Verizon revives "zombie cookie" device tracking on AOL's ad network
propublica.orgAOL’s ad network will be able to match millions of Internet users to their real-world details gathered by Verizon, including — “your gender, age range and interests.” ... AOL will also be able to use data from Verizon’s identifier to track the apps that mobile users open, what sites they visit, and for how long. Verizon purchased AOL earlier this year...
"I think in some ways it’s more privacy protective because it’s all within one company,” said Verizon’s (chief privacy officer) Zacharia"
Good to know she's looking out for our interests.
I think this happens pretty much everywhere a mobile carrier can profit from selling data about who's doing what. For example, Norwegian company Mobiletech.no has API access to the largest, Nordic mobile carriers' billing gateways and can turn an IP address:port pair from an HTTP/HTTPS connection into a MSISDN, sometimes with additional subscriber details. They're working with advertisers and analytics companies to help them count mobile subscribers instead of unreliable, cookie-based visitors. Similarly, mobile carriers in Denmark have been caught injecting HTTP request headers which leaked the subscriber's phone number, phone model, etc to arbitrary web sites. In Sweden, someone used a similar service to blackmail visitors who watched porn.
We only hear about this in mobile but I presume Comcast, Time Warner and friends do the same thing for broadband users, or is there some regulation that stands in their way?
For that matter I've always wondered why the tv industry pays so much for inaccurate Nielson data (sometimes still based on diaries) when presumably the cable providers have much more accurate data for many more users.
Because Nielsen gives them numbers they like. I'm sure the real data proves to advertisers exactly how few people really watch TV ads rather than skip/change channels/mute etc.
If so presumably the cable companies also know the networks are scared of seeing how many people flip channels during commercials and so they would package the data into larger chunks to hide this.
How is that legal in the European Economic Area?
They should be sued for that.
There is no way most customers are informed and intentionally consenting to them tampering with the HTTP requests they send to include their customer ID.
The obvious expectation of a customer of an ISP is that it sends the data through unchanged.
It's things like this that drive people to want HTTPS everywhere, but even that is subject to subterfuge when the provider inserts their own "trusted" certificates to proxy that traffic.
There really should be provisions in the telecom bill that data traffic is to remain absolutely untouched.
Just imagine phone calls where mentioning the word "pizza" would trigger an advertisement being injected into it.
I don't know of any ISPs that are currently MITMing HTTPS. That seems like something that would be big news and get a CA revoked. Do you have a source for that?
Not an ISP, but I think this was a reference to Lenovo's recent Superfish scandal.
[0]: http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with...
HTTPS is just transit data, they don't need to see that. They can still tell the sites you've visited and really they just want to ID you and optionally make that ID available to others who pay/participate in data syncing.
It's not about Verizon. Of course they know where their users connect to. But by injecting a special HTTP header field, they make it possible for third parties to track the user – for example an ad network that serves ads on sites the user visits. Regular cookies are limited to certain domains, but this header is added to every request, making it cross-domain. HTTPS would prevent Verizon from injecting it.
They may not be able to inject HTTPS, but they can offer an API that will map IPaddress:port to identity (as one mentioned here[1]), for only a bit more overhead than tampering with HTTP headers and without breaking TLS.
If they want to make some possibly non-standard protocol adjustments they mutually understand, they should be able to inject it, too. Researching the protocols/crypto to understand that more and trying to produce a POC are side-projects on my list, maybe some day.
The root of the issue is that your ISP often knows who you are, every site you connect to knows who your ISP is, and they have incentives to trade notes on you and few reasons not to.
I'm sure the three letter agencies also love it. But as we know now, the agencies don't have to rely on extracting cookies from intercepted traffic in this particular case: Verizon will happily go above and beyond the call of duty and betray the trust the customers put into them.
The HTTP header was really the lowest tech they could've used and feels like more of a stopgap.
Most ISPs will use tracking at a much lower network layer and provide APIs for partners to match up IDs on demand. No need for HTTP headers.
When I switched to verizon last year (shortly before articles about this last time).. I received a privacy notice in the mail. 1 page, front and back that covered this (and only this). It also had opt out instructions.
I remember it, because I had it sitting on my desk for a week before I got around to following the instructions.
It's on page 73, section 4, subsection i) of the terms of service.
It's very sad that I don't know whether you are joking because it's entirely plausible that they both have this in their TOS, and that their TOS is over 70 pages long.
The data is unchanged. Most ISPs have internal tracking for each request to see how network data flows. You can just think of this as Verizon leaving those tags on - and in this case it owns AOL so it's sharing within the same entity.
Not saying good/bad - just how they treat it.
Zombie cookies are ones that are added to HTTP responses by the ISP, so that even if the user clears their cookies manually or opens their browser in incognito mode then the tracking cookie persists.
I've left Verizon when the story first broke. The coverage I get from T-Mobile is not quite as good as Verizon was - but it is a small price to pay ...
... if indeed I'm getting any privacy in return. Which I'm not at all sure about.
Good call! That's the only way of making them change their ways. It doesn't hurt to complain and sue them, either.
I also changed my provider after the initial story. Originally went to tmobile but the service was terrible. Att removed their tracking header so I have switched to them now.
Well given that Experian leaked your SSN last week (if you gave it to T-Mobile), that's debatable.
I didn't. Neither did I give any to Verizon when I signed up (they said they can't, but after insisting they "graciously" agreed to get a $400 deposit instead).
Apple's already shown they don't like this behaviour with their randomised MAC addresses in iOS 8+. Obviously what this article references is done at the carrier level, not on open wifi networks.
I expect them to do something about this carrier-level behaviour next iOS. From a technical perspective, what could they do to prevent this?
Run everything from the phone through a VPN over iCloud servers, so all traffic from every iPhone in the world hits the internet as if it comes out of Cupertino? Install Tor as an OS-level feature?
Tor as an OS-level feature may not spark the best reaction. It's been given a bad name ("deep web," silk road, etc) in mass media and many people don't understand it enough to think of it as anything other than bad.
I think that it'd be cool to have, but I don't think that Apple would ever implement it.
Agree, it's phenomenally unlikely, but then again there is a part of me which could actually imagine Apple doing something like it. They wouldn't use Tor, of course, they'd build a proprietary equivalent, and then come out on a black stage to 'introduce Apple Undercover, a revolutionary enhancement to personal network privacy and security'.
I never dreamed Apple would in any way officially support, or even acknowledge the existence of, ad blocking.
Google makes money from ads, and now Microsoft is shifting towards that strategy with Win 10 being free etc. Apple on the other hand makes money from hardware, app store, 30% or whatever it is on ebooks and inapp purchases. I'm not really THAT surprised - only so much as I thought Apple would want a slice out of both pies, but it stands to reason that they can bleed much more from Google by blocking ads than they could gain from partnering with (or creating) ad networks.
It's an aggressive strategy.
Apple is only blocking internet ads, not in-app ads, which makes it obvious that they're targeting content creators to push them to either Apple newsstand or iOS apps, where Apple gets a cut of the ads.
It's disappointing because Apple is using their mobile marketshare to attack and fragment the open web. Users either don't understand or don't care because they have cognitive bias towards ads to begin with - e.g. people only attribute negative ad experiences to ads, never good experiences (w/ few exceptions like the superbowl).
Ads considerably degrade the browsing experience on mobile.
Most ads used to be in Flash which was blocked by default since not working on Ios, then everything turned into big and slow HTML5 stunts to replace Flash, which has the exact same effect as Flash : battery drain,... .
Apple, on the other hand controls the in-app anything experience.
Not saying to it's right , just saying that how Apple justifies its strategy.
To be clear, Apple is not blocking any ads. They are providing browser hooks to let people create ad blockers, just like (say) Google does on desktop Chrome. The difference is important.
Does anyone have a positive experience with ads on mobile?
Apple is not blocking any ads. iAd makes little money and Apple is letting apps that block iAds into the app store. I know some people will oppose Apple no matter what they do but in this case they and the majority of users are right and you are wrong. People have a negative view of advertising for a very good reason.
It would also make their phones seem bizarrely slow which is not very Apple like.
>many people don't understand it enough to think of it as anything other than bad.
And what could transform public opinion of the software to the positive, over night, better than Apple adopting it?
Installing it (and utilising it) as a default, pro-user, privacy-preserving tool would do a lot to improve its public perception.
They could encourage developers to support and prefer HTTPS – which is exactly what they are doing: https://developer.apple.com/library/prerelease/ios/technotes...
I really think we are way past the point where we need a serious regulatory adjustment on all of these large data service providers - I don't think any of them should be allowed to facilitate targeted advertising based on our browsing habits, our phone calls, or the content of our emails.
This is the state of ISP regulation in the US, providers willfully manipulating the payload they have been paid to transport.
I think a ISP that manipulates data beyond what is necessary for transport should lose it's immunity and associated privileges.
Lovely. https://www.verizonwireless.com/support/unique-identifier-he...
"Verizon Wireless will stop inserting the UIDH after a customer opts out of the Relevant Mobile Advertising program or activates a line that is ineligible for the advertising program. GOVERNMENT AND ENTERPRISE LINES ARE EXAMPLES OF INELIGIBLE LINES. The UIDH will still appear for a short period of time after a customer opts out of the Relevant Mobile."
Emphasis mine. This sort of clause is indicative that anyone with bargaining power would not put up with this. Business users are probably even more valuable to have data on, but the individuals just deal.
So I have a VPN I use already on my iPhone for sensitive things. Seems like I should use it all the time.
Is it possible to make a VPN connection mandatory on a consumer iPhone? It's really a pain having to reconnect manually after I haven't used it for a few minutes.
Yes.
getcloak.com is a combination app and subscription VPN service that makes it easy. You can either switch it on, or set it to always on. You can decide which wi-fi networks (or cellular) to "trust" (exception to always-on).
The VPN, including always-on functionality, is implemented by iOS. The Cloak app merely configures it via API (or via configuration profiles prior to iOS 9).
F-Secure's FreedomeVPN is a great persistent VPN service that also runs anti-tracking and other security features. The iOS app runs great and always connects over VPN.
In android this is (was?) a built-in feature, no need to install profiles or apps. I say was because it seems like Google is removing all the things I liked about android.
I wrote a small Heroku app a while back for viewing request headers: http://rocky-brook-3183.herokuapp.com/
Source for the site is here if you're interested: https://github.com/wyattjoh/HeadersCheck
Some of those headers are generated by the Heroku infrastructure
https://devcenter.heroku.com/articles/http-routing
Plus> X-Forwarded-For > X-Forwarded-Proto > X-Forwarded-Port > X-Request-Start > X-Request-Id > Via
Are all Heroku-generated headers> X-Request-IdExactly. I wasn't sure at the time what the name for the Verizon headers was, so I just showed all of them.
That's interesting. I see
using Firefox, regardless of whether "tell sites I do not want to be tracked" is unchecked or unchecked."dnt": "1"Could be a bug in Firefox, since visiting your site with Safari doesn't send the header at all (which is how it's supposed to work).
Edit: Sorry about the noise. It's not your site, and it's not Firefox. NoScript took it upon itself to set this header!
The article just below it indicates users can opt-out but mobile tracking is such a big business I sm sure that if it actually is possible, it is not easy.
Anyone have good privacy resources for mobile/iOS. My phone security is nowhere near where it should be.
You can visit http://checkyourinfo.com to see all of the HTTP headers your device is sending in requests, including any your ISP may tack on.
Disclosure: I maintain the site
Nice! I'm seeing an `X-Uidh` attribute in my request headers, is that the Verizon Zombie Cookie?
Looks like that's the one: http://www.verizonwireless.com/support/unique-identifier-hea...
Not that I approve at all of what Verizon is doing, but apart from the item about opting out ("Verizon Wireless will stop inserting the UIDH after a customer opts out of the Relevant Mobile Advertising program"), this stands out:
They plan to (eventually) only send this to Verizon-owned (or contracted) servers. This has two roughly equivalent corollaries:
1. They don't need to use a header for this because they can trivially accomplish the same thing with a database of IP addresses.
2. They can trivially accomplish this with a database of active IP addresses, so it doesn't really matter if they use a header or not.
Incidentally, other ISPs do this too, but for more benign reasons because they don't (as far as I know) own an ad network: for example, T-Mobile automatically logs you in to My T-Mobile when you access it over 3G. Basically, if your ISP wants to track you, they will have no trouble with this (except to the extent that they can be stopped with SSL). You'll just have to switch ISPs, if possible.
Don't forget to turn off wifi if you want to see the identifiers your provider adds.
I use http://lessonslearned.org/sniff . I check it reflexively every so often, as Verizon has at least once re-enabled the super cookie after I had disabled it. That site checks for cookies from other carriers as well.
I find myself cynically wondering, if such a site becomes bothersome to those placing tracking cookies (and the site mentions articles in Wired), how long it would take before they would disable adding them for destinations known to be revealing it?
I guess it could be automated in a small way too, such that if the cookie was detected as being returned to the browser then the site gets flagged and it won't get it again.
Alternatively, only add the cookie when requesting pages from partner sites known to be tracking it.
Super cool thanks. Still can't figure out why I can't connect to HN, but no tracking beacons which is nice.
If your ISP really wants to provide customer/household level tracking to advertisers/partners, they could easily provide an API to them like getCustomerId(IPAddress, Timestamp).
It's not entirely clear from the article whether it's "Set-Cookie" being injected in to replies, or the "Cookie" header in to requests, or both.
Interesting times nonetheless.
It is an http header: X-UIDH added to http requests
It occurs to me that a mischievous person could easily write a Firefox plugin to (over)write that header with random garbage. If enough people used the plugin, it would render Verizon's data useless.
except that the ISP is adding this header. They could (or do already?) just replace your header with their own..
Yep, and Verizon does. They will overwrite your header.
Opt out [instructions](http://www.techlicious.com/blog/verizon-uidh-supercookie-tra...).
Previously: https://news.ycombinator.com/item?id=10354692
There's a lot of randomness in what gets traction on HN, so sometimes a story needs to be posted a few times before it does. So we don't consider reposts to be duplicates until the story has had significant attention on HN (see https://news.ycombinator.com/newsfaq.html).
One downside is that the original submitter of a story doesn't always end up with the karma for it.
Hey dang,
Thanks for getting back to me quickly yesterday and restoring my old hn name. I still seem to be unable to connect from my entire network, and I have gotten a few arbitrary upvotes, but no one has responded to any comment or submission since yesterday. Coupled with connectivity issues, would you mind double checking there is not a ri.ri.cox.net ip address that was banned at a software level, begins with 72 and ends with 48. Sorry to reply here, just trying to confirm if i am visible. Thanks for the reply yesterday, cheers.
======================
Edit
====•==================
i somehow am having traffic timeout to most cloudflare severs. Sorry to bother you again, you were super helpful. Going to try and figure this out or find a direct ip if it exists. Super fast, really pleasant response yesterday. Thanks again. I am def. visible.
i somehow am having traffic timeout to most cloudflare severs
I had all sorts of intermittent problems like this about 18 months ago. In my particular case it was
Dan and I went back and forth a few times in email but didn't conclude anything before things cleared up. I haven't seen the problems since.The web server reported a bad gateway error.One thing to try is to set up a Personal Hotspot on a phone, and point your laptop at that. In my case I would still see the same errors.
Good luck.
Edit: this may be nothing but IIRC I had more problems trying to access HN anonymously than if I was logged in. Sounds crazy, but most intermittent problems are exactly that: crazy.
What exactly is the big aversion to tracking? The vast majority has shown (via actions, not internet noise) that they don't care so what exactly is the big downside?
Not arguing for/against, just want to know reasons beyond "i just dont like it".
Zombie cookies in particular are insidious -- while you are actively trying to conceal your identity by proactively deleting cookies or using incognito mode, your ISP re-adds them without your consent.
This kind of aggressive and underhanded behavior should be shamed as it violates the trust that users have in their ISPs.
A lot of this came about because of the "war" on the 3rd party cookie which was unfairly demonized.
I get why zombie cookies are bad as it takes control away, but what is the issue surrounding plain tracking of behaviours? So what if a company knows the history of sites you've visited - what does this do against you?
Since this is tied to an account, it means data that never dies. While currently unlikely, imagine being vetted for a job by the websites you visit. Do you want an employer to be able to purchase your online history? There's more to hide the the usual things like pornography or political sites. Imagine you've visited several competitor employers, including past job listings. One could easily deduce you likely applied and failed if the job listings no longer exist and you're applying for this new job. Perhaps this makes for a lower offer on the new employers behalf.
I could invent many hypotheticals in this vain but privacy is something worth protecting.
Makes sense. Isn't this more of an issue of discrimination and what data a company can have access to?
Are employers getting access to search data today? I'm not sure that's happening. Most 3rd party tracking isn't that accurate in coming up with interests/segments for the user in the first place and 1st party data is well protected in that it's what gives the holder value.
I think privacy is important, but there a lot of levels here and browsing history (while valuable) for advertising is not as big of an issue as other wholesale data collection that we see out there.
> Are employers getting access to search data today?
The more it's used, the cheaper it becomes to collect and sell. The issue is never about how it is used today; always about how it can be used in the future.
You can always find a way to work for yourself and avoid passing an employer background check. I'm more worried about political parties and private eyes -- blackmail, extortion, ugly divorce proceedings, etc. This can have a chilling effect on free speech and curiosity.
The Jacob Applebaum talk explaining linkability.[1]
Anyone who has access to any website where you logged into an account you publicly admit to owning can link your public identity to any private/anonymous persona, given another marketing data source. Verizon "owns the data", but not really. They are the original owner of the data, but eventually Expirion (target of the recent T-Mobile-Experion data theft) and the other credit reporting agencies will have your X-UIDH. Facebook, Twitter, and Google will know as soon as you log in once. They will be able to identify all of your accounts, perhaps even if you use a VPN.
As with any other high tech tracking, the average end-user is either unaware of the zombie cookie or unaware of the full capabilities of the linkability of it.
You're making the https://en.wikipedia.org/wiki/Nothing_to_hide_argument except for corporate surveillance instead of state surveillance.
Not making an argument - I'm trying to get real examples of everyone's argument of what they're losing, in terms of actual effect against them.
I get that most people have uninteresting data but don't want it collected anyway, but what happens if it is? (Because it is right now). What is it doing to them today? More targeted ads? More spam? More...? That's what I'd like to know.
Anytime you are questioning privacy, you can simply make it about clothing to immediately show how ridiculous anti-privacy statements really sound.
>I get that most people have uninteresting genitals but don't want it seen anyway, but what happens if it is? (Because it is right now). What is it doing to them today? More targeted ads? More spam? More...? That's what I'd like to know.
>What exactly is the big aversion to nudity? The vast majority has shown (via actions, not internet noise) that they don't care so what exactly is the big downside? Not arguing for/against, just want to know reasons beyond "i just dont like it".
I'm not saying you're taking a stance against privacy by any means, but changing only a single word in your statements makes them laughable. Would you tell someone embarassed about a wardrobe malfunction in public that you just couldn't understand why they would feel uncomfortable? How about someone who is the victim of identity theft? Now extend that to someone who's entire internet browsing history was made available to corporate and governmental institutions.
I don't want my privacy violated because it makes me feel violated - why should anyone need a better reason than that?
lastly, think about what we would classify as 'creepy facebook stalking' by a person - why should corporations and governemntal institutions be immune to that creepy classification?
One thing that appears to be happening is that some companies are selling information about which users are going to medical sites like WebMD and what they're viewing. I'm concerned that my insurance rates will change because I looked up an obscure disease. I can't prove that that the data is being used that way, yet, but it concerns me.
They're losing trust, control, and piece of mind. Like if a bully comes up to you and pretends to punch you in the face every day: you can't just say "oh, I'm not hitting you" and think what you're doing is ok. It forces people to be cynical and defensive, and people don't want to be cynical and defensive.
Please, publish your browser history on Pastebin and let's see what we can figure out about you.
Ok, I get it. But then what? How is this being used against you? Better (so called) ads? Is it just a innate feeling of not wanting it tracked?
It's 2015 and you've never heard of Social Engineering?
It takes a small attack surface and multiplies it exponentially, making you more vulnerable to any criminal out there.
Is not wanting your identity stolen enough of a reason?
What does social engineering have to do with this? What about Facebook/Twitter then - considering how much information people willing share?
Social eng. is more of an issue in dealing with people and public information, not private analytics.
Again, you're making the argument that because someone doesn't understand how something can affect them negatively that you should be allowed to take advantage of that.
That is literally called FRAUD in the US: "the deception of someone for the purpose of financial gain".
and stop calling it private, it wont be fucking private when (not if, but when) your network gets breached.
All the big tech companies have had data breaches, but suddenly your network is going to out-shine them all? God that's laughable.
Oh, and when that happens, you will be sanctioned by every consumer protection agency, and bankrupted by class-action suits. Have fun!!!
It's not just "a company", it's many companies. They're injecting this header into every request you make which is visible to the servers you connect to.
It makes any positive steps you've taken to protect your privacy utterly meaningless.
The "vast majority" aren't even CLOSE to being INFORMED, so saying they don't care is complete bull-shit.
The "internet noise" is everyone who actually understands what's going on, and is rightfully upset.
What does informed mean? If it's articles and news stories, haven't there been countless of those?
Just last week there was a local primetime news story about internet history collection. But it hasn't at all stopped the usage of Google, Facebook or the hundreds of services that collect data. The issue with surveys is people will always say one thing but will do something else. Thoughts/words != actions.
At what point and how do we measure education vs apathy and decide which is true?
Well, imagine a world where every site you visit, every purchase you make, etc. is tracked and a score is assigned to you. Imagine that the activity your friends undertake also affects this score.
Now, imagine that it's happening in China.
You don't have to. They're actively building it.
Advertisers in the US would kill to get that kind of an individualized profile. So would insurance companies, credit card issuers, etc.
How long before you employer demands access? Because guaranteed that someone in Congress would agree that it's a good idea.
How long before Homeland Security becomes interested?
To all the downvotes - Why? It's sad that asking any opposing questions around here leads to this.
I am sorry to see the down votes happen, but I can tell you that seeing your questions bring up memories of conversations I've had with friends and family about this issue. They, too, were curious about the issues of tracking and cookies, but in my experience nobody's opinion changes beyond their initial gut reaction, and extended discussion on the topic do not result in much listening-- only non-stop talking. So I wonder if the down votes in this thread are a silent attempt to discourage discussion along this route to prevent a flame.
Pretty much everything has been discussed to death these days, doesnt mean new conversation or new learnings cant happen.
We'll never if we dont even start that discussion. I just expected HN to not act like reddit or other sites that downvote for disagreement.
It's none of their business what sites I've been to.