Slashdot Mirror

← Back to Stories (view on slashdot.org)

Verizon Injects Unique IDs Into HTTP Traffic

Posted by Soulskill on from the doing-the-wrong-thing-badly dept.

An anonymous reader writes: Verizon Wireless, the nation's largest wireless carrier, is now also a real-time data broker. According to a security researcher at Stanford, Big Red has been adding a unique identifier to web traffic. The purpose of the identifier is advertisement targeting, which is bad enough. But the design of the system also functions as a 'supercookie' for any website that a subscriber visits. "Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required. ...while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user." Just like they said they would.

8 of 206 comments (clear)

  1. Free market? by NotInHere · · Score: 4, Insightful

    They should offer this to the user as an option, where the user has to pay less when tracking is enabled. Otherwise this is abuse of market power to make users agree to being tracked.

    1. Re:Free market? by Anonymous Coward · · Score: 4, Insightful

      I think the free market solution would simply be having enough ISPs so that if one pulls stuff like this you can just switch to another. Some sort of "competition". I suggest we find out why there is only one fast ISP per area, and fix that problem.

    2. Re:Free market? by Charliemopps · · Score: 4, Insightful

      They should offer this to the user as an option, where the user has to pay less when tracking is enabled. Otherwise this is abuse of market power to make users agree to being tracked.

      No because they'll quickly value this service at $50 a month to force you into it.

      They should not be altering my HTTP requests. It's wiretapping, plane and simple.

  2. HTTPS Everywhere by watermark · · Score: 4, Insightful

    They can't inject into secure traffic. HTTPS solves this problem too.

    1. Re:HTTPS Everywhere by cbhacking · · Score: 4, Insightful

      Slashdot actually supports HTTPS just fine. They simply redirect you back to HTTP immediately! Try it yourself: https://slashdot.org/ - 302, Location: http://slashdot.org/index2.pl - 302, Location: http://slashdot.org/

      I wish I was joking...

      --
      There's no place I could be, since I've found Serenity...
  3. Wonder if a chaff approach would help by chefmonkey · · Score: 5, Insightful

    I wonder... if we wrote addons for popular browsers that would inject bogus X-UIDH headers into every request, whether we could make this kind of inappropriate privacy intrusion prohibitively expensive. If it works as he surmises, maybe we can overwhelm Verizon's ad exchange platform with meaningless data.

  4. Re:Is there a way to prevent this? by whoever57 · · Score: 4, Insightful

    There has to be a way to prevent this

    As a sysadmin, you should know that it is easy and cheap to rent a VPS (Virtual Private Server). Then, run squid on the server, or do some fancy routing to send all your web traffic out via a VPN to your VPS. Since most VPS services offer a minimum of 1TB of monthy data, there should not be any excess data usage charges.

    --
    The real "Libtards" are the Libertarians!
  5. Not all web sites offer HTTPS by tepples · · Score: 4, Insightful

    And lose access to several websites. Slashdot, for example, redirects HTTPS hits to HTTP for non-subscribers because ad networks have been slow to implement HTTPS. And a lot of shared web hosts don't support HTTPS because their policies haven't been updated in the six months since the last major Server Name Indication-ignorant desktop web browser (IE on Windows XP) reached end of support in April. But HTTPS support is the second biggest reason I stopped going to TV Tropes in favor of All The Tropes (after licensing).