Ad Company Using Verizon Tracking Header To Recreate Deleted Cookies
itwbennett writes: The story began a few months ago when it was reported that both Verizon and AT&T were injecting unique identifiers in the Web requests of their mobile customers. AT&T has since stopped using the system, but Verizon continues. Now, Stanford computer scientist Jonathan Mayer has found that one advertising company called Turn, which tracks users across the Web when they visit major sites including Facebook, Twitter, Yahoo, BlueKai, AppNexus, Walmart and WebMD, uses the Verizon UIDH to respawn its own tracking cookies.
Even worse... (Score:2)
“If a Verizon customer tethered with their phone, their notebook could get stuck with the zombie value. (The ultimate in cross-device advertising!) And the zombie value could spread between cookie stores on a device, including between the web browser and individual apps. (The ultimate in inter-app advertising!)”
Re: (Score:3, Funny)
Which leads to World War Z!!!!!
See, there IS an app for everything!!!!
Re: (Score:2)
Even this kind of invasive privacy violation and data gathering isn't as bad as that movie was.
Re: (Score:2)
Still stuck on last year's meme? I hear that you can get help for that [memegenerator.net] now.
Re:Que calls for net neutrality... (Score:5, Informative)
So Verizon injects encrypted cookies that identify the user, then sell the decryption key to ad companies, so they can track users. I'd be reviewing the terms and conditions of the internet service. Surely they don't allow tampering? People should shame Verizon publicly and leave them, but calls for net neutrality laws are misguided. Verizon makes money from this, so they should end up cheaper than competitors who don't do this. Customers are free to choose to have less privacy for a cheaper service. Regulation isn't needed.
the "market" does not correct for corrupt practices like these, despite every libertarian fantasy to the contrary.
you can change government providers! (Score:1)
But you can change government providers.
There's another government provider to the north of the US and another government provider to the south of the US. Along with more than a hundred other government providers. There's also plenty of other local and regional government providers if your problem is just with your local provider.
Re: (Score:1)
Monopolies... Past experience. It is not an assertion, but fact backed by empirical evidence.
Re:Que calls for net neutrality... (Score:5, Insightful)
What is the "free market" mechanism for dealing with corporate intrusions that are unknown to the consumer?
When you have third parties making money off of your data without your permission, and you are not their customer, which free market recourse is available to you?
The "free market" is just a myth used to make people like you think you have some agency in an economy where you are the consumable. There is no such thing as a free market. It has never existed, and can never exist. It's a fairy tale told to slaves.
Re: (Score:2)
What is the "free market" mechanism for dealing with corporate intrusions that are unknown to the consumer
Competitors.
Phone companies can only get away with crap like this because the government gave them a monopoly on parts of the EM spectrum.
But, hey, feel free to blame the EVIL FREE MARKET if it gets you hot in your pants.
Re: (Score:2)
Genius, how is competition going to help dealing with corporate intrusions that are unknown to the consumer because the consumer really isn't the customer in these third-party transactions?
"Competition" only helps when you have sufficient information to make a decision.
And yes, I blame the EVIL FREE MARKET THAT DOES NOT EXIST for your lack of reading comprehension.
Re:Que calls for net neutrality... (Score:5, Insightful)
And even if it were to eventually... it certainly isn't right now. Your privacy has been invaded for weeks or months. That is a fait accompli; no market reaction can undo that.
That's the thing I find baffling about the libertarian fantasists. Even if in some kind of long-term it were to eliminate some kind of abuse, it can't reverse the effects of that abuse. Pollutants stay in the environment. People injured by dangerous products remain injured. Patients who die from counterfeit medicines stay dead. You can't sue your way whole.
There are many other reasons why the market isn't nearly as frictionless as libertarian theorists like to imagine. But right here, in this case, we've got an example: you will never regain the privacy that you lost because of this. Even if you switch providers, and that forces them to change the policy, it won't return the privacy you've already lost. Markets simply aren't frictionless, and that friction makes the notion that "the market fixes everything" just plain false.
That's not to say we need infinite regulations on everything. The right level of regulation is difficult and complex, and has to be worked out as a compromise. I'm just pointing out that "oh, it'll all be OK, we never need to do anything at all" isn't a helpful contribution to that compromise.
Re: (Score:2)
The market only fails because we essentially have a duopoly of nationwide carriers and that is ONLY possible because of regulation, in the first place.
Admittedly it's very likely without the likes of the FCC the idea of nationwide cellular carrier being able to exist at all is unlikely. Just think VZW and AT&T had to negotiate with every locality and try to get spectrum easements in the same band but...this isn't the point.
You don't get to have it both ways any more than Libertarians do, you can't blam
it's actually the opposite (Score:2)
Does correct (Score:2)
the "market" does not correct for corrupt practices like these
Public shaming stopped AT&T from doing this.
In my corner of the "market", things like these led me to switch from Verizon to T-Mobile.
Your confusion seems to be that the "market" must correct instantly, instead of over time.
The benefit of market correction is it's more natural in reaction, and proportionate to the problem.
The model you'd prefer is a regulatory approach, which at this point is inherently corrupt and alarmist - your approach br
Re: (Score:1)
It's all supply and demand. They don't price their products based on cost, but on how much people are willing to pay. Just like Apple doesn't set its prices based on the cost of components.
It would probably have been more correct to say: Verizon makes money from this, so they should end up making more money than competitors who don't do this.
Verizon just keeps getting better..... (Score:1, Funny)
lumascape (Score:1, Interesting)
if you haven't ever waded thru pcap traffic of adfraud, you may not be familiar with this steaming shitpile.
http://www.lumapartners.com/wordpress/wp-content/uploads/2012/04/Display-LUMAscape_2012-04-05.jpg
turn, bluekai, and appnexus are all companies in the lumascape group.
Re:Easy fix (Score:5, Informative)
Re: (Score:3, Informative)
Someone didn't RTFA. Neither of those things will prevent this. The tracking is injected into the HTTP headers by the ISP. Even if you don't accept their cookie, they can still track you.
Re:Easy fix (Score:5, Interesting)
I wonder if we could fuck with this service though by creating a Mozilla addon that inserts this header and fills it with some random garbage on each request. If enough people used it maybe we could DOS their database by filling it with UUIDs seen only once?
Re: (Score:3)
I wonder if we could fuck with this service though by creating a Mozilla addon that inserts this header and fills it with some random garbage on each request. If enough people used it maybe we could DOS their database by filling it with UUIDs seen only once?
No, that wouldn't work. The header is inserted well after the request leaves your phone. If you insert the header yourself first, it will just get overwritten once you've sent it.
Re: (Score:2)
Ahh, I understand. You'd also have to not be an AT&T user. Best bet is to actually test for header injection first, since we don't really know all the carriers that do this. Particularly with the small carriers, since they are just reselling service from the major carriers.
Re: (Score:3)
You may say "why do I care if I don't use Verizon?" and I'll respond with "and first they came for the Jews". If you think that's a big jump, well maybe it is, but you need to protect rights for all of the people or you don't deserve the rights you have.
Re: (Score:2)
The idea is that people not using Verizon could do this, and pollute their databases with garbage data. It likely wouldn't affect their ability to track actual Verizon users, but it could make it more difficult to do so by burying them in garbage. Only problem is that I can think of a couple of easy technical solutions to easily filter out most of the "noise".
Re: (Score:3)
The header injections work no matter what. Visit lessonslearned.org/sniff as proof of this.
It isn't too tough to fix -- use an encrypted VPN.
Re: (Score:2)
I have used a VPN to my home machine to avoid these kinds of issues but my home ISP could always start doing the same thing.
Start the doxxing ... (Score:2, Informative)
All of these greedy assholes who run these companies which exist to violate our privacy?
They've all given up any right to privacy and to be treated like humans.
Start doxxing the fuckers. Release their home addresses, phone numbers, baking information. release every mother fucking piece you can find on them, their families, their friends, their business partners.
If they want to make their living by trading on our personal information without our consent, then they utterly deserve to be driven into the grou
Re: (Score:2)
And then attach a note identifying your "tracking brick" and start throwing it through their windows.
Only iOS? (Score:3)
http://uidh.crud.net/ [crud.net] On all browsers on the Android phones, no header was detected. The iPhone we tested, there was a header insertion.
I assume this is due to a "no track" setting at the browser application level. Interesting that Android browsers have it enabled but iPhone browser does not.
Re: (Score:2)
It shows up on mine. I did not previously, but from what I understand it depends on the tower to which you are connected as much as the phone. I have already done Verizon's opt-out which of course does not turn it off, but rather just stops them from selling the data.
Anyone have good reason to believe there is an alternate carrier that actually has decent respect for privacy? I'd like to ditch Verizon as soon as my contract is up.
Re: (Score:2)
I assume this is due to a "no track" setting at the browser application level.
The browser has nothing to do with this at all, and there's nothing a browser (or any other software you can run on the phone) can do about it short of using a VPN.
When you did your tests on the Android phone, are you quite certain that you weren't using the WiFi connection? The tracking header is only inserted into traffic that goes over the cell network.
Re: (Score:2)
Only the iPhone/Safari that I tested showed header insertion.
I found this on reddit, some people reporting that same thing I'm seeing...
https://www.reddit.com/r/priva... [reddit.com]
Re:Only iOS? (Score:4, Interesting)
There are only three possible explanations for this: the two phones were using different carriers, or they were being tested in different geographical locations, or the cell carrier itself is making the distinction for some weird reason. The header injection itself is totally unrelated to the phone, the operating system, or what the software on the phone does.
VPN to some endpoint (Score:2)
VPN to some endpoint outside of VZ's network.
Simple(r) answer (Score:3)
"So, what’s a Verizon subscriber to do?,"
Dump Verizon.
It's worse-Verizon also injects for non-customers! (Score:3)
From https://www.eff.org/deeplinks/... [eff.org]
Because the header is injected at the network level, Verizon can add it to anyone using their towers, even those who aren't Verizon customers. Notably, Verizon appears to inject the X-UIDH header even for customers of Straight Talk, a mobile network reseller (known as a MVNO) that uses Verizon's network. Customers of Straight Talk don't necessarily have a relationship with Verizon.
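Added example (editorial, not part of any comment above and not code from the test sites linked in the thread): the check those sites perform can be reproduced by sending a plain-HTTP request to an echo endpoint you control and diffing the headers sent against the headers received. The host `echo.example`, the header values and the function names are constructed for illustration; the second capture models the overwrite one commenter describes.

```python
# Added example: diff the headers a client sent against what an echo server received.
KNOWN_TRACKING_HEADERS = {"x-uidh"}  # the only injected header named on this page

def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x request into {lowercase-name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:                                  # ignore malformed lines
            headers[name.strip().lower()] = value.strip()
    return headers

def diff_in_transit(sent: bytes, received: bytes) -> dict:
    """Report headers added, modified or removed between client and server."""
    s, r = parse_headers(sent), parse_headers(received)
    added = {k: r[k] for k in r.keys() - s.keys()}
    modified = {k: (s[k], r[k]) for k in s.keys() & r.keys() if s[k] != r[k]}
    removed = sorted(s.keys() - r.keys())
    # Proxies may add benign headers too; flag only names known to be identifiers.
    tracking = sorted((added.keys() | modified.keys()) & KNOWN_TRACKING_HEADERS)
    return {"added": added, "modified": modified,
            "removed": removed, "tracking": tracking}

# Constructed captures (not real traffic): what the client wrote to the socket,
# and what a hypothetical echo server reports having received.
SENT_PLAIN = (b"GET / HTTP/1.1\r\nHost: echo.example\r\n"
              b"User-Agent: test-client\r\n\r\n")
SENT_OWN_HEADER = SENT_PLAIN[:-2] + b"X-UIDH: client-chosen-value\r\n\r\n"
RECEIVED_VIA_CELL = SENT_PLAIN[:-2] + b"X-UIDH: CONSTRUCTED-PLACEHOLDER\r\n\r\n"

if __name__ == "__main__":
    cases = [("cell network, plain HTTP", SENT_PLAIN, RECEIVED_VIA_CELL),
             ("client set the header itself", SENT_OWN_HEADER, RECEIVED_VIA_CELL),
             ("unmodified path (e.g. Wi-Fi or VPN)", SENT_PLAIN, SENT_PLAIN)]
    for label, sent, got in cases:
        print(label, "->", diff_in_transit(sent, got))
```

An empty `tracking` list only covers the path that was tested, so the comparison should be repeated over the cell connection with Wi-Fi disabled.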
Dark Lord of the Sith says... (Score:1)