Slashdot Mirror

← Back to Stories (view on slashdot.org)

Verizon Injects Unique IDs Into HTTP Traffic

Posted by Soulskill on from the doing-the-wrong-thing-badly dept.

An anonymous reader writes: Verizon Wireless, the nation's largest wireless carrier, is now also a real-time data broker. According to a security researcher at Stanford, Big Red has been adding a unique identifier to web traffic. The purpose of the identifier is advertisement targeting, which is bad enough. But the design of the system also functions as a 'supercookie' for any website that a subscriber visits. "Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required. ...while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user." Just like they said they would.

4 of 206 comments (clear)

  1. Is there a way to prevent this? by Anonymous Coward · · Score: 5, Interesting

    This should be illegal. People have a right to try and avoid being tracked. There has to be a way to prevent this. I'm a sysadmin, not a network guru, so I will defer to those smarter than me here...

  2. Wonder if a chaff approach would help by chefmonkey · · Score: 5, Insightful

    I wonder... if we wrote addons for popular browsers that would inject bogus X-UIDH headers into every request, whether we could make this kind of inappropriate privacy intrusion prohibitively expensive. If it works as he surmises, maybe we can overwhelm Verizon's ad exchange platform with meaningless data.

  3. Filthy Ingrates by rogoshen1 · · Score: 5, Funny

    God. it's like you people don't even appreciate the value added service they are *GIVING* away here. Who wouldn't want to see more perfectly tailored and targeted ads -- some of which even include *VIDEO* again, completely for free.

    You have to pay for cable right? The same thing applies, you're getting the service you paid for (TV shows, home shopping channels) with the added bonus of free to view advertisements.

    In both cases they're simply giving away high quality, hopefully relevant audio and video. I think that's super generous of them.

    And for no charge! And yet, you people still bitch. Absolutely shameful.

  4. Hello Vodafone by wabrandsma · · Score: 5, Informative
    From: Using Browser Properties for Fingerprinting Purposes.

    Vodafone injects the X-VF-ACR header: 'Vodafone Anonymous Customer Recognition'. It is unclear what this header exactly does; all headers that have been seen start with the string "204004DYNMVFNLACR", followed by 16 X's, and are followed by a BASE64-encoded 256-byte cyphertext, which we were unable to decrypt. It has been suggested that this string might contain the SIM-card identifier (IMSI) or other personal information, as was found in a research conducted by Mulliner in 2010 [14]. Vodafone did not respond to requests of explaining this header. Nevertheless, the presence of this header, certainly identifies customers of Vodafone as being customers of Vodafone.