Verizon’s ‘Perma-Cookie’ Is a Privacy-Killing Machine

Verizon Wireless has been subtly altering the web traffic of its wireless customers for the past two years, inserting a string of about 50 letters, numbers, and characters into data flowing between these customers and the websites they visit.

The company—one the country’s largest wireless carriers, providing cell phone service for about 123 million subscribers—calls this a Unique Identifier Header, or UIDH. It’s a kind of short-term serial number that advertisers can use to identify you on the web, and it’s the lynchpin of the company’s internet advertising program. But critics say that it’s also a reckless misuse of Verizon’s power as an internet service provider—something that could be used as a trump card to obviate established privacy tools such as private browsing sessions or “do not track” features.

Jacob Hoffman-Andrews, a technologist with the Electronic Frontier Foundation, wants Verizon to stop using the UIDH. “ISPs are trusted connectors of users and they shouldn’t be modifying our traffic on its way to the Internet,” he says. He calls the UIDH a “perma-cookie,” because it can be read by any web server that you visit and used to build a profile of your internet habits.

According to Verizon spokeswoman Debra Lewis, there’s no way to turn it off. She says that Verizon doesn’t use the UIDH to create customer profiles, and if you opt out of the company’s Relevant Mobile Advertising program (you can do this by logging into your Verizon account here), then Verizon and its advertising partners won’t be using it to create targeted ads. But that’s beside the point, says Hoffman-Andrews. Because Verizon is broadcasting this unique identifier to every website, ad networks could start using it to build a profile of your web activity, even without your consent.

The fact that the UIDH was around for two years before getting any serious attention is a testament to the murky and challenging nature of privacy on today’s internet. Verizon has made no secret of its ambitions to cash in on the mobile advertising market. But the technical details of how it is doing this have been hard to uncover.

‘It’s gone relatively unremarked by the security, privacy, and broader technical community, in part, because it’s so hard to observe.’

You can test to see if your mobile device is broadcasting a UIDH on this website, run by Kenneth White, a security researcher. (Go to the site, and if there is nothing displayed after the line “your UID is reporting,” then you are not displaying a UIDH.) White says that the majority of Verizon Wireless customers who test their devices on his site display the perma-cookie. But not everyone does.

Verizon couldn’t explain why some of our Verizon phones here at WIRED didn’t display it when we tested. White thinks that may be because the router-side software used to insert the header may not be available on all of Verizon’s sprawling national network. If you connect via Wi-Fi, or a virtual private network, or are talking to a site via SSL, then the UIDH will not display either.

It’s difficult for even outside websites to realize what is happening here. The UIDH headers weren’t discovered until someone configured web traffic to log all headers and then noticed the extra data coming from Verizon customers. That person, an EFF member, then reported it to the digital rights organization. “It’s gone relatively unremarked by the security, privacy, and broader technical community, in part, because it’s so hard to observe,” says Hoffman-Andrews.

But now Verizon is getting some extra scrutiny, as are the other carriers. Late Friday, Hoffman-Andrews said he was looking into anecdotal reports that AT&T was using a similar type of identifier.

http://www.wired.com/2014/10/verizons-perma-cookie/

Leave a Reply

Your email address will not be published. Required fields are marked *