizon Wireless customer requests a Web page, Verizon rewrites the request in transit to include a tracking number identifying the customer.

There is no way to disable this, and certainly not with your damned Windows phone.

Verizon is directly injecting this crap into your request, on their servers, independent of what YOU do.

Basically Verizon are acting like a bunch of greedy assholes, and setting every request you make to be something uniquely identifiable as you.

Re:

[Anonymous Coward]

No, it doesn't, but the rest of his points stand.

Re:

[gstoddart]

WTF does being anti or pro Microsoft have to do with the fact that the fucking headers are being rewritten by Verizon?

I'm not blindly pro or anti Microsoft -- but let's not fucking pretend a Windows phone is a magic cure-all for something which is happening at the carrier level.

But, hey, don't let common sense or facts stand in the way of being an idiot.

Re:

[TrollstonButterbeans]

+1

Re:

[dissy]

...or you can just use a Windows Phone and disable the advertising ID as part of the OS in the Settings menu.

Or you could read at the very least the one sentence title of the story.

Verizon inserts the cookie, long after the traffic has left your phone and your phone has any ability to do shit all about it.

The only thing your phone could do or be effected by is if it also added a cookie with the same header name, in which case Verizon deletes your data and replaces it with their own.

It should be a requirement that you can read before you are allowed to write and post...

Re:

[unixisc]

Description:

Resetting your advertising ID makes it harder for apps to connect your past activities with your future ones

Says nothing about disabling the ability of apps to track or store your past activities

Re:

[Shados]

someone's confusing the device's id used for marketing by products like MixPanel, Localytics, maybe Omniture (dunno if web analytics used on native apps tap into it) with the verizon supercookie.

Not the same thing. At all.

not sure if trolling or stupid

[gl4ss]

just because you have another advertising ID as part of your operating system doesn't mean that if you disable that then the verizon inserted id would be removed. the verizon id doesn't care what settings you turn on or off on your phone, it gets inserted to the data stream after the phone.

unless your phone has a setting for "force https on everything", then you're fucked. and you know what's funny? on windows phone you cannot do that, you don't have even the option of a 3rd party browser that would do that

Re:

[DarkOx]

The real question is how are multiple headers interpreted for the tracking code. Is the first UID header the verizon one or the last? What if my client inserts a random one before and after every other header etc. Sure if its the NSA or whatever than you're the guy whose got the UID header that changes with each request or the guy with multiple headers etc. Even if lots of people do it a weak PRNG used to generate those headers and $AGENCY might still be able to identify you.

Advertisers though I am goin

Re:

[gwjgwj]

I think the GP's idea was to create a Verizon-like UID, but using other providers.

Re:

[mlts]

It can be gotten around... just hash the UIDs obtained, and look for the valid one that persists between transactions, especially with other supercookie data that most browsers hand over (font order is quite identifable, same with plugins... and we are not even near LSOs or other items.)

The only solution to this is a trustworthy VPN so traffic is encrypted from the device on out (and can't be modified without parties noticing.)

VPN.

[Guspaz]

Spend $5 or $10 a month on a VPN or a VPS and encrypt all your web traffic. As soon as your ISP is actively inspecting and modifying your traffic, it can't be trusted.

You shouldn't have to do this, true, but it's a solution to the present problem.

Re:

[itzly]

Can you trust a VPN ?

Re:

[CastrTroy]

Probably more than you can trust Verizon. Also, you can set up your own VPN server on Amazon's Cloud or another VPS provider. Sure there's always the chance that somebody would mess with your http connection, as you aren't really in control of the machine when using a VPS or other cloud provider. Although I think that any VPS/Cloud service that started manipulating the data traversing their servers would become very unpopular very quickly, and could also switch providers. It isn't so easy to switch cellu

Re:

[mlts]

If worried about existing VPS offerings, there is always the old standby, a VPS or a cloud instance. It is more money and work, and the VPS owners can always snoop the traffic going in, but if one wants to pack their own parachute, this works.

These days, I just use a local VPN. I'm not needing something NSA-proof, so what they have is more than enough, as I'm using their services to protect against attacks by a Wi-Fi AP (which are surprisingly common [1].)

[1]: One coffee shop near me always tries to repl

Re:

[Terry95]

Someone, like maybe torrent freak, did an exhaustive survey of seemingly EVERY VPN. They were specifically asking about what logs the company keeps and what laws govern their operation. A stunning majority of them log virtually everything you do, keep the logs for months, and are conveniently incorporated in the US. (Convenient for spying, not convenient for privacy).

OF COURSE there was absolutely no way to prove the one's that claim to be reputable aren't actually the worst of all. But it is worth at le

Re:

[Guspaz]

Yeah, so I pay $10 a month for my own VPS, and run my own VPN on it. I have full control over what exactly gets logged, and data retention laws don't apply.

Re:

[Guspaz]

Because you should trust your server provider not to mess with your traffic more than you should trust Verizon? Who cares about the NSA, if they want to get your data they're going to get it. Meanwhile, Verizon is actively MODIFYING your traffic...

Key exchange is also really not a problem, the entire point of a secure key exchange is that the keys are never transmitted in the clear. You don't need physical media.

Re:

[Severus Snape]

VPN's have always seemed to be the sensible way of keeping your data secured, but after the recent Snowden leaks showing their progress sabotaging them, total privacy now seems to be a myth.

Re:VPN.

[Archangel Michael]

The NSA has a budget somewhere on the order of 40-80 billion dollars per year. No normal individual can stand up to that level of attack.

Nor should they. The government should be protecting citizen's rights, not invading them. But that is what you get when you keep voting for Republicrats.

Re:

[SuricouRaven]

It's not partisan. The democrats have been just as supportive of spying as the republicans - they most they have offered are some token privacy acts that wouldn't be remotely effective.

A good Net Neutrality thing for law

[MerlynEmrys67]

I don't care that you traffic shape my traffic -> But it is immoral and should be illegal to change it. Why do we allow ISPs like this to change the traffic flowing through their systems to the destination.
I am not talking about adding an MPLS tag that gets inserted on insertion into the provider and stripped before it leaves the other side, I am talking adjusting my traffic to add content to the L4+ content. The ISP should only adjust things at L3 and below. Everything above that should never be touched (Ok - Large scale NAT I can live with - Lets move that to L5+)

Chrome add-on?

[Midnight Thunder]

Are there Google Chrome or Firefox add-ons that can deal with this issue, or is it injected into the request header on Verizon's side?

Re:

[Bugler412]

injected at the network layer, nothing you can do to prevent it locally. Perhaps salt it with false UIDs that look like Verizons to confuse the system, but you can't prevent their addition of the supercookie.

TERRIBLE

[omfglearntoplay]

Verizon is completely nuts if they don't think there will be a backlash!!!!!!!!

Re:

[Archangel Michael]

You are completely nuts if you think there will be any significant amount** of backlash.

** Significant meaning fines, large numbers of customers quitting, or anything else that will impact bottom line of VZ

Re:

[plover]

Verizon is completely nuts if they don't think there will be a backlash!!!!!!!!

From who? Thirteen enraged nerds on Slashdot? Their average customer doesn't understand the difference between their phone and their browser; they certainly won't get up in arms over a "super-cookie".

Verizon could easily afford to piss off every paranoiac on the planet, and they'd still have so much money they'll need to buy another dump truck to haul this month's profit to the bank. They have no real reason to change, so I'd recommend a strategy other than OMGPANIC!

Re:

[jwcollins]

We just switched the 2nd of our 2 smartphones from Verizon to AT&T. Want to inject a tracking supercookie into our web traffic, Verizon? Good luck now that we are no longer your customers, assholes.

Report this to the FCC

[MobyDisk]

Make a complaint to the FCC about it. Complain about their DNS hijacking while you are at it. Opt-out is not neutral!

Re:

[Bugler412]

I've done the FCC complaint, FTC complaint, contacted a lawyer for possible civil action or even class action (not practical since you can't "prove" damage), contacted the FBI for a CFAA violation, all of it. No results at all. Voting with my wallet when the contract expires and using nothing but HTTPS and VPN otherwise until then.

Re:

[Archangel Michael]

I would suggest that exploitation would be damage. Unless there is an overt consent for VZ to profit from your browsing habits, it is nothing short of exploitation.

Re:

[Bugler412]

my attorney examined it, while exploitation was a possible angle, assigning a value to it for a civil suit was damned near impossible, or gave results that were only in the fraction of a penny zone per user. Making the whole suit process impractical even for a millions of users class action, unless you are able to find a "white night" attorney willing to take it on based on principal alone (EFF?), not likely.

Re:

[Bugler412]

unsure of the timing of the implementation of the supercookie, I had never thought to examine my HTTP traffic from the far side before the initial public reports. As far as voiding, with only three months left I am OK just waiting for it rather than burning work bandwidth on what I'm sure would be insane stonewalling and bureaucracy to void the contract. Would likely take longer than simply waiting and leaving, although that doesn't have much "protest effect"

Re:

[MobyDisk]

Wow, good work. I reported the DNS hijacking stuff years ago but I never thought of talking to the FTC. That actually makes more sense, because this is a monopoly issue more than a telecommunications issue.

Re:

[plover]

Money. More specifically, revenue from advertisers. Once they had the motive, it's pretty easy to justify the means to the end.

Re:

[account_deleted]

Comment removed based on user account deletion

supercookie

[Anonymous Coward]

Verizon's unique identifier they add to web traffic going across their network to help advertisers target their ads

If I was'nt stealing the neighbors WiFi I`d be soooo pissed!I

Umm...

[fahrbot-bot]

Anyone check if the header still gets added (updated) if it's already present? If not, a browser extension or local proxy, like Proxomitron, could add the header with a random value.

That's not a privacy "fix"

[hawguy]

What they suggested in the article is not a privacy "fix" -- they suggest that Verizon encrypt the cookie so advertisers have to feed the cookie back to Verizon so Verizon can decrypt it to let them track me.

The problem is that I don't want Verizon to track my web usage at all. I know they can track my web use by looking at the sites I visit (and I don't want them to do that either), byt the cookie lets advertisers send more data to Verizon than they'd capture from web host tracking -- if go to "https://so

Simple Fix

[RyoShin]

This one isn't too hard; the best way to "fix" this is stop using Verizon and supporting their horrible company. I had them for a few years and always had excellent cell service, but everything else sucked balls. I switched to T-Mobile's pay-as-you-go plan and have saved a ton of money without supporting the cellular devil.

(I realize that there are contracts etc., but seriously, if you can you should drop them like a hot potato.)

They have to do this due to Canada-US treaty

[WillAffleckUW]

Under the treaty signed for Data they have to respect the Canadian Citizens right to not be tracked, including the Canadian Constitutional Right to Privacy, even if a Canadian is in the US. Since many Canadians use border cell towers in the US, they would be liable to be sued if they did not provide some method not to be tracked.

Once again, Canada saves American rights.

Additional headers?

[ramriot]

Has anyone tried adding multiples of their own version of this header to outgoing traffic upstream of verizons gateway, to see what happens?
Not having Verizon here in Canada I cannot try this, but it would be interesting to see if doing so with a true random nonce would defeat their tracking by adding confusion, as to which header was the real verizon one and which the customers.

Also F*** verizon, go full VPN on all your mobile traffic from now on.