Slashdot Mirror


Verizon Injects Unique IDs Into HTTP Traffic

An anonymous reader writes: Verizon Wireless, the nation's largest wireless carrier, is now also a real-time data broker. According to a security researcher at Stanford, Big Red has been adding a unique identifier to web traffic. The purpose of the identifier is advertisement targeting, which is bad enough. But the design of the system also functions as a 'supercookie' for any website that a subscriber visits. "Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required. ...while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user." Just like they said they would.

28 of 206 comments

  1. Is there a way to prevent this? by Anonymous Coward · · Score: 5, Interesting

    This should be illegal. People have a right to try and avoid being tracked. There has to be a way to prevent this. I'm a sysadmin, not a network guru, so I will defer to those smarter than me here...

    1. Re: Is there a way to prevent this? by Anonymous Coward · · Score: 3, Interesting

      Or just browse https only

    2. Re: Is there a way to prevent this? by Anonymous Coward · · Score: 3, Interesting

      To be honest, I don't think this does anything. I think a VPN might be the only current way to avoid this, as your traffic in a VPN tunnel is theoretically not seen by the routers that pass it. I'm not sure if deep packet inspection tools could add the unique ID. I'm not a network engineer, so I don't know for sure. I do know that VPNs of today are rapidly becoming easier to circumvent by those who would do so.

    3. Re:Is there a way to prevent this? by Charliemopps · · Score: 3, Informative

      Don't use Verizon as your ISP?

      Personally, I use Verizon and have no other choice for a wireless provider. AT&T has plans to build another tower here in 2021, and it's not like they're the champions of my privacy either.

    4. Re:Is there a way to prevent this? by Anonymous Coward · · Score: 4, Interesting

      Unacceptable. Verizon licensed the spectrum from citizens, and therefore has certain obligations.

      This is what should occur. Make use of any spectrum contingent upon a series of consumer friendly policies. Failure to comply requires turning the spectrum and any technology that uses it or assists in its use over to auction. Then establish a rule that prohibits anyone over a pay grade access to any industry that uses spectrum for a predetermined duration.

      If you set the consequences high enough, then ideas like this get shot down in the board room.

    5. Re:Is there a way to prevent this? by whoever57 · · Score: 4, Insightful

      There has to be a way to prevent this

      As a sysadmin, you should know that it is easy and cheap to rent a VPS (Virtual Private Server). Then, run squid on the server, or do some fancy routing to send all your web traffic out via a VPN to your VPS. Since most VPS services offer a minimum of 1TB of monthly data, there should not be any excess data usage charges.

      --
      The real "Libtards" are the Libertarians!
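The proxy-on-a-VPS setup above has one sharp edge: a squid instance reachable from the whole internet is an open proxy within hours. The fragment below is an added example, not part of the comment, showing the minimum a practitioner would put in squid.conf for that role. It assumes the VPN hands clients addresses in 10.8.0.0/24 (an assumption; use your tunnel's subnet) and that squid listens on the default port 3128. The header-stripping lines are defence in depth: traffic inside the VPN tunnel is opaque to the carrier, so nothing should be injected, but if a request carrying X-UIDH or X-VF-ACR ever reaches the proxy it will not be forwarded.

```conf
# squid.conf fragment for a personal forward proxy on a VPS.
# Only the VPN tunnel subnet may use it; everything else is refused.
http_port 3128

acl vpn_clients src 10.8.0.0/24
http_access allow vpn_clients
# Never run an open proxy: deny everyone not matched above.
http_access deny all

# Do not advertise the proxy or leak the client's tunnel address upstream.
via off
forwarded_for delete

# Defence in depth: drop carrier tracking headers if they reach the proxy.
request_header_access X-UIDH deny all
request_header_access X-VF-ACR deny all
```

Test the ACLs from a host outside the tunnel before relying on this: a request from the public internet should be refused with squid's access-denied page rather than proxied.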
    6. Re: Is there a way to prevent this? by Anonymous Coward · · Score: 3, Informative

      TLS from end to end ...

    7. Re:Is there a way to prevent this? by DamnOregonian · · Score: 3, Insightful

      Not just sexual harassment. It's safer for a supermodel to walk down MLK in your favorite large city naked than a homely woman to walk from one end of Fort Hood to the other, wearing ACUs after dark.
      When soldiering becomes less of a duty and more of a way to delay starting out your life of dismal poverty, you start making the wrong kind of army.

  2. Maybe the FCC... by Anonymous Coward · · Score: 3, Funny

    Will tell them to go fuck themselves on this, and make them stop...

  3. Free market? by NotInHere · · Score: 4, Insightful

    They should offer this to the user as an option, where the user has to pay less when tracking is enabled. Otherwise this is abuse of market power to make users agree to being tracked.

    1. Re:Free market? by fox171171 · · Score: 3, Insightful

      They should offer this to the user as an option, where the user has to pay less when tracking is enabled. Otherwise this is abuse of market power to make users agree to being tracked.

      Except it will be the other way around. Pay more to not be tracked.

    2. Re:Free market? by Anonymous Coward · · Score: 4, Insightful

      I think the free market solution would simply be having enough ISPs so that if one pulls stuff like this you can just switch to another. Some sort of "competition". I suggest we find out why there is only one fast ISP per area, and fix that problem.

    3. Re:Free market? by Charliemopps · · Score: 4, Insightful

      They should offer this to the user as an option, where the user has to pay less when tracking is enabled. Otherwise this is abuse of market power to make users agree to being tracked.

      No because they'll quickly value this service at $50 a month to force you into it.

      They should not be altering my HTTP requests. It's wiretapping, plain and simple.

  4. HTTPS Everywhere by watermark · · Score: 4, Insightful

    They can't inject into secure traffic. HTTPS solves this problem too.

    1. Re:HTTPS Everywhere by Charliemopps · · Score: 3, Insightful

      They can't inject into secure traffic. HTTPS solves this problem too.

      Good idea, I just need to figure out what the http address for slashdot is...

    2. Re:HTTPS Everywhere by cbhacking · · Score: 4, Insightful

      Slashdot actually supports HTTPS just fine. They simply redirect you back to HTTP immediately! Try it yourself: https://slashdot.org/ - 302, Location: http://slashdot.org/index2.pl - 302, Location: http://slashdot.org/

      I wish I was joking...

      --
      There's no place I could be, since I've found Serenity...
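A redirect chain like the one quoted above is easy to miss because browsers and most HTTP libraries follow Location headers silently. The script below is an added example, not from the comment or from Slashdot: it walks redirects one hop at a time and reports the hop at which an https request is bounced back to http, which is exactly the point where plaintext injection such as X-UIDH becomes possible again. The response table is constructed from the three hops quoted in the comment plus an invented loop.example case to exercise relative Location values and loop detection; the fetch_from_table stand-in and the max_hops limit are assumptions so that it runs offline.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed stand-in for live responses: url -> (status, Location header).
# The slashdot.org entries mirror the chain quoted in the comment above;
# the loop.example entries are invented to exercise relative Location
# values and redirect loops.
SAMPLE_RESPONSES = {
    "https://slashdot.org/": (302, "http://slashdot.org/index2.pl"),
    "http://slashdot.org/index2.pl": (302, "http://slashdot.org/"),
    "http://slashdot.org/": (200, None),
    "https://loop.example/a": (302, "/b"),
    "https://loop.example/b": (302, "/a"),
}


def fetch_from_table(url):
    """Look the URL up in the constructed table; unknown URLs are 404."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def walk_redirects(url, fetch=fetch_from_table, max_hops=10):
    """Follow Location headers manually, one hop at a time.

    Returns the hop list, the index of the first hop that dropped from
    https to http (None if none did), whether a loop was detected, and
    whether the final URL is plaintext http.  A real run would pass a
    fetch callable built on an HTTP client configured NOT to follow
    redirects itself.
    """
    hops = [url]
    downgrade_at = None
    looped = False
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            break
        nxt = urljoin(url, location)          # Location may be relative
        if (downgrade_at is None
                and urlsplit(url).scheme == "https"
                and urlsplit(nxt).scheme == "http"):
            downgrade_at = len(hops)          # index nxt will get in hops
        hops.append(nxt)
        if nxt in hops[:-1]:                  # already visited: a loop
            looped = True
            break
        url = nxt
    return {
        "hops": hops,
        "downgrade_at": downgrade_at,
        "looped": looped,
        "final_plaintext": urlsplit(hops[-1]).scheme == "http",
    }


if __name__ == "__main__":
    for start in ("https://slashdot.org/", "https://loop.example/a"):
        print(start, "->", walk_redirects(start))
```

For the quoted chain the walker reports the downgrade at hop 1 (the first http URL) and a plaintext final URL; a site that really supports HTTPS would show no downgrade and an https final URL.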
    3. Re:HTTPS Everywhere by TheGratefulNet · · Score: 3, Interesting

      quite a valid point!

      just like you can NEVER trust a windows (or mac or even linux box) that was not set up by you, especially if it's a corporate box that was given to you pre-installed.

      almost every company of mid-size or larger preinstalled MitM certs for their spying firewalls. they don't tell employees that, but netadmins and sysadmins pretty much all know this.

      I work at a large networking company and they didn't tell me WHAT they do or HOW they'd spy on me, but I found out via a friend (in germany) exactly what they are doing. in .de, you have to disclose to the employees a lot more than the US requires you to do, and he relayed the info to me about how our corp laptops come preinstalled with corp spyware. ability to activate mic, camera, screen caps, all that bullshit in addition to traffic logging.

      I'm a network mgmt guy and when I was out interviewing for jobs (the last few years) almost all of them involved DPI and MitM attacks, even though they tried to explain it away as 'troubleshooting information' and 'for the users benefit'. quite bullshitty but they said it with a straight face, like they believe their own BS.

      you guys have to start realizing that corp america is all about privacy invasion; of customers and employees, alike. if you have a corp laptop, do NOT login to your home email systems and keep your work laptops entirely clean of anything personal and home related. yeah, even if you see the lock icon on the browser, it means nothing anymore, in a corp LAN.

      --
      "It is now safe to switch off your computer."
  5. Re:which Verizon services by watermark · · Score: 3, Interesting

    I'm on fios and just checked headers, nothing like this (yet).

  6. Wonder if a chaff approach would help by chefmonkey · · Score: 5, Insightful

    I wonder... if we wrote addons for popular browsers that would inject bogus X-UIDH headers into every request, whether we could make this kind of inappropriate privacy intrusion prohibitively expensive. If it works as he surmises, maybe we can overwhelm Verizon's ad exchange platform with meaningless data.

    1. Re:Wonder if a chaff approach would help by cbhacking · · Score: 3, Interesting

      This plan. I like this plan! Put a random value in the header on every request. If you're not on Verizon, it'll look like you are (but as a different person every time). If you *are* on Verizon, you may just confuse the software that is adding those headers, or that is logging them. Poison their tracking data with meaningless garbage, and make it *cost* Verizon money to try and track us.

      Well, that and use HTTPS everywhere possible, of course. But that requires that the sites you use allow people to do so (*AHEM* Slashdot, looking at you...)

      Oh, and don't use Verizon. That's the best way to hit them in the pocketbook, by far. I like the idea of sending the header even when you don't use Verizon though, as a general-purpose "fuck you!" to them.

      --
      There's no place I could be, since I've found Serenity...
    2. Re:Wonder if a chaff approach would help by Mr.+Sanity · · Score: 3, Interesting

      Since they're the ones adding the header, the client setting the header is futile. Verizon's version will clobber it.

      However, if you happen to run some intermediary servers that handle traffic once a backbone layer is crossed, then you can clobber their value.

  7. Filthy Ingrates by rogoshen1 · · Score: 5, Funny

    God, it's like you people don't even appreciate the value added service they are *GIVING* away here. Who wouldn't want to see more perfectly tailored and targeted ads -- some of which even include *VIDEO* again, completely for free.

    You have to pay for cable right? The same thing applies, you're getting the service you paid for (TV shows, home shopping channels) with the added bonus of free to view advertisements.

    In both cases they're simply giving away high quality, hopefully relevant audio and video. I think that's super generous of them.

    And for no charge! And yet, you people still bitch. Absolutely shameful.

  8. Hello Vodafone by wabrandsma · · Score: 5, Informative
    From: Using Browser Properties for Fingerprinting Purposes.

    Vodafone injects the X-VF-ACR header: 'Vodafone Anonymous Customer Recognition'. It is unclear what this header exactly does; all headers that have been seen start with the string "204004DYNMVFNLACR", followed by 16 X's, and are followed by a BASE64-encoded 256-byte ciphertext, which we were unable to decrypt. It has been suggested that this string might contain the SIM-card identifier (IMSI) or other personal information, as was found in research conducted by Mulliner in 2010 [14]. Vodafone did not respond to requests to explain this header. Nevertheless, the presence of this header certainly identifies customers of Vodafone as being customers of Vodafone.
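Several comments in this thread boil down to the same check: look at the request headers a server actually receives and see whether a carrier put a tracking identifier in them (the centralops.net check in comment 11, the chaff idea and the "Verizon will clobber it" objection in thread 6, and the X-VF-ACR layout quoted just above). The module below is an added example, not code from the story, from the quoted paper or from either carrier: a small request-head parser that keeps repeated header names in order, so an appended header is distinguishable from an overwritten one, plus a structural check of X-VF-ACR against the layout described above (fixed prefix, sixteen X's taken literally, then base64 of 256 bytes; treating the X's as a literal string is an assumption). The sample requests are constructed, not captured traffic, and the token values are placeholders.

```python
import base64
import binascii
from collections import defaultdict

# Headers reported as carrier-injected into plaintext HTTP: X-UIDH by
# Verizon (the story) and X-VF-ACR by Vodafone (the quote above).
CARRIER_TRACKING_HEADERS = ("x-uidh", "x-vf-acr")

# X-VF-ACR layout as described above: fixed prefix, sixteen X's, then
# base64 of a 256-byte ciphertext.  Treating the X's as literal characters
# is an assumption made in this example.
VF_ACR_PREFIX = "204004DYNMVFNLACR" + "X" * 16
VF_ACR_CIPHERTEXT_LEN = 256


def parse_request_head(raw):
    """Parse an HTTP/1.1 request head into {lowercased name: [values, ...]}.

    Repeated names are kept in order: that is how you tell a header the
    middlebox appended from one it overwrote (the chaff discussion).
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = defaultdict(list)
    for line in lines[1:]:            # lines[0] is the request line
        if line == "":
            break                     # blank line ends the head
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def parse_vf_acr(value):
    """Check one X-VF-ACR value against the layout above."""
    if not value.startswith(VF_ACR_PREFIX):
        return {"valid": False, "reason": "unexpected prefix"}
    try:
        ciphertext = base64.b64decode(value[len(VF_ACR_PREFIX):], validate=True)
    except (binascii.Error, ValueError):
        return {"valid": False, "reason": "payload is not base64"}
    if len(ciphertext) != VF_ACR_CIPHERTEXT_LEN:
        return {"valid": False, "reason": f"ciphertext is {len(ciphertext)} bytes"}
    return {"valid": True, "reason": None, "ciphertext_len": len(ciphertext)}


def find_tracking_headers(raw):
    """Return one finding per carrier tracking header present in the request."""
    headers = parse_request_head(raw)
    findings = []
    for name in CARRIER_TRACKING_HEADERS:
        values = headers.get(name)
        if not values:
            continue
        finding = {"header": name, "values": values, "duplicated": len(values) > 1}
        if name == "x-vf-acr":
            finding["structure"] = [parse_vf_acr(v) for v in values]
        findings.append(finding)
    return findings


# Constructed sample requests (not captured traffic); token values are
# placeholders, only their presence and layout matter here.
SAMPLE_CLEAN = "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: test\r\n\r\n"
SAMPLE_VERIZON = (
    "GET / HTTP/1.1\r\nHost: example.com\r\n"
    "X-UIDH: CONSTRUCTED-CARRIER-TOKEN\r\n\r\n"
)
# Client-side chaff plus a middlebox that appended rather than overwrote.
SAMPLE_CHAFF = (
    "GET / HTTP/1.1\r\nHost: example.com\r\n"
    "X-UIDH: CONSTRUCTED-RANDOM-CHAFF\r\n"
    "X-UIDH: CONSTRUCTED-CARRIER-TOKEN\r\n\r\n"
)
SAMPLE_VODAFONE = (
    "GET / HTTP/1.1\r\nHost: example.com\r\n"
    "X-VF-ACR: " + VF_ACR_PREFIX
    + base64.b64encode(bytes(range(256))).decode("ascii") + "\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in [("clean", SAMPLE_CLEAN), ("verizon", SAMPLE_VERIZON),
                       ("chaff", SAMPLE_CHAFF), ("vodafone", SAMPLE_VODAFONE)]:
        print(label, find_tracking_headers(raw))
```

Feed it the raw request head from any echo endpoint you control while on the carrier's network, once over http and once over https: the tracking header should appear only in the plaintext request. If a chaff value you set on the client comes back as a second X-UIDH line, the middlebox appends; if only the carrier's value survives, it overwrites, which is the outcome the "clobber" comment predicts.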

  9. Telling The Story Backwards and Upside Down. by westlake · · Score: 3, Informative

    It's safer for a supermodel to walk down MLK in your favorite large city naked than a homely woman to walk from one end of Fort Hood to the other, wearing ACUs after dark. When soldiering becomes less of a duty and more of a way to delay starting out your life of dismal poverty, you start making the wrong kind of army.

    I have come to the conclusion that anything the geek says about women, rape or the military needs to be fact-checked.

    A cash-strapped female soldier told a Fort Hood hearing board Tuesday about how a noncommissioned sexual assault prevention officer on base forced her into a prostitution ring so she could buy groceries for her child.

    The private testified against Sgt. 1st Class Gregory McQueen during a proceeding similar to a grand jury hearing. McQueen could face some 21 criminal charges if he is slapped with a military court-martial.

    ''Basically, it was having sex with higher ranking officers for money," the woman told the board.

    The private, who was 20 and struggling as a single mother of a 3-year-old child at the time of the alleged prostitution, was granted immunity in return for her testimony. She told the board how McQueen snapped pics of her naked to distribute to potential clients. The two also had sex so McQueen could see how she would ''act out'' with clients.

    McQueen, who has since been relieved from his sexual assault prevention duties, faces charges of pandering, conspiracy, adultery and sexual assault.

    Another female private claims McQueen sexually assaulted her when he tried to recruit her into the military sex ring.

    That woman told investigators that McQueen ''preys on young females who are in bad financial situations and that he keeps their pictures on his cell phone,'' the Austin American-Statesman reported in December.

    Fort Hood sexual assault prevention officer ran on-base prostitution ring: witness [June 3, 2014]

    1. Re:Telling The Story Backwards and Upside Down. by DamnOregonian · · Score: 4, Informative

      I have a good friend there right now. There have been 2 attempts on her where she had to physically fight someone off of her, and the first 2 days of reception were sexual assault awareness classes where they're instructed to stay out of the dark and not go anywhere on-base that they're not familiar with or get into any cars they're not familiar with. No shit. On a US army base.

  10. Not all web sites offer HTTPS by tepples · · Score: 4, Insightful

    And lose access to several websites. Slashdot, for example, redirects HTTPS hits to HTTP for non-subscribers because ad networks have been slow to implement HTTPS. And a lot of shared web hosts don't support HTTPS because their policies haven't been updated in the six months since the last major Server Name Indication-ignorant desktop web browser (IE on Windows XP) reached end of support in April. But HTTPS support is the second biggest reason I stopped going to TV Tropes in favor of All The Tropes (after licensing).

  11. Re:which Verizon services by jbmartin6 · · Score: 3, Informative

    I just checked using http://centralops.net/co/ over my Verizon mobile phone and sure enough there is the X-UIDH header. Well, this cements my plan to switch carriers in a month when my contract expires. Any tips on moving to a pay-as-you-go plan that lets me keep my phone number?

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  12. Ads would be mixed content by tepples · · Score: 3, Insightful

    For all users other than subscribers and karma-capped users who have checked "Disable Advertising", Slashdot is funded by advertisements. Using an HTTP ad network from an HTTPS site would be blocked as mixed content, and HTTPS support among ad networks is very new. AdSense, for example, didn't support HTTPS until September of last year.