Verizon Injects Unique IDs Into HTTP Traffic

An anonymous reader writes: Verizon Wireless, the nation's largest wireless carrier, is now also a real-time data broker. According to a security researcher at Stanford, Big Red has been adding a unique identifier to web traffic. The purpose of the identifier is advertisement targeting, which is bad enough. But the design of the system also functions as a 'supercookie' for any website that a subscriber visits. "Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required. ...while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user." Just like they said they would.

Is there a way to prevent this?

This should be illegal. People have a right to try and avoid being tracked. There has to be a way to prevent this. I'm a sysadmin, not a network guru, so I will defer to those smarter than me here...

Re:Is there a way to prevent this?

Unacceptable. Verizon licensed the spectrum from citizens, and therefore has certain obligations.

This is what should occur. Make use of any spectrum contingent upon a series of consumer friendly policies. Failure to comply requires turning the spectrum and any technology that uses it or assists in its use over to auction. Then establish a rule that prohibits anyone over a pay grade access to any industry that uses spectrum for a predetermined duration.

If you set the concequesnces high enough than ideas like this get shot down in the board room.

Re:Is there a way to prevent this?

[whoever57]

There has to be a way to prevent this

As a sysadmin, you should know that it is easy and cheap to rent a VPS (Virtual Private Server). Then, run squid on the server, or do some fancy routing to send all your web traffic out via a VPN to your VPS. Since most VPS services offer a minimum of 1TB of monthy data, there should not be any excess data usage charges.

Free market?

[NotInHere]

They should offer this to the user as an option, where the user has to pay less when tracking is enabled. Otherwise this is abuse of market power to make users agree to being tracked.

Re:Free market?

I think the free market solution would simply be having enough ISPs so that if one pulls stuff like this you can just switch to another. Some sort of "competition". I suggest we find out why there is only one fast ISP per area, and fix that problem.

Re:Free market?

[Charliemopps]

They should offer this to the user as an option, where the user has to pay less when tracking is enabled. Otherwise this is abuse of market power to make users agree to being tracked.

No because they'll quickly value this service at $50 a month to force you into it.

They should not be altering my HTTP requests. It's wiretapping, plane and simple.

HTTPS Everywhere

[watermark]

They can't inject into secure traffic. HTTPS solves this problem too.

Re:HTTPS Everywhere

[cbhacking]

Slashdot actually supports HTTPS just fine. They simply redirect you back to HTTP immediately! Try it yourself: https://slashdot.org/ - 302, Location: http://slashdot.org/index2.pl - 302, Location: http://slashdot.org/

I wish I was joking...

Wonder if a chaff approach would help

[chefmonkey]

I wonder... if we wrote addons for popular browsers that would inject bogus X-UIDH headers into every request, whether we could make this kind of inappropriate privacy intrusion prohibitively expensive. If it works as he surmises, maybe we can overwhelm Verizon's ad exchange platform with meaningless data.

Filthy Ingrates

[rogoshen1]

God. it's like you people don't even appreciate the value added service they are *GIVING* away here. Who wouldn't want to see more perfectly tailored and targeted ads -- some of which even include *VIDEO* again, completely for free.

You have to pay for cable right? The same thing applies, you're getting the service you paid for (TV shows, home shopping channels) with the added bonus of free to view advertisements.

In both cases they're simply giving away high quality, hopefully relevant audio and video. I think that's super generous of them.

And for no charge! And yet, you people still bitch. Absolutely shameful.

Hello Vodafone

[wabrandsma]

From: Using Browser Properties for Fingerprinting Purposes.

Vodafone injects the X-VF-ACR header: 'Vodafone Anonymous Customer Recognition'. It is unclear what this header exactly does; all headers that have been seen start with the string "204004DYNMVFNLACR", followed by 16 X's, and are followed by a BASE64-encoded 256-byte cyphertext, which we were unable to decrypt. It has been suggested that this string might contain the SIM-card identifier (IMSI) or other personal information, as was found in a research conducted by Mulliner in 2010 [14]. Vodafone did not respond to requests of explaining this header. Nevertheless, the presence of this header, certainly identifies customers of Vodafone as being customers of Vodafone.

Re:Telling The Story Backwards and Upside Down.

[DamnOregonian]

I have a good friend there right now. There have been 2 attempts on her where she had to physically fight someone off of her, and the first 2 days of reception were sexual assault awareness classes where they're instructed to stay out of the dark and not go anywhere on-base that they're not familiar with or get into any cars they're not familiar with. No shit. On a US army base.

Not all web sites offer HTTPS

[tepples]

And lose access to several websites. Slashdot, for example, redirects HTTPS hits to HTTP for non-subscribers because ad networks have been slow to implement HTTPS. And a lot of shared web hosts don't support HTTPS because their policies haven't been updated in the six months since the last major Server Name Indication-ignorant desktop web browser (IE on Windows XP) reached end of support in April. But HTTPS support is the second biggest reason I stopped going to TV Tropes in favor of All The Tropes (after licensing).