Slashdot Mirror

← Back to Stories (view on slashdot.org)

Verizon Injects Unique IDs Into HTTP Traffic

Posted by Soulskill on from the doing-the-wrong-thing-badly dept.

An anonymous reader writes: Verizon Wireless, the nation's largest wireless carrier, is now also a real-time data broker. According to a security researcher at Stanford, Big Red has been adding a unique identifier to web traffic. The purpose of the identifier is advertisement targeting, which is bad enough. But the design of the system also functions as a 'supercookie' for any website that a subscriber visits. "Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required. ...while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user." Just like they said they would.

10 of 206 comments (clear)

  1. Is there a way to prevent this? by Anonymous Coward · · Score: 5, Interesting

    This should be illegal. People have a right to try and avoid being tracked. There has to be a way to prevent this. I'm a sysadmin, not a network guru, so I will defer to those smarter than me here...

    1. Re:Is there a way to prevent this? by Anonymous Coward · · Score: 2, Interesting

      third party VPN paid for by a cash card

    2. Re: Is there a way to prevent this? by Anonymous Coward · · Score: 3, Interesting

      Or just browse https only

    3. Re: Is there a way to prevent this? by Anonymous Coward · · Score: 3, Interesting

      To be honest, I don't think this does anything. I think a VPN might be the only current way to avoid this, as your traffic in a VPN tunnel is theoretically not seen by the routers that pass it. I'm not sure if deep packet inspection tools could add the unique ID. I'm not a network engineer, so I don't know for sure. I do know that VPNs of today are rapidly becoming easier to circumvent by those who would do so.

    4. Re:Is there a way to prevent this? by Anonymous Coward · · Score: 4, Interesting

      Unacceptable. Verizon licensed the spectrum from citizens, and therefore has certain obligations.

      This is what should occur. Make use of any spectrum contingent upon a series of consumer friendly policies. Failure to comply requires turning the spectrum and any technology that uses it or assists in its use over to auction. Then establish a rule that prohibits anyone over a pay grade access to any industry that uses spectrum for a predetermined duration.

      If you set the concequesnces high enough than ideas like this get shot down in the board room.

  2. Re:which Verizon services by watermark · · Score: 3, Interesting

    I'm on fios and just checked headers, nothing like this (yet).

  3. Could be worse by pushing-robot · · Score: 1, Interesting

    My router injects a unique identifier into every packet it sends. The manufacturer claims they can't turn it off. Yeah, probably under pressure from the government. But I'm building my own open source router that blanks out everything—MAC, IP, you name it. I'll be invisible to everyone. Take that, Orwellian bastards!

    --
    How can I believe you when you tell me what I don't want to hear?
  4. Re:Wonder if a chaff approach would help by cbhacking · · Score: 3, Interesting

    This plan. I like this plan! Put a random value in the header on every request. If you're not on Verizon, it'll look like you are (but as a different person every time). If you *are* on Verizon, you may just confuse the software that is adding those headers, or that is logging them. Poison their tracking data with meaningless garbage, and make it *cost* Verizon money to try and track us.

    Well, that and use HTTPS everywhere possible, of course. But that requires that the sites you use allow people to do so (*AHEM* Slashdot, looking at you...)

    Oh, and don't use Verizon. That's the best way to hit them in the pocketbook, by far. I like the idea of sending the header even when you don't use Verizon though, as a general-purpose "fuck you!" to them.

    --
    There's no place I could be, since I've found Serenity...
  5. Re:HTTPS Everywhere by TheGratefulNet · · Score: 3, Interesting

    quite a valid point!

    just like you can NEVER trust a windows (or mac or even linux box) that was not setup by you, especially if its a corporate box that was given to you pre-installed.

    almost every company of mid-size or larger preinstalled MitM certs for their spying firewalls. they don't tell employees that, but netadmins and sysadmins pretty much all know this.

    I work at a large networking company and they didn't tell me WHAT they do or HOW they'd spy on me, but I found out via a friend (in germany) exactly what they are doing. in .de, you have to disclose to the employees a lot more than the US requires you to do, and he relayed the info to me about how our corp laptops come preinstalled with corp spyware. ability to active mic, camera, screen caps, all that bullshit in addition to traffic logging.

    I'm a network mgmt guy and when I was out interviewing for jobs (the last few years) almost all of them involved DPI and MitM attacks, even though they tried to explain it away as 'troubleshooting information' and 'for the users benefit'. quite bullshitty but they said it with a straight face, like they believe their own BS.

    you guys have to start realizing that corp america is all about privacy invasion; of customers and employees, alike. if you have a corp laptop, do NOT login to your home email systems and keep your work laptops entirely clean of anything personal and home related. yeah, even if you see the lock icon on the browser, it means nothing anymore, in a corp LAN.

    --

    --
    "It is now safe to switch off your computer."
  6. Re:Wonder if a chaff approach would help by Mr.+Sanity · · Score: 3, Interesting

    Since they're the ones adding the header, the client setting the header is futile. Verizon's version will clobber it.

    However, if you happen to run some intermediary servers that handle traffic once a backbone layer is crossed, then you can clobber their value.