Report: Verizon Using Undeletable Super Cookies

Stephen Yagielowicz

LOS ANGELES — A recent report from the Electronic Frontier Foundation is casting light on Verizon’s new advertising program, which secretly installs undeletable super cookies on its client’s mobile devices.

The new ad program, called Precision Market Insights, is believed to have begun in 2012 — tracking all of the online activities of Verizon’s roughly 106 million customers — at least when they are accessing the Internet from mobile devices, such as smartphones and tablets — according to the EFF, which says that Verizon users might want to start looking for another provider.

“In an effort to better serve advertisers, Verizon Wireless has been silently modifying its users’ web traffic on its network to inject a cookie-like tracker,” the EFF report explains. “This tracker, included in [a web page’s] HTTP header called X-UIDH, is sent to every unencrypted website a Verizon customer visits from a mobile device, [allowing] third-party advertisers and websites to assemble a deep, permanent profile of visitors’ web browsing habits without their consent.”

The practice could have profound implications for affiliate marketers already contending with cookie term manipulation and “stuffing,” which has contributed to lower revenues for many adult affiliates.

For its part, Verizon says that Precision Market Insights provide addressable advertising solutions for agencies, brands and channel partners, by using the PrecisionID, “an anonymous unique device identifier, which can be used to reach the right audiences on mobile through demographic, interest and geographic targeting and enables advertisers to use their own data to reach target audiences on their mobile devices.”

Claiming that the technology is privacy-safe and accurate, Verizon says that the PrecisionID powers more impactful, data-driven marketing at scale and drives better ROI for its partners, eliminating campaign waste and inefficiencies, noting that “Together, we’re solving for the biggest challenges in mobile advertising.”

According to the EFF, Verizon’s system has privacy implications reaching far beyond the company’s own programs, as it allows others to find out about Verizon users’ online behavior.

“The X-UIDH header effectively reinvents the cookie, but does so in a way that is shockingly insecure and dangerous to your privacy,” the report explains. “Worse still, Verizon doesn’t let users turn off this ‘feature,’” the report adds. “In fact, it functions even if you use a private browsing mode or clear your cookies.”

Unlike traditional cookies, Verizon’s header is nearly invisible to users and cannot be seen or changed in an affected device’s browser settings, remaining unchanged If a user clears their cookies. Worse yet, the report notes, is that advertising networks are able to immediately assign new cookies — linking them to the cleared cookies using the unchanged X-UIDH value.

The X-UIDH header reportedly bypasses several other browser privacy mechanisms, compounding the problem by affecting more than just web browsers, but mobile apps as well, correlating a user’s app behavior with their behavior on the web — something that is  difficult or impossible without this header.

Since the header is injected at the network level, the serious security implications are not only limited to Verizon customers — as the company can add the header to any traffic using its towers. These unique X-UIDH headers reportedly help eavesdroppers by making it easy for them to tie traffic to individual users, beyond what is possible using only IP addresses.

The EFF report notes that the best protection against this specific problem is to use a VPN that encrypts all requests made from phones, regardless of whether they were made by an app or a browser. Next up is the use of an encrypted proxy — while the use of HTTPS, often considered the best protection against many problems, is reportedly among the least effective in this case.

“The header cannot be injected into an HTTPS request,” the report states, “but since websites choose whether [or not] to offer HTTPS, a site that wants to track users can simply avoid HTTPS and get the tracking headers.”

The EFF supports a fully encrypted Internet, but explains that X-UIDH headers are a strong disincentive against adopting HTTPS if websites and advertisers wish to track their users.

“ISPs like Verizon act as trusted connectors to the world, and shouldn’t be modifying our communications on their way to the Internet,” the EFF report concludes. “People should not be required to subscribe to a VPN and put their trust in a third party in order to get a modicum of privacy on the Internet.”

To test whether or not the header is injected in into your traffic, visit LessonsLearned.org/sniff or AmIBeingTracked.com, using a cellular data connection.

Related: