The Lowdown on Phone Carrier UIDH Injection

Over the past few days, media outlets have been reporting that Verizon has been inserting a string of letters and numbers called a UIDH into outgoing HTTP requests made by its customers. The string uniquely identifies a specific device. The diagram in Jonathan Mayer’s blog post provides a good picture of how the process occurs and how this string can be used. Basically, a website that receives the string can pass it along to an advertising exchange, which in turn pays Verizon for information on the subscriber that allows them to show more relevant ads.

Mayer’s post states that at a minimum, Verizon reveals the subscriber’s demographic and geographic segments. Verizon itself has admitted in a statement that “If a customer has not opted out of Relevant Mobile Advertising (“RMA”), Verizon’s ad serving partners will receive demographic and third-party interest based segments related to the UIDH to enable the service of relevant ads to the mobile device associated with the UIDH.”

As Mayer points out, part of the problem with this scheme is that it need not necessarily even involve Verizon. Literally any website can use this unique string to track its visitors, making the string a “supercookie.” If the same device visits the same site at two different times, it won’t matter if you’ve cleared your cookies; the site will know it’s the same device. PC World also points out that different websites that collaborate as part of an ad network could share information about the same device, allowing them to build a profile about its users. So although Verizon has denied using the UIDH to create customer profiles or to track where customers go on the web, this won’t prevent other websites from doing so.

There currently appears to be no way to opt out of having this string injected. Verizon claims that you can opt out from having targeted ads created, but this won’t stop the UIDH from being injected into your traffic.

Want to see if you are broadcasting a UIDH to every non-HTTPS website you’re visiting on your phone? Visit this site, which currently claims to let you test for “known AT&T, Verizon, Sprint, Bell Canada & Vodacom unique identifier beacons”. Sprint, however, has denied that it engages in this practice.
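The kind of check the test site performs, and the “supercookie” correlation described above, as an added example (not code from the post or from any of the test sites it links). It assumes the header name `X-UIDH`, which is the one Verizon is known to use; the sample requests and the identifier value are constructed, not captured traffic.

```python
"""Detect a carrier-injected UIDH header in raw HTTP requests, and show how a
site could tie visits together on that header alone, ignoring cookies."""
from collections import defaultdict

# Header names treated as carrier-assigned subscriber identifiers.
# X-UIDH is Verizon's; add others here if you confirm their names.
TRACKING_HEADERS = {"x-uidh"}


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 request into (request line, lowercased header dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_tracking_headers(raw: str) -> dict[str, str]:
    """Return any carrier tracking headers present in one request (the check
    a 'am I leaking a UIDH?' test page would run server-side)."""
    _, headers = parse_request(raw)
    return {n: v for n, v in headers.items() if n in TRACKING_HEADERS}


def correlate_visits(requests: list[str]) -> dict[str, list[str]]:
    """Group request lines by UIDH value. Cookies are never consulted, which is
    why clearing them does not stop this form of tracking."""
    seen: dict[str, list[str]] = defaultdict(list)
    for raw in requests:
        line, headers = parse_request(raw)
        uid = headers.get("x-uidh")
        if uid:
            seen[uid].append(line)
    return dict(seen)


# Constructed samples: two visits from the same device with different session
# cookies (as after clearing them), plus one request over a path that carried
# no injected header (e.g. Wi-Fi or HTTPS). The UIDH value is a placeholder.
SAMPLE_REQUESTS = [
    "GET /news HTTP/1.1\r\nHost: example.com\r\nCookie: session=abc\r\nX-UIDH: CONSTRUCTED-UIDH-1\r\n\r\n",
    "GET /sports HTTP/1.1\r\nHost: example.com\r\nCookie: session=zzz\r\nX-UIDH: CONSTRUCTED-UIDH-1\r\n\r\n",
    "GET /news HTTP/1.1\r\nHost: example.com\r\nCookie: session=def\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(find_tracking_headers(raw))
    print(correlate_visits(SAMPLE_REQUESTS))
```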

AT&T appears to be testing something very similar to what Verizon is doing. One difference, at least according to AT&T’s spokesman, is that AT&T will not inject a code into the IP packets of customers who have opted out. Without more evidence from actual tests of AT&T customers, however, it is difficult to verify this claim, especially when one researcher is disputing AT&T’s claim (made by the very same spokesman) that the code changes every 24 hours. If you’re an AT&T customer and want to test this, visit the test site, opt out here, then visit the test site again and see if there’s a difference. I would welcome your results in the comments.

Some sites report that it is possible to prevent the UIDH from being injected by Verizon by using a Wi-Fi network instead of your phone company’s network, using HTTPS, or connecting through a VPN. While this may be the case, there is also the issue of trust. According to Jacob Hoffman-Andrews, senior staff technologist at the EFF, “They are paid by their customers to be trusted conduit for data, and they should be sending that data through faithfully rather than trying to insert or remove things.” Users who trust their carrier should not have to take such measures to avoid having their traffic tampered with.
