If you are using data as a Verizon Wireless customer, Verizon is tracking you. Not only that, but their method to ensure that you can't navigate around it makes your unique identifier visible to every website you visit. The injected data has been called a "supercookie," a term that reflects the fact that it is not removable like a tracking cookie. Now, recent reports show that at least one third-party ad agency has been using Verizon's supercookie to track users after they have deleted cookies or opted out of data collection.

How it works

Technically speaking, what Verizon is using is not a cookie or supercookie or any kind of baked good. It is what they call a "unique identifier header" (UIDH), a code injected into the HTTP request headers of each page you request while browsing on their network. HTTP request headers are part of the information your device sends to the server of the website you're visiting; their main function is to ask the server to send the webpage to your computer/phone/tablet. They also carry some information that helps the server choose the correct version of the page, such as what browser and operating system you use.

Here's an example of the header generated when I visit Android Police:

GET / HTTP/1.1
Host: www.androidpolice.com
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0 Waterfox/34.0
Accept-Encoding: gzip
Accept-Charset: ISO-8859-1,UTF-8;q=0.7,*;q=0.7
Cache-Control: no-cache
Accept-Language: de,en;q=0.7,en-us;q=0.3
Referer: http://web-sniffer.net/

This is part of the backbone of how the Internet works. The "http://" at the beginning of a web address signals that your browser and the website are talking over plain HTTP, where the request and its headers travel in cleartext. Nothing in them is treated as private (the HTTPS protocol, which encrypts the exchange, is helping to change that, though). Your ISP can read these headers, and because it sits in the path it can also alter them before they reach the site; so can anyone on the same local network, plus those with access to the server of the website you visited.

What Verizon is doing is adding another line that looks like this (example from Jonathan Mayer):

X-UIDH: OTgxNTk2NDk0ADJVquRu5NS5+rSbBANlrp+13QL7CXLGsFHpMi4LsUHw

That code signals to the website you visit that you are a Verizon customer and that you are the particular Verizon customer who has that identifier. The ads being served on the website are determined in part by the UIDH, because cooperating ad providers hold an instantaneous auction based on the personal data of the visitor, obtained from Verizon via the identifier. To see it visually, here's an image from security researcher Jonathan Mayer's blog:

Why it's bad

On its face, this isn't all that unlike other targeted advertising techniques. There are a few key differences, though:

  • The UIDH is in the HTTP header
  • The identifier comes from the ISP, not a third party
  • There are no true opt-out options

The fact that the UIDH is in the HTTP header means that the user has little control over who accesses this information. The obvious worry from the get-go is reidentification, in which someone attempting to be private is unveiled by connecting their browsing activities together. This method is also unusual because the injection happens on Verizon's network rather than in the browser: it is applied to every unencrypted HTTP request your device makes, so it tracks your activities in apps in addition to browsers.

Upon hearing about this in November, Internet activist group the Electronic Frontier Foundation warned that third parties would abuse this feature. And they did. Twitter has been using information obtained through the UIDH in their ad auctions and now major ad processor Turn has been caught doing something even more sinister. Turn, which has a formal marketing relationship with Verizon, has been using the UIDH to reidentify users who have deleted Turn's tracking cookies or opted out of tracking.

For example, suppose you visit one of the many websites that have Turn tracking code. A Turn cookie is set in your browser, with its own UID to keep track of your browsing habits. This is standard ad tracking, so far. When you visit another Turn-serviced site, your browsing info and whatever other information their database has about you is used to drive up the price of targeted ads. Now, suppose you are privacy-conscious and regularly delete your cookies.

According to Mayer's research, the presence of Verizon's UIDH causes the subsequent cookies set by Turn to carry the old Turn UID, linking your browsing before and after the cookie deletion. Normally, Turn would see you as a new user after deleting the cookie. This is justified, they say, because they are merely improving the targeting and treating the deletion of the cookie as non-intentional. People have called this sort of behavior a "zombie" cookie. Turn has an opt-out cookie available, but interestingly enough this part of your profile is not resurrected when you are re-identified via the UIDH. It couldn't be because they don't give a damn about your actual preferences, could it?

Here's a quick review, thanks to ProPublica:

Also of note, as pointed out by the EFF, is that Turn engages in a process known as cookie syncing. This means Turn shares your info with other ad partners to gain a fuller picture of the user, thus improving ad targeting. Not only do they reidentify you with UIDH, they then share that info with others.

Mayer also adds that Turn has done this in a really obvious way, and it is likely that others are reidentifying users in a way that is less detectable. He could tell this was occurring because the Turn cookie had the same UID before and after deletion; they could just as easily use a different UID that they know is for the same user, but the user would not recognize.
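As an added example (not code from the article, from Mayer's research, or from any of the companies named), the following Python does two things the text above describes: it parses a cleartext request like the one shown earlier and reports whether an X-UIDH header was injected, which is all a check like amibeingtracked.com needs to do, and it runs Mayer's observation over a constructed tracker log, flagging a UIDH whose old cookie UID is reissued after the user cleared cookies. The log records and the turn-* cookie values are constructed; the UIDH value is the one quoted in the article.

```python
from typing import Dict, List, Optional, Set

# Constructed sample: the article's request with the carrier-injected X-UIDH line appended.
SAMPLE_REQUEST = """GET / HTTP/1.1
Host: www.androidpolice.com
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0
Accept-Encoding: gzip
X-UIDH: OTgxNTk2NDk0ADJVquRu5NS5+rSbBANlrp+13QL7CXLGsFHpMi4LsUHw
"""

def parse_request(raw: str) -> dict:
    """Split a cleartext HTTP/1.1 request into its request line and a dict of headers.
    Header names are lowercased because HTTP treats them as case-insensitive."""
    lines = raw.strip().splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}

def injected_identifier(raw: str) -> Optional[str]:
    """Return the X-UIDH value a site would receive, or None when none was injected."""
    return parse_request(raw)["headers"].get("x-uidh")

# Constructed log from a tracker's point of view: the UIDH seen on the request, the
# tracking cookie the browser sent (None once the user deleted cookies) and the cookie
# value the server set in its response (None when it set nothing).
SAMPLE_LOG: List[Dict[str, Optional[str]]] = [
    {"uidh": "UIDH-A", "cookie_sent": None,        "cookie_set": "turn-1111"},  # first visit
    {"uidh": "UIDH-A", "cookie_sent": "turn-1111", "cookie_set": None},         # normal return
    {"uidh": "UIDH-A", "cookie_sent": None,        "cookie_set": "turn-1111"},  # cookies wiped, old UID reissued
    {"uidh": "UIDH-B", "cookie_sent": None,        "cookie_set": "turn-2222"},  # first visit
    {"uidh": "UIDH-B", "cookie_sent": None,        "cookie_set": "turn-3333"},  # cookies wiped, fresh UID issued
]

def detect_zombie_cookies(records: List[Dict[str, Optional[str]]]) -> Set[str]:
    """Flag every UIDH for which the server handed the previously issued cookie UID back
    to a client that arrived with no cookie at all: the resurrection Mayer observed."""
    last_issued: Dict[str, str] = {}
    zombies: Set[str] = set()
    for r in records:
        uidh, sent, issued = r["uidh"], r["cookie_sent"], r["cookie_set"]
        if sent is None and issued is not None and last_issued.get(uidh) == issued:
            zombies.add(uidh)
        if issued is not None:
            last_issued[uidh] = issued
    return zombies
```

A tracker that rotates to a fresh UID it secretly maps to the same person, as Mayer warns others may do, would pass this check; the same-UID pattern is only the obvious case.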

Back when Verizon started injecting the UIDH, more than just the EFF voiced concerns. Verizon's FAQ on the program says not to be worried:

It is unlikely that sites and ad entities will attempt to build customer profiles for online advertising or any other purpose using the UIDH

...

other permanent and longer-term identifiers are already widely available in the wireless area and could be used to build customer profiles. For ad tech entities that have a presence on many websites, the UIDH does not provide any information beyond what those entities have by virtue of these and other already existing IDs.

Also mentioned is that the UIDH is changed periodically for each user, though the timeframe is unspecified. Knowing that your browsing activities are only broadcast publicly for small chunks of time is so reassuring, isn't it? The other aspect of the explanation, that the UIDH is no different than other public information, is simply false. Verizon wouldn't use it if that were the case.

Lastly, neither company provides a real opt-out. In both cases, your data is still collected. Verizon continues to inject the UIDH. They just don't show you targeted ads. The ads themselves aren't most people's problem with the program, though. It's the data collection and the public exposure of identifying information. Both Mayer's research and replication by ProPublica confirm that the collection and injection persist after opting out.

What you can do

Most common privacy-protecting measures won't do you much good. Deleting and blocking cookies is ineffective. Using a privacy-oriented browser or incognito mode won't do, either. You have one real recourse: use a VPN. With a VPN, your requests travel from your device to the VPN provider inside an encrypted tunnel, so Verizon's network sees only encrypted packets and has no cleartext header to inject into; the request reaches the website from the VPN provider's end instead. Trustworthy VPN providers cost money, though, and aren't very convenient on Android. Still, this is your best bet.

You could also stop being a Verizon customer, if you are one. Being locked into a contract may leave you with little recourse, though. It may be worth noting, too, that AT&T pilot tested a program similar to this last year, but appears to have stopped doing so.

To see if you are being tracked, try visiting amibeingtracked.com from your mobile device.

Jonathan Mayer via Techdirt