Slashdot Mirror

← Back to Stories (view on slashdot.org)

EFF Hints At Lawsuit Against Verizon For Its Stealth Cookies

Posted by timothy on from the as-well-they-might dept.

An anonymous reader writes A few weeks ago I noted how security researchers had discovered that Verizon has been injecting a unique new 'stealth cookie' identifier into all user traffic that tracks user online behavior, even if the consumer opts out. Using a unique Identifier Header, or UIDH, Verizon's ham-fisted system broadcasts your identity all across the web — and remains intact and open to third-party abuse — even if you opt-out of Verizon's behavioral ad programs. Now the Electronic Frontier Foundation has filed a complaint with the FCC and has strongly indicated that they're considering legal action against Verizon for violating consumer privacy laws.

53 of 81 comments (clear)

  1. how about lets give a good link by Kazman20 · · Score: 5, Informative

    here's the link to the actual EFF press release/post, not some random board post linking to it. https://www.eff.org/deeplinks/...

  2. It's so cute... by sconeu · · Score: 4, Funny

    It's so cute when they think that laws apply to $BIG_CORPORATIONS

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:It's so cute... by Anonymous Coward · · Score: 5, Insightful

      It's doubly cute when they've done it before and won. :)

    2. Re:It's so cute... by LessThanObvious · · Score: 4, Insightful

      The EFF doesn't mess around, good for them. I almost wish my Verizon phone did that tracking. I'd love to be included in that class action. I'd have to make a copy of the $10 check I'd get in two years so I could frame it. I pay Verizon well over a $100 a month. If they think they need to sell out their users privacy on top of that revenue then screw them.

    3. Re:It's so cute... by cdrudge · · Score: 1

      And in the end, you'd just end up then paying Verizon well over $110 a month.

    4. Re:It's so cute... by fibonacci8 · · Score: 1

      For $25 worth of service.

      --
      Inheritance is the sincerest form of nepotism.
    5. Re:It's so cute... by Krojack · · Score: 1

      Like Verizon charging it's customers extra to be able to use the Hot-Spot on their phone...

    6. Re:It's so cute... by Krojack · · Score: 1

      I partly agree with that. I've played Ingress with a group of people before and we we travel around the non AT&T/Verizon users data would often go in and out. They ended up just needing to tether to one of our hotspots.

      The cheaper services in my area have many many dead zones.

  3. What Comes Around Goes Around, I'll Tell You Why by Anonymous Coward · · Score: 1

    Like STDs - you give it to and get it from the ones you love.

  4. Not so stealthy afterall by Anonymous Coward · · Score: 1

    Stealthy cookies visible by every one. They should get sued for false advertizing too.

  5. Why the complexity? by Anonymous Coward · · Score: 2, Insightful

    Why don't ISPs simply focus on efficiently transferring packets and appropriately charging for the service? Are the profits generated by "stealth cookies" or "deep packet analysis" enough to pay for the engineering and hardware cost of these "features"?

    1. Re:Why the complexity? by penguinoid · · Score: 2

      Why don't ISPs simply focus on efficiently transferring packets and appropriately charging for the service?

      More money to be made by doing it inefficiently and charging you an arm and a leg.

      Are the profits generated by "stealth cookies" or "deep packet analysis" enough to pay for the engineering and hardware cost of these "features"?

      Yes, it's almost pure profit. Except if it loses them customers. This is another reason why lack of competition is a bad idea.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  6. Donate by Delicious+Pun · · Score: 1

    Instead of having a defeatist attitude or wailing about it on some news site, please consider doing something not totally useless. Donate to the EFF.

    1. Re:Donate by bobbied · · Score: 1

      Why? Seems to me Verizon is getting ready to dump a lot of coin in their laps..

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:Donate by weilawei · · Score: 1

      Can we do both? Kvetching is a time-honored tradition on Slashdot, and it lets the other readers know that they're not alone in being pissed off. I'd say that it serves a valuable function in that regard, especially if it motivates others to take action, be it donating or spamming their favorite <insert-representative-here>.

      Okay, maybe not 'favorite'. I almost gagged while typing that.

  7. Re:AT&T doing same but here's the opt-out link by cheater512 · · Score: 4, Funny

    Its surprising more people don't do this. 205.234.28.93 is easily remembered and just rolls off the tip of your tongue.

  8. Not a simple carrier of bytes ? by Alain+Williams · · Score: 3, Interesting

    If Verison is fiddling with the packets going back & forth does it not lose its 'data carrier' status and become one with the end user ? So: if Disney/... sues an end user for downloading it's lastest film: then Verison should be part of the lawsuit as well and liable to pay Disney for the ''theft of its IP''.

    .Verison cannot have it both ways, it either copies bytes and the user is 100% responsible or it fiddles with them and so is aware of the content and is thus vicariously liable for any wrong doing.

    1. Re:Not a simple carrier of bytes ? by bobbied · · Score: 2

      Generally routers fiddle with packets all the time, usually not at the application layer though. Firewalls routinely do this as well as intrusion detection and protection systems.

      SO... I don't think Verizon is going to be liable for messing with your http packets. Not to mention that if you are downloading a Disney DVD, you are unlikely to be using http anyway, so Verizon isn't likely to do much to the torrent packets, assuming they even care.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:Not a simple carrier of bytes ? by sconeu · · Score: 2

      VZW is *not* a common carrier. They've fought tooth and nail against that.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    3. Re:Not a simple carrier of bytes ? by mrchaotica · · Score: 1

      Verison cannot have it both ways

      The lobbyists running the FCC say otherwise.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  9. Re:AT&T doing same but here's the opt-out link by bobbied · · Score: 2

    At least it's not an IPV6 address..

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  10. Wait, what? by canadiannomad · · Score: 5, Interesting

    Just reading through the EFF page on this and it sounds like they got a patent on setting a header to track... Wow. That just sounds, ... , I don't know, but :(

    --
    Hmm, the humour and sarcasm seem to have been be lost on you.
    1. Re:Wait, what? by Anonymous Coward · · Score: 1

      Having a patent to invade consumer privacy does not give the legal authority to break consumer privacy laws.

  11. Surprised no violences by DoofusOfDeath · · Score: 1

    Considering how many people get screwed over by big corporations (oil companies, telecoms, etc.), I'm a little surprised we don't see more examples of unstable victims attempting serious, premeditated harm on the company execs and/or facilities.

    Even if it's just 1 in 10,000,000 people who are that unstable, these companies have a lot of victims.

    1. Re:Surprised no violences by mi · · Score: 1

      Considering how many people get screwed over by big corporations [...] surprised we don't see more examples of unstable victims attempting serious, premeditated harm [...] these companies have a lot of victims

      Well, if your theory conflicts with the available facts, maybe, the theory is wrong? Maybe, the reason we don't see that much violence is that it is actually very few people, who are "screwed over" by big KKKorporations? (That's the proper spelling for a rant like yours, by the way.) I for one can't even imagine, how an "oil company" (your first example) could possibly screw me over... By selling diluted gasoline?

      And, though VZW's actions seem rather underhanded, it is nothing worth causing bodily harm to another human being...

      "My name is Doofus of Death and you injected tracking cookies into my browser's requests! Prepare to die!" — just does not have the right ring to it, sorry...

      --
      In Soviet Washington the swamp drains you.
    2. Re:Surprised no violences by swb · · Score: 2

      Well, Ted Kaczynski led something of an anti-corporate campagin. Groups like EarthFirst have done a fair amount of direct action against environmental exploitation.

      And workplace shootings aren't unheard of, although they tend to be driven more by personal rather than sociopolitical motivations. Although maybe you could make the argument that many of their grievenaces ultimately derive from soulless busines policies.

      But generally, there is little targeted violence against corporations or CEOs. About the only examples I can think of are historical -- the SLA kidnapped Patty Hearst, and the Red Army faction killed the head of Dresdner bank in a botched kidnapping, but there was something more politically motivated about these groups in a kind of Marxist-Lennist way than specific anti-corporate anger.

    3. Re:Surprised no violences by sjames · · Score: 1

      I suppose it's mostly that people who are violently insane enough to do something newsworthy and yet organized enough to choose a target and actually plan against it are rare.

      I do note that there are more businesses that put people behind heavy plexiglass than there used to be. It's either corporate paranoia or they actually have had increasing numbers of people jump over the desk and "register their dissatisfaction".

    4. Re:Surprised no violences by dbc · · Score: 1

      Definitely corporate paranoia. I've seen it in action. Company gets big enough that corporate security is a sizable organization. Security hires a couple of professional paranoids to do corporate level security planning. They identify various important people that need to be protected from threats -- they don't have to be actual threats yet, the planners are paid to be professional paranoids and plan for things that *might* happen. And since they can generalize from what has happened to similarly situated executives at other companies, it's hard to say they aren't doing their job correctly. Then you start seeing things like convenient drop-off/pick-up parking near the front door replaced with plazas and fountains so that truck bombs can't park in front of the headquarters lobby.

      In any large enough population of employees you will find loonies and criminals, despite the best hiring and interview practices. I even have personal experience -- an employee (a good one) was prescribed some reeeeeally not good for him medication by a well-meaning doctor. The employee became extremely erratic and I was glad for the security measures we had in place. We also got him to a different doctor. In any sufficiently large population, stuff happens -- sometimes quite unpredictably.

    5. Re:Surprised no violences by Prune · · Score: 1

      Kaczynski led an anti-technology campaign, not an anti-corporate one (source: his manifesto).

      --
      "Politicians and diapers must be changed often, and for the same reason."
    6. Re:Surprised no violences by swb · · Score: 1

      You're right For some reason I remember him targeting corporate executives but only the last two fatalities were corporate execs and most of his targets were University professors.

      The thread starter's comment is kind of intriguing, because I can't think of any ideology that's specifically anti-corporate without being part of some other, broader anti-capitalist or anti-technological ideology or philosophy.

      Maybe it will become some kind of emerging ideology, ultimately recycling anti-royalist ideas from the pre-20th century era.

  12. slashdot censorship Soviet Union stye! by Browzer · · Score: 4, Interesting

    While viewing stories in "0 Abbreviated and 0 Hidden" mode I noticed threads where the parent comment was missing but the replys are still there!

    Censorship Soviet Union style (pre photoshop) http://en.wikipedia.org/wiki/C...

  13. Copyright? by Anonymous Coward · · Score: 2, Interesting

    Why can't I claim copyright on my http requests, and deny them the ability to create a derivative work?

    1. Re:Copyright? by currently_awake · · Score: 2

      http headers are not art, they are generic templates devoid of artistic content. Your email, however, is most certainly copyrighted and the NSA owes you royalties for their duplication.

  14. So, what happens ... by PPH · · Score: 3, Interesting

    ... if my web browser already uses the X-UIDH header label? If Verizon monkeys with it, they could be breaking some app. And get charged with tampering. Never mind that I just set it to:

    X-UIDH: Go suck an egg.

    And if only a few people directed their web traffic through a simple proxy that rewrites the X-UIDH header, we could really screw with Verizon's plans.

    --
    Have gnu, will travel.
    1. Re:So, what happens ... by BitZtream · · Score: 1

      Good for you, you created your own unique ID that can be used to track you just as effectively as the one they use themselves. What were you trying to accomplish?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:So, what happens ... by PPH · · Score: 1

      You missed part 2 of my comment. Where the user changes the header value at their discretion.

      --
      Have gnu, will travel.
  15. Re:AT&T doing same but here's the opt-out link by dwywit · · Score: 1

    That's interesting. It asks me to disconnect my wi-fi before clicking the "opt out" button. As I'm not a networking sage, can someone explain why this would be necessary?

    --
    They sentenced me to twenty years of boredom
  16. So, what happens ... by Anonymous Coward · · Score: 5, Interesting

    I tried this. They delete your header and replace it with a new one.

    IANAL, but I think this violates wire tapping laws, copyright laws, and trespass of chattel laws. Under copyright and trespass of chattel laws you don't need to prove actual damages. If you can claim a "per incident" bases, the money could add up quickly.

    It also looks like it violates their own terms of use and privacy policy pages.

    What would be interesting is to use their arbitration clauses against them. They say that the arbitrator has all the powers of a court, so you should be able to ask for relief as both money and an injunction that they add this header to "your" connections. If the arbitrator cannot rule this way, then they lose their protection against class action suits.

  17. Re:AT&T doing same but here's the opt-out link by 3dr · · Score: 2

    I don't know what they have access to, but by disabling wifi, they see the traffic directly from the mobile device (which has a couple different IDs on the cellular system), and that's how they know (a) you're a verizon customer, and (b) what device & account it is.

  18. Cue the music... by vomitology · · Score: 2

    They'll fight for freedom,
    wherever there's trouble,
    EFF is there!


    EFF! A Real Internet Hero...

    --
    ~Knowledge is knowing that a tomato is a fruit, but Wisdom is knowing not to put it in a fruit salad.
  19. FCC, mandate them to stop immediately by Anonymous Coward · · Score: 1

    Fines mean nothing to these companies. Demand they cease this immediately or the executives go to jail.

  20. EFF -- picking ACLU's ball and running by mi · · Score: 3

    Good to see somebody doing, what ACLU used to do...

    --
    In Soviet Washington the swamp drains you.
    1. Re:EFF -- picking ACLU's ball and running by Insightfill · · Score: 2

      Good to see somebody doing, what ACLU used to do...

      Generally, the ACLU does in meat-space what the EFF does in cyberspace. They have similar general goals, but the ACLU generally doesn't do as much of the computer stuff. Their current list seems to involve plenty of LGBT issues right now, for example, but these are active court cases.

      Many times you don't hear about either organization as much because they get a lot of it sorted out via quick letters, especially at the smaller-scale level. A good letter from EFF or ACLU to a school district or county board, for example, usually never gets to a court level.

      Sometimes they even work together, such as this Tennessee story.

    2. Re:EFF -- picking ACLU's ball and running by mi · · Score: 1

      Generally, the ACLU does in meat-space what the EFF does in cyberspace.

      BS. Once, a decade ago, I donated enough to ACLU to warrant sending me a membership card. Still have it somewhere. Guess what? 2 weeks later an invitation to subscribe to a disgusting far-left magazine showed up, sent to the same "tagged" address as what I gave the ACLU. It had a picture of the then-President in shackles on it — showing today's President that way would've been a national scandal.

      Do you suppose, the USSR or Cuba, that American Left love some much, were any better on LGBT rights, than the US is today?

      Having aligned themselves so solidly with the Left — and outright communists among them — indeed, having concentrated on the nonsense like "LGBT rights", they've lost the hearts and minds of the rest of us...

      --
      In Soviet Washington the swamp drains you.
    3. Re:EFF -- picking ACLU's ball and running by Cyberax · · Score: 1

      It had a picture of the then-President in shackles on it — showing today's President that way would've been a national scandal.

      A pity Bush wasn't prosecuted for his role in torture of prisoners. And seriously, I've seen pictures of Obama photoshopped as a monkey, Obama holding a banana, Obama in a prison cell and so on. No scandals so far.

  21. VPN to the rescue? by scorp1us · · Score: 1

    Wouldn't a VPN on your mobile device block this?

    --
    Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
  22. What about intercepting and hacking my data? by Kludge · · Score: 5, Interesting

    Is this not an illegal man-in-the-middle intercept and hack of my data?
    I created (via my web browser) the http header and request. My device sent that http header and request to another computer with whom I want to communicate. Someone (ATT, Verizon) intercept my data, read it, hack it, and send it along. How is this not completely illegal.

  23. Re:AT&T doing same but here's the opt-out link by EETech1 · · Score: 1

    Wrong-O

    Updating my hosts file is the first thing I do after I root.

    http://adfree.bigtincan.com/ab...

  24. Re:The code rotates randomly every week by Shados · · Score: 3, Insightful

    It still gives you a unique identifier (even if its encrypted, its deterministic enough to be used as an ID even if you can't decrypt it) that lets you uniquely identify a household for a period of time. Combined with other more legit tracking methods, you can do some deliciously evil things with it...

  25. Re:The code rotates randomly every week by Prune · · Score: 2

    Nice try with your misdirection from the actual issue there to a red herring one. The actual problems is that they're tampering with your data (and headers are data)--the sort of thing natural (non-corporate) persons have gone to jail for. It's not merely a case of them inserting an additional header; if your application sets the X-UIDH header, they actually remove it and substitute their own. Mods, please mod parent down for shameless shilling.

    --
    "Politicians and diapers must be changed often, and for the same reason."
  26. Science! by Barefoot+Monkey · · Score: 1

    What happens if you send your own X-UIDH header? Does Verizon add a second header, replace the one you sent, or leave it alone? Can anyone on Verizon's network test this? I imagine that they probably ignore what headers are already being sent and simply add an additional one, as that would be the least work for them, but if they abstain from adding a X-UIDH header when one is already present then one could use this to re-anonymise your connection.

  27. Re:The code rotates randomly every week by l0n3s0m3phr34k · · Score: 1, Insightful

    it actually reminds me of the Nazi's Enigma code. They also rotated every week, although eventually England managed to capture a code book...still, Verizon using Nazi ideas is not suprising lol

  28. Re:AT&T doing same but here's the opt-out link by wannabgeek · · Score: 1

    I'm not sure if that's a genuine page or just setup to satisfy some regulatory requirement. I am on AT&T cellular and not connected to Wifi, but it still keeps giving me bs that I'm connected to Wifi, and asks me to disconnect and refresh.

    --
    I'm much more funny, interesting and insightful than the moderators think