EFF Hints At Lawsuit Against Verizon For Its Stealth Cookies
An anonymous reader writes: A few weeks ago I noted how security researchers had discovered that Verizon has been injecting a unique new 'stealth cookie' identifier into all user traffic that tracks user online behavior, even if the consumer opts out. Using a Unique Identifier Header, or UIDH, Verizon's ham-fisted system broadcasts your identity all across the web — and remains intact and open to third-party abuse — even if you opt out of Verizon's behavioral ad programs. Now the Electronic Frontier Foundation has filed a complaint with the FCC and has strongly indicated that they're considering legal action against Verizon for violating consumer privacy laws.
Here's the link to the actual EFF press release/post, not some random board post linking to it. https://www.eff.org/deeplinks/...
It's so cute when they think that laws apply to $BIG_CORPORATIONS
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
mmmm.... stealth cookies
Like STDs - you give it to and get it from the ones you love.
Stealthy cookies visible by everyone. They should get sued for false advertising too.
Why don't ISPs simply focus on efficiently transferring packets and appropriately charging for the service? Are the profits generated by "stealth cookies" or "deep packet analysis" enough to pay for the engineering and hardware cost of these "features"?
Doesn't work.
Test here on mobile connection:
http://www.amibeingtracked.com
Instead of having a defeatist attitude or wailing about it on some news site, please consider doing something not totally useless. Donate to the EFF.
It's surprising more people don't do this. 205.234.28.93 is easily remembered and just rolls off the tip of your tongue.
If Verizon is fiddling with the packets going back & forth, does it not lose its 'data carrier' status and become one with the end user? So: if Disney/... sues an end user for downloading its latest film, then Verizon should be part of the lawsuit as well and liable to pay Disney for the "theft of its IP".
Verizon cannot have it both ways: it either copies bytes and the user is 100% responsible, or it fiddles with them and so is aware of the content and is thus vicariously liable for any wrongdoing.
At least it's not an IPv6 address.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Just reading through the EFF page on this and it sounds like they got a patent on setting a header to track... Wow. That just sounds, ... , I don't know, but :(
Hmm, the humour and sarcasm seem to have been lost on you.
Considering how many people get screwed over by big corporations (oil companies, telecoms, etc.), I'm a little surprised we don't see more examples of unstable victims attempting serious, premeditated harm on the company execs and/or facilities.
Even if it's just 1 in 10,000,000 people who are that unstable, these companies have a lot of victims.
Actually you have a point. Someone inside Verizon should leak the UIDs of various Verizon executives and let the mass log grepping commence! Let's see how many of them are cruising around the tranny section of Backpage while they're supposed to be in important business meetings.
While viewing stories in "0 Abbreviated and 0 Hidden" mode I noticed threads where the parent comment was missing but the replies are still there!
Censorship Soviet Union style (pre photoshop) http://en.wikipedia.org/wiki/C...
Why can't I claim copyright on my http requests, and deny them the ability to create a derivative work?
APK APK APK!
X-UIDH: Go suck an egg.
And if only a few people directed their web traffic through a simple proxy that rewrites the X-UIDH header, we could really screw with Verizon's plans.
Have gnu, will travel.
That's interesting. It asks me to disconnect my wi-fi before clicking the "opt out" button. As I'm not a networking sage, can someone explain why this would be necessary?
They sentenced me to twenty years of boredom
I tried this. They delete your header and replace it with a new one.
IANAL, but I think this violates wire tapping laws, copyright laws, and trespass of chattel laws. Under copyright and trespass of chattel laws you don't need to prove actual damages. If you can claim a "per incident" basis, the money could add up quickly.
It also looks like it violates their own terms of use and privacy policy pages.
What would be interesting is to use their arbitration clauses against them. They say that the arbitrator has all the powers of a court, so you should be able to ask for relief as both money and an injunction that they add this header to "your" connections. If the arbitrator cannot rule this way, then they lose their protection against class action suits.
You think they don't have some way of exempting themselves? If I were a gambling person, which I'm not, I'd almost be willing to place bets that they do. Of course, I don't gamble, so I'll sit here and speculate. Nothing to lose.
I don't know what they have access to, but by disabling wifi, they see the traffic directly from the mobile device (which has a couple different IDs on the cellular system), and that's how they know (a) you're a Verizon customer, and (b) what device & account it is.
They'll fight for freedom,
wherever there's trouble,
EFF is there!
EFF! A Real Internet Hero...
~Knowledge is knowing that a tomato is a fruit, but Wisdom is knowing not to put it in a fruit salad.
Fines mean nothing to these companies. Demand they cease this immediately or the executives go to jail.
Doesn't this qualify as a wiretap: reading, processing, and inserting extra information in someone else's data stream?
Intercepted electronic communications and all that. The criminal laws against this are quite strict....
Good to see somebody doing what ACLU used to do...
In Soviet Washington the swamp drains you.
That troll (apk) won't be forthcoming because hosts doesn't work on modern mobile devices.
Wouldn't a VPN on your mobile device block this?
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
Is this not an illegal man-in-the-middle intercept and hack of my data?
I created (via my web browser) the http header and request. My device sent that http header and request to another computer with whom I want to communicate. Someone (ATT, Verizon) intercepts my data, reads it, hacks it, and sends it along. How is this not completely illegal?
Wrong-O
Updating my hosts file is the first thing I do after I root.
http://adfree.bigtincan.com/ab...
Doesn't everyone run firmware on their router that supports VPN? Just download OpenVPN for Android and connect to your home router.
The code is encrypted and rotates every week. It can only be used by contracted partners of Verizon, and the contract contains a "no-advertising" clause. The EFF should spend money on something actually important.
Life, the Universe, and Everything... in my image.
Does the squid3 web proxy violate wire tapping, copyright, privacy and chattel laws by inserting X-Forwarded-For: in its default configuration? The EFF had better sue the squid project too! I bet you'd shit your pants once mobile IPv6 becomes common. Your phone will have a static IPv6 address. I'm just waiting for the bitching and moaning on all the tech websites when that happens. Do you whine about the IP address of your wired broadband connection never changing? The so-called Verizon "Supercookie" is really no different from a fixed IP address or the X-Forwarded-For: header. Their web proxies were never intended to be an anonymizing service. They have every right to place a unique identifier on all outgoing web requests.
What happens if you send your own X-UIDH header? Does Verizon add a second header, replace the one you sent, or leave it alone? Can anyone on Verizon's network test this? I imagine that they probably ignore what headers are already being sent and simply add an additional one, as that would be the least work for them, but if they abstain from adding an X-UIDH header when one is already present then one could use this to re-anonymise your connection.
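The test asked about above, as an added example that is not part of the original thread: an echo endpoint returns every X-UIDH value that reaches it, and `classify` names the outcome (added, replaced, appended, left alone). The marker value, the function names and the outcome labels are assumptions made for illustration; the loopback run is only a baseline, since a carrier can alter the header only on plain HTTP crossing its network.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "client-marker-0001"  # constructed value, not a real UIDH
# Bypass any proxy from the environment so it cannot touch the header.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class EchoUIDH(BaseHTTPRequestHandler):
    """Hypothetical echo endpoint: returns every X-UIDH value received."""

    def do_GET(self):
        # get_all keeps duplicates, so an appended second header shows up.
        body = json.dumps(self.headers.get_all("X-UIDH") or []).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def classify(sent, received):
    """Name what happened between the client and the server."""
    if not received:
        return "stripped" if sent else "absent"
    if sent is None:
        return "injected"
    if received == [sent]:
        return "unchanged"
    return "appended" if sent in received else "replaced"


def probe(url, sent=MARKER):
    """Send one plain-HTTP request and classify what arrived."""
    req = urllib.request.Request(url, headers={"X-UIDH": sent} if sent else {})
    with OPENER.open(req, timeout=5) as resp:
        return classify(sent, json.load(resp))


def loopback_demo():
    """Baseline on 127.0.0.1, where nothing sits in the path."""
    server = HTTPServer(("127.0.0.1", 0), EchoUIDH)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(f"http://127.0.0.1:{server.server_port}/")
    finally:
        server.shutdown()
        server.server_close()
```

Hosting `EchoUIDH` on a server you control and calling `probe` from the mobile connection, once with the marker and once with `sent=None`, separates the three behaviours the comment asks about.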
I was happy to see that the EFF blog had a paragraph that mentioned this also affects MVNOs that use Verizon. They called out Straightalk, but I'm on PagePlus. I've verified that my mobile web access also includes the UIDH. I'm pretty sure that PagePlus has never mentioned this, provides no sort of opt-out (and I can't even use the lame Verizon opt-out page, since I'm not their customer).
I'm not sure if that's a genuine page or just set up to satisfy some regulatory requirement. I am on AT&T cellular and not connected to Wifi, but it still keeps giving me bs that I'm connected to Wifi, and asks me to disconnect and refresh.
I'm much more funny, interesting and insightful than the moderators think
This is how to modify a hosts file on ANDROID using ADB -> http://yro.slashdot.org/commen... & yes, I've done it before (very easy).
* Too bad EETech1 already told you off on this showing how WRONG YOU ARE (fool) here http://yro.slashdot.org/commen... before I did (but I did show others how to do that per that 1st link above, LONG ago already))
Obviously, you're posting by AC to be able to downmoderate me - too bad I only prove, yet again, that giving morons like yourself moderation points is stupid... like you.
(LOL - The "best you got" was vainly & effetely *trying* to "hide" that fact by downmoderating my last post showing what a complete STOOGE you are, here -> http://yro.slashdot.org/commen...
APK
P.S.=> Android Debugging Bridge & its pull/push commands do the job for transferring a modified custom hosts file to ANDROID phones that use hosts files... apk
I agree that you are a jackass. Law is not simplistic. It is not the changing of a header. It is the changing of a header AND doing so not as a part of a routine network management function. If your service provider runs NAT and gives you a private address, then their NAT functions re-write the IP addresses in the headers. With FTP, they can even watch the stream and re-write the port numbers in the stream. This is a necessary part of network management so their policies let them do this.
Verizon has no AND to fall back on. This new header in no way enhances the operation of their network. If anything it degrades their network by increasing the processing involved and increasing the amount of traffic involved (I wonder if I get billed for their extra bytes?). Their method is not a part of standard internet engineering. There is no RFC for this.
Verizon is doing this to profit, and is also putting its users at risk. There is no benefit to the user at all.
Verizon also has a terms of use and privacy policy. This type of action is not allowed or disclosed anywhere in these two documents.
In terms of what happens with IPv6, this is up to the user and the network. When I start using IPv6 at home, I can easily set up my router to still run NAT. NAT still works on IPv6. Wireless carriers can keep addresses constant, but they don't have to. I expect my IP address to move when I move between cell regions. This is the technology at work. IPv6 addresses don't require a device to have a static address. In fact, your phone on a static address is impossible. Do you expect to update the router tables worldwide every time you connect to a wifi hot-spot?
What Verizon is doing is technically dangerous. It was not announced. They did not ask their customers for their permission, even though their policies state that they must. They are modifying traffic for no engineering reason. Their actions can cause me real damages. To put it bluntly, in terms of this action, they are EVIL. This does not mean that they do not provide good service. They have just gone one step too far and myself, and probably thousands of others, will demand that they walk this step back.