back to article PROOF the undead STALK Verizon users: Admen caught using 'perma-cookie'

Researchers have spotted an advertising agency using Verizon’s indestructible cookies to silently track people across the internet. Back in 2012, Verizon started injecting a "unique identifier token header" (UIDH) into each HTTP request sent through its mobile data network; these identifiers are unique to each subscriber and …

  1. Anonymous Coward
    Anonymous Coward

    I once wrote a bit of code to randomly change specific cookie data strings a few characters at a time every fifteen minutes to get around another company doing this. I should resurrect it and sell it for a few bucks.

  2. Eddy Ito

    So if I add several headers that look just like Verizon's UIDH, will they scrape it off when they add their own or will it just be extra? I'm just curious to know if it's possible to send a HTTP request out with a dozen different UIDH headers and up the noise to signal ratio. I suppose it's possible to configure a device to use a proxy or vpn that scrapes the header. Hmm, anybody think folks would pay for a header scraping service?

    1. Adze

      Probably... if they didn't have to do anything more than "Monkey see app, monkey press app, monkey like app, monkey rate app 3 stars, would have been 5 if free"

      For the supersimian, OpenVPN is still free if memory serves and has a free Android & IOS app - choose your OpenVPN host and attendent proxy and, while I can't burden this with any proof, your UIDH worries could well be over.

      1. Anonymous Coward
        Anonymous Coward

        Maybe we need a "Je suis UIDH" campaign where loads of people generate spurious UIDH headers and Verizon subscribers publish their headers anonymously so that others can copy them and reduce their value to advertisers?

        If the guids in cookies are no longer globally unique then they are useless to trackers like Turn.

        I for one would be more than happy to help out, anonymously!

      2. Charles 9

        "For the supersimian, OpenVPN is still free if memory serves and has a free Android & IOS app"

        Any host not owned by you is likely to be backdoored by whoever government runs the country the server's hosted in. As for making your own, that can be tricky. I'd love to use the one built into my home router, but it only supports TAP mode, and TAP support on Android 4 and up is only possible through a convoluted method that, frankly, doesn't work yet with the router.

    2. Daggerchild Silver badge

      From the length of it I'd say it's maybe digitally encrypted and signed (or at least checksummed) so they know when it's corrupted or faked. Of course I may be giving them too much credit..

      But you *can* probably still use it to impersonate others, as far as the Evil Overlords tracking you are concerned.

  3. Swarthy Silver badge

    I know the article specifically stated Verizon Mobile

    But do we know if Verizon is doing this to their terrestrial (Fios, etc) customers? and is there an easy way to test? perhaps a website that gleans all the HTTP headers and will let you know what they are?

    1. Haku

      Re: I know the article specifically stated Verizon Mobile

      Take your pick from the many many sites that offer this service:

      1. Swarthy Silver badge

        Re: I know the article specifically stated Verizon Mobile

        Thanks. I had just finished answering my own question by writing one, but it's not pretty (just text on a white background), good to know that there are others, probably more professional.

  4. Graham Marsden

    How about a new UIDH


    1. Haku

      Re: How about a new UIDH

      Or a service that strips the unique identifier and replaces it with

      "I'M SPARTACUS!"

    2. Mike Bell

      Re: How about a new UIDH

      There already is such a header in existence: Do Not Track

      I have this set whenever I use various browsers, but the ad men just ignore it. Microsoft didn't help by setting the header by default in a version of Internet Explorer. That annoyed the ad men greatly, to the extent that they will have nothing to do with it.

  5. Dave Pickles

    As I understand the scheme, Verizon subscribers are SOL. However the rest of us can lend a hand by adding random UIDH headers to our HTTP requests. Advertisers will lose interest if the targeting (which they are paying for) becomes too polluted.

  6. P. Lee

    I'm surprised that this doesn't fall under wire-tapping fraud or some such thing?

    I thought messing with people's communications is usually a no-no in the US.

    1. solo

      Re: I'm surprised that this doesn't fall under wire-tapping fraud or some such thing?

      Unless you read the privacy policy of the host websites and rejected it by navigating away (that is impossible without visiting them at least once :)

      1. Sir Runcible Spoon

        Re: I'm surprised that this doesn't fall under wire-tapping fraud or some such thing?

        What has it got to do with the host websites? This header is being added to your data packets by the carrier, therefore it is being intercepted (and modified). Very dodgy ground.

  7. elDog

    The Verizon UIDH is added to the content headers

    After the HTTP request was completely built within the browser/client. I would imagine that any smart (dumb) reader of your HTTP requests would simply ignore fake ones injected during legitimate surfing and pick up the one illegitimately (and probably illegally) by your ISP.

    FWIW, I've submitted comments via to Verizon Wireless and the FCC and separately to VZW during a bill payment discussion. I say For What Its Worth because the corporations can't admit that what they're doing is wrong without getting slapped with lawsuits.

    I also use a proxy service (PrivateInternetAccess) which should prevent this type of behavior but might introduce its own flavor of tracking... Just sayin'.

  8. John Brown (no body) Silver badge

    Phorm on steroids

    ...but it's nice to see all that effort by Verizon to monitise their customers only for other ad networks to use it for free.

  9. Anonymous Coward
    Anonymous Coward

    In corporate America, government no track you, business does.

    In corporate America, government run by business.

  10. Anonymous Coward
    Anonymous Coward

    Ad industry behaviour

    "When he tried it, the cookie reappeared and the opt-out cookie had been deleted."

    Frankly they're actually their own worst enemy, and their behaviour is the best possible advertisement for adblocking imaginable. It doesn't fix the basic privacy issue, but at least it makes their tracking an irrelevance.

    I wonder when they'll start lobbying to have adblocking classified as terrorism and banned.

    1. Anonymous Coward
      Anonymous Coward

      Re: Ad industry behaviour

      No need to lobby, just ask their pals at Google not to allow adblock plus on the Play store...wait, what?

  11. Alan Brown Silver badge

    Thius is one of the best arguments...

    ...for https-everywhere that I've run into.

    1. Charles 9

      Re: Thius is one of the best arguments...

      Unless, of course, Verizon MITM's everything that goes through its network, meaning you're screwed no matter what you do. As I understand it, the injection occurs at their which is why you can't remove it (since it occurs at an upstream point beyond your control). The only reasons tunnelled connections aren't tagged is because Verizon's servers can't MITM them and recognize them for what they are.

      1. Sir Runcible Spoon

        Re: Thius is one of the best arguments...

        Whilst VPN's are presently immune, businesses already intercept user https traffic outbound and re-sign the keys so the user doesn't know it's been tapped.

        1. Charles 9

          Re: Thius is one of the best arguments...

          That's what I'm talking about. Verizon could easily do the same thing for any https request that goes through its network, allowing them to MITM the connection and still insert the supercookie, again at a point beyond your control.

  12. skeptical i

    Hangin's too good for 'em.

    re: "Turn absolutely respects a consumer’s opt-out preference when expressed in the only way the online ad industry is sure to recognize[.]”

    Hire Keanu Reeves and Bruce Willis to dive through the matrix to Turn's offices and reduce them, their machines, and their cloud to a smoldering hulk before frog-marching the perps responsible for this idea to the public square to be tarred and feathered? (The managers and CEOs, not necessarily the worker bees punching out the code.)

    This "if you use our service, we can do with you what we like" sense of entitlement has really gone too far.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hangin's too good for 'em.

      "The managers and CEOs, not necessarily the worker bees punching out the code."

      Why exempt the drones? They're taking money, they know what they're doing.

      1. skeptical i

        Re: Hangin's too good for 'em.

        I allow for the possibility that they have bills to pay and might not be able to switch jobs easily. Although they should have wikileak'ed a workaround, huh. Hmmm.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like