Verizon Injects Unique IDs Into HTTP Traffic
An anonymous reader writes: Verizon Wireless, the nation's largest wireless carrier, is now also a real-time data broker. According to a security researcher at Stanford, Big Red has been adding a unique identifier to web traffic. The purpose of the identifier is advertisement targeting, which is bad enough. But the design of the system also functions as a 'supercookie' for any website that a subscriber visits. "Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required. ...while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user."
Just like they said they would.
This should be illegal. People have a right to try and avoid being tracked. There has to be a way to prevent this. I'm a sysadmin, not a network guru, so I will defer to those smarter than me here...
Fucking scumbags.
Carriers have done this for years. Most carriers require a white-listed relationship with the destination.
Does this header remain intact if one uses Tor? I don't know enough about it offhand.
Will tell them to go fuck themselves on this, and make them stop...
They should offer this to the user as an option, where the user has to pay less when tracking is enabled. Otherwise this is abuse of market power to make users agree to being tracked.
Everyone was targeting mobile use because that's what the average slob uses, remember Facebook's panic because they couldn't find the right model for mobile?
How many other methods are in use? Who else is using this method? (ATT?)
Are agencies like the NSA doing something similar?
"If any question why we died, Tell them because our fathers lied."
This mentions Verizon wireless does that mean just wireless or also dsl and fios?
Does anyone know if FIOS internet uses the same system? I don't have a Verizon Wireless account.
They can't inject into secure traffic. HTTPS solves this problem too.
Every person browsing the web today should be using the HTTPS everywhere extension.
To forestall the typical slashdot objection: No, it's not perfect. That doesn't mean it isn't damned useful.
Step #6 image should have been this instead:
https://doodleaday.files.wordpress.com/2012/03/doodle-1016-money-bags.jpg
I think it illustrates what's happening more appropriately...
Just wondering. Thanks!
I wonder... if we wrote addons for popular browsers that would inject bogus X-UIDH headers into every request, whether we could make this kind of inappropriate privacy intrusion prohibitively expensive. If it works as he surmises, maybe we can overwhelm Verizon's ad exchange platform with meaningless data.
I mean, truth as boolean is true, world revolves around spending time to find what is real when you are truthful to it, but what computers do is basically differently human nature itself, so internet also can't be taken as whole assimilation, of course, only if you want it to be like that, you basically are not making websites with more than expectation of what is truth.
Insert 10 random X-UIDH headers in the same place Verizon will, randomize them seeded based on the date and device ID (not the time), what could they do?
My router injects a unique identifier into every packet it sends. The manufacturer claims they can't turn it off. Yeah, probably under pressure from the government. But I'm building my own open source router that blanks out everything—MAC, IP, you name it. I'll be invisible to everyone. Take that, Orwellian bastards!
How can I believe you when you tell me what I don't want to hear?
I use Millenicom, which resells 20GB Verizon Wireless bandwidth in blocks. X-UIDH header is not set under their platform.
My contract is up. Time to pick up an unlocked Nexus and find a MVNO I like.
God. it's like you people don't even appreciate the value added service they are *GIVING* away here. Who wouldn't want to see more perfectly tailored and targeted ads -- some of which even include *VIDEO* again, completely for free.
You have to pay for cable right? The same thing applies, you're getting the service you paid for (TV shows, home shopping channels) with the added bonus of free to view advertisements.
In both cases they're simply giving away high quality, hopefully relevant audio and video. I think that's super generous of them.
And for no charge! And yet, you people still bitch. Absolutely shameful.
Has anyone determined whether they are only doing this to their wireless customers, or are they doing this to fios customers as well?
Verizon is a bunch of assholes.
Just install HTTPS Everywhere from the EFF : https://www.eff.org/HTTPS-EVERYWHERE
It makes your browser try to encrypt all traffic, some sites break, but all good sites work.
Also : Dump Verizon. LOL
Don't want your carrier messing with your traffic?
Use HTTPS.
So Verizon, tell me, who's the narcissistic vulnerability pimp now?
Google knows way more about you than Verizon ever will. Get over it, who gives a crap.
that will cure the disease.
The header is signed so the boundary of their system can reject it with a simple computation. They have not implemented it well, but if they did, random IDs would do little.
Just another reason not to spend your money with Verizon.
It's safer for a supermodel to walk down MLK in your favorite large city naked than a homely woman to walk from one end of Fort Hood to the other, wearing ACUs after dark. When soldiering becomes less of a duty and more of a way to delay starting out your life of dismal poverty, you start making the wrong kind of army.
I have come to the conclusion that anything the geek says about women, rape or the military needs to be fact-checked.
A cash-strapped female soldier told a Fort Hood hearing board Tuesday about how a noncommissioned sexual assault prevention officer on base forced her into a prostitution ring so she could buy groceries for her child.
The private testified against Sgt. 1st Class Gregory McQueen during a proceeding similar to a grand jury hearing. McQueen could face some 21 criminal charges if he is slapped with a military court-martial.
''Basically, it was having sex with higher ranking officers for money," the woman told the board.
The private, who was 20 and struggling as a single mother of a 3-year-old child at the time of the alleged prostitution, was granted immunity in return for her testimony. She told the board how McQueen snapped pics of her naked to distribute to potential clients. The two also had sex so McQueen could see how she would ''act out'' with clients.
McQueen, who has since been relieved from his sexual assault prevention duties, faces charges of pandering, conspiracy, adultery and sexual assault.
Another female private claims McQueen sexually assaulted her when he tried to recruit her into the military sex ring.
That woman told investigators that McQueen ''preys on young females who are in bad financial situations and that he keeps their pictures on his cell phone,'' the Austin American-Statesman reported in December.
Fort Hood sexual assault prevention officer ran on-base prostitution ring: witness [June 3, 2014]
This one is easy, easy, easy to kill. Your headers to the webserver are a copyrighted creative work if you customize them at all. Verizon is creating an unlicensed derivative work. Any legal eagles willing to run with this?
And lose access to several websites. Slashdot, for example, redirects HTTPS hits to HTTP for non-subscribers because ad networks have been slow to implement HTTPS. And a lot of shared web hosts don't support HTTPS because their policies haven't been updated in the six months since the last major Server Name Indication-ignorant desktop web browser (IE on Windows XP) reached end of support in April. But HTTPS support is the second biggest reason I stopped going to TV Tropes in favor of All The Tropes (after licensing).
Stop using Verizon.
Every Verizon Wireless customer join in and sue them for the invasion of privacy that this is.
Sue them out of existence.
A technique of dumping crumpled bits of aluminum foil from B-29 aircraft while bombing sites in Germany during WWII.
They could remove your headers and add their own.
Then problem goes away!
Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
Usually when people discuss military spending (or military resources in general) it is either "it should be higher" or "it should be lower" without specifying what's the current or the desired level.
I had to look up the numbers and it seems that USA has 1.4 million active frontline personnel and another 900k of active reserve. That puts USA at 2.3 million men before having to resort to drafts. I understand that a large portion of that is some sort of supporting staff but to me, as a layman, that still seems like quite a few men.
So could you, for the sake of discussion, specify what is the 2.3 million qualified men too low for? Let's say that we make the qualifications a bit more difficult than they are now and weed out the people that, based on some psychological evaluation, are most likely to rape fellow soldiers (While accepting that there will be false negatives and false positives). Maybe that reduces the manpower over time to a mere 2.2 million qualified men? It stills seems like an adequate size for a military?
The thing is, this isn't just about rape. Raping fellow soldiers is so obviously wrong and so widely judged that if the military can't police that, it makes me very uneasy about the way crimes against foreign civilian population, etc. are being policed.
Even though HTTPS isn't perfect as Heartbleed and the various TLS bugs have demonstrated, it certainly would help. Perhaps Slashdot should consider HTTPS!
Just install HTTPS Everywhere [...] all good sites work.
You appear to call Slashdot not a good site. It redirects all HTTPS hits from non-subscribers to HTTP.
In order to stop being a Verizon customer, someone who requires home or mobile Internet access for his way of life might have to move his family away from territory serviced by Verizon, either as the DSL ILEC or as the only wireless carrier with acceptable coverage. Consensus in comments to previous Slashdot articles is that almost nobody is willing to spend the time and money to move just to change ISPs.
Ultimately, utility monopolies arise from cities' ownership of their roads. The solution is for a city to bury empty conduits when it repairs the roads, and then competing ISPs can blow their wires through those conduits.
For all users other than subscribers and karma-capped users who have checked "Disable Advertising", Slashdot is funded by advertisements. Using an HTTP ad network from an HTTPS site would be blocked as mixed content, and HTTPS support among ad networks is very new. AdSense, for example, didn't support HTTPS until September of last year.
Tell that to the operators of ad networks. If the ad network is HTTP while the rest of the page is HTTPS, it gets blocked as mixed content. That's probably why Slashdot redirects non-subscribers' page views to HTTP.
First, so far as I know (and I know, since my company uses the X-UIDH header) the process to get access to the translation of this ID (which is an encryption generated by Verizon and translated through calls to an internal API) is about a 4 year contract negotiation.
Secondly, the UIDH does rotate every week. In other words, it's useless as a tracking cookie unless you have the aforementioned contract with Verizon.
Thirdly, the X-UIDH is supposed to be sent only to white-listed IP addresses, namely the IP address of companies with a contract. Verizon is having issues with this due to how they implemented X-UIDH and are currently doing tests where they've turned it on for whole markets on every call as a stop-gap.
Finally, using this code for advertising is specifically forbidden by that contract.
Yes, I'm posting AC as I don't want to endanger said contract negotiations for my company.
Now under the law I believe they are required to protect this information. If the state of California has decided that a Zip code is PII, then this identifier certainly is. Roll the plaintiff's attorneys.
I am not an HTTP expert. My protocols are so old you probably won't know them!
- How do I determine if my ISP is doing this? Will Firebug do the job or do I need a protocol sniffer?
- How can we determine which ISPs are doing this?
- How can I challenge my own or possible future ISPs?
It strikes me that the first step is to document this. Will some kind (and expert) soul do this? Perhaps a Wikipedia page? If you don't grok Wikipedia then I (and many others, I am sure) can do the formatting if we have the information - with references.
Go to http://www.xhaus.com/headers from your AT&T device - disable wifi and your vpn ;) - you'll see two header fields: Via, which emits your location, and X-Acr, which will never ever change (check back after a phone restart or go to a different header reporting site to check). According to AT&T customer support you cannot opt out of this.
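The question above asks how to check whether a carrier is adding tracking headers. Here is an added example, not from the thread or from xhaus.com, of the server-side check in Python: a minimal header-echo server that reports whether the X-UIDH or X-Acr headers discussed here appear on an incoming plain-HTTP request. The header descriptions, the listening port and the sample request are assumptions constructed for illustration.

```python
"""Flag carrier-injected tracking headers (X-UIDH, X-Acr) on incoming HTTP requests."""
from http.server import BaseHTTPRequestHandler, HTTPServer
import json

# Header names named in this thread. A carrier adds them on the path between the
# handset and the origin server, so they are only visible on the server side and
# only on unencrypted (plain HTTP) requests.
TRACKING_HEADERS = {
    "x-uidh": "Verizon Wireless unique identifier header",
    "x-acr": "AT&T X-Acr identifier",
}

# Constructed sample request, not a real capture.
SAMPLE_REQUEST_HEADERS = {
    "Host": "headers.example.test",
    "User-Agent": "Mozilla/5.0 (constructed sample)",
    "X-UIDH": "constructed-opaque-token",
}

def find_tracking_headers(headers):
    """Return {lowercased header name: value} for every known carrier header.
    Works on a dict or on the email.message.Message that http.server provides;
    matching is case-insensitive because HTTP header names are."""
    return {name.lower(): value for name, value in headers.items()
            if name.lower() in TRACKING_HEADERS}

def describe(headers):
    """One-line verdict for a request's headers."""
    hits = find_tracking_headers(headers)
    if not hits:
        return "no known carrier tracking headers seen"
    return "; ".join(f"{TRACKING_HEADERS[k]} ({k}): {v}" for k, v in sorted(hits.items()))

class HeaderEcho(BaseHTTPRequestHandler):
    """Echo all request headers back as JSON together with the verdict.
    Host it outside the carrier network and fetch it over cellular data with
    Wi-Fi and VPN off, over http:// rather than https://."""
    def do_GET(self):
        body = json.dumps({"headers": dict(self.headers.items()),
                           "verdict": describe(self.headers)}, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    print(describe(SAMPLE_REQUEST_HEADERS))
    HTTPServer(("0.0.0.0", 8080), HeaderEcho).serve_forever()  # port is an assumption
```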
There is a way to spoil it - a Firefox plugin called TrackMeNot automatically takes random phrases from the NY Times web site and others and searches for them on Google, Bing, and others, thereby filling the search engines' data with random crap. I am sure it wouldn't be hard for someone to come up with a plugin that goes to random web sites and clicks around a little to fill the Verizon ad caches with garbage.
Someone could make a plugin to do this. The Firefox plugin TrackMeNot issues random search queries to search engines to spoil their profiling. A couple of random web sites visited per hour and a few clicks to simulate someone browsing would poison their ad cache.