An Update on Verizon’s UIDH Injection

In October last year, I posted a summary of phone carriers injecting unique identifiers into outgoing http requests made by customers. From the perspective of privacy, the main problem with this scheme is that it provides a way for third parties such as advertising networks to uniquely identify their users without using cookies.

Recent developments show that this threat is not merely theoretical. John Mayer recently discovered a company called Turn using Verizon’s UIDH to track consumers. Specifically, Turn was using a technique referred to as cookie respawning. In short, whenever you think you’ve deleted all your cookies, Turn uses Verizon’s UIDH to restore the same ID to any new cookies that are set, thus rendering cookie deletion useless. Cookie respawning is not a new technique. Samy Kamkar’s proof of concept evercookie provides a good demonstration of the technique; one that you can try in your own browsers. According to Kamkar, “if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.” Nevertheless, Verizon’s UIDH does add a new vector for cookie respawning, thus making the technique even more dangerous than it was before.

Another potential problem Mayer identified is cookie syncing, which occurs when multiple sites pool together the information they have. For example, if adsite1.com identifies you in their cookie as user123 and adsite2.com identifies you as user456, adsite1 and adsite2 can perform cookie syncing by sharing the identifier they’ve each assigned to you. Now adsite1 knows you are user456 on site2 and adsite2 knows you are user123 on adsite1. Using these identifiers, both advertisers can then combine all the information they each have on you to form a far more comprehensive picture of your browsing habits.

Verizon is hardly an innocent bystander in this privacy fiasco. By not allowing customers a way of opting out of having the UIDH injected into their surfing, Verizon is the company that makes UIDH tracking possible. According to Mayer’s testing, Verizon’s opt-out does nothing to prevent the UIDH from being sent; Verizon’s own statement, which I quoted in my last post on this topic, shows that it merely prevents Verizon from sending the user’s demographic and geographic segments to its ad partners. In fact, by selling the information of users who haven’t opted out, it’s profiting by acting as a data broker.

The question here isn’t whether we can prevent the injection of the UIDH by using a VPN. The question is why users should have to allow companies like Verizon to profit at the expense of their privacy. Even their rival AT&T stopped this despicable practice in November 2014. It’s time for Verizon to do the same. The EFF has started a petition asking the FCC and the FTC to take action against Verizon and Turn for violating user privacy.

Leave a Reply

Your email address will not be published. Required fields are marked *