Slashdot Mirror


EFF Hints At Lawsuit Against Verizon For Its Stealth Cookies

An anonymous reader writes: A few weeks ago I noted how security researchers had discovered that Verizon has been injecting a unique new 'stealth cookie' identifier into all user traffic that tracks user online behavior, even if the consumer opts out. Using a unique Identifier Header, or UIDH, Verizon's ham-fisted system broadcasts your identity all across the web — and remains intact and open to third-party abuse — even if you opt out of Verizon's behavioral ad programs. Now the Electronic Frontier Foundation has filed a complaint with the FCC and has strongly indicated that they're considering legal action against Verizon for violating consumer privacy laws.


  1. how about let's give a good link by Kazman20 · · Score: 5, Informative

    here's the link to the actual EFF press release/post, not some random board post linking to it. https://www.eff.org/deeplinks/...

  2. It's so cute... by sconeu · · Score: 4, Funny

    It's so cute when they think that laws apply to $BIG_CORPORATIONS

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:It's so cute... by Anonymous Coward · · Score: 5, Insightful

      It's doubly cute when they've done it before and won. :)

    2. Re:It's so cute... by LessThanObvious · · Score: 4, Insightful

      The EFF doesn't mess around, good for them. I almost wish my Verizon phone did that tracking. I'd love to be included in that class action. I'd have to make a copy of the $10 check I'd get in two years so I could frame it. I pay Verizon well over $100 a month. If they think they need to sell out their users' privacy on top of that revenue then screw them.

  3. Why the complexity? by Anonymous Coward · · Score: 2, Insightful

    Why don't ISPs simply focus on efficiently transferring packets and appropriately charging for the service? Are the profits generated by "stealth cookies" or "deep packet analysis" enough to pay for the engineering and hardware cost of these "features"?

    1. Re:Why the complexity? by penguinoid · · Score: 2

      Why don't ISPs simply focus on efficiently transferring packets and appropriately charging for the service?

      More money to be made by doing it inefficiently and charging you an arm and a leg.

      Are the profits generated by "stealth cookies" or "deep packet analysis" enough to pay for the engineering and hardware cost of these "features"?

      Yes, it's almost pure profit. Except if it loses them customers. This is another reason why lack of competition is a bad idea.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  4. Re:AT&T doing same but here's the opt-out link by cheater512 · · Score: 4, Funny

    It's surprising more people don't do this. 205.234.28.93 is easily remembered and just rolls off the tip of your tongue.

  5. Not a simple carrier of bytes ? by Alain+Williams · · Score: 3, Interesting

    If Verizon is fiddling with the packets going back & forth does it not lose its 'data carrier' status and become one with the end user? So: if Disney/... sues an end user for downloading its latest film: then Verizon should be part of the lawsuit as well and liable to pay Disney for the "theft of its IP".

    Verizon cannot have it both ways, it either copies bytes and the user is 100% responsible or it fiddles with them and so is aware of the content and is thus vicariously liable for any wrongdoing.

    1. Re:Not a simple carrier of bytes ? by bobbied · · Score: 2

      Generally routers fiddle with packets all the time, usually not at the application layer though. Firewalls routinely do this as well as intrusion detection and protection systems.

      SO... I don't think Verizon is going to be liable for messing with your http packets. Not to mention that if you are downloading a Disney DVD, you are unlikely to be using http anyway, so Verizon isn't likely to do much to the torrent packets, assuming they even care.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:Not a simple carrier of bytes ? by sconeu · · Score: 2

      VZW is *not* a common carrier. They've fought tooth and nail against that.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  6. Re:AT&T doing same but here's the opt-out link by bobbied · · Score: 2

    At least it's not an IPV6 address..

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  7. Wait, what? by canadiannomad · · Score: 5, Interesting

    Just reading through the EFF page on this and it sounds like they got a patent on setting a header to track... Wow. That just sounds, ... , I don't know, but :(

    --
    Hmm, the humour and sarcasm seem to have been lost on you.
  8. slashdot censorship Soviet Union style! by Browzer · · Score: 4, Interesting

    While viewing stories in "0 Abbreviated and 0 Hidden" mode I noticed threads where the parent comment was missing but the replies are still there!

    Censorship Soviet Union style (pre photoshop) http://en.wikipedia.org/wiki/C...

  9. Copyright? by Anonymous Coward · · Score: 2, Interesting

    Why can't I claim copyright on my http requests, and deny them the ability to create a derivative work?

    1. Re:Copyright? by currently_awake · · Score: 2

      http headers are not art, they are generic templates devoid of artistic content. Your email, however, is most certainly copyrighted and the NSA owes you royalties for their duplication.

  10. So, what happens ... by PPH · · Score: 3, Interesting

    ... if my web browser already uses the X-UIDH header label? If Verizon monkeys with it, they could be breaking some app. And get charged with tampering. Never mind that I just set it to:

    X-UIDH: Go suck an egg.

    And if only a few people directed their web traffic through a simple proxy that rewrites the X-UIDH header, we could really screw with Verizon's plans.

    --
    Have gnu, will travel.
  11. So, what happens ... by Anonymous Coward · · Score: 5, Interesting

    I tried this. They delete your header and replace it with a new one.

    IANAL, but I think this violates wiretapping laws, copyright laws, and trespass of chattel laws. Under copyright and trespass of chattel laws you don't need to prove actual damages. If you can claim a "per incident" basis, the money could add up quickly.

    It also looks like it violates their own terms of use and privacy policy pages.

    What would be interesting is to use their arbitration clauses against them. They say that the arbitrator has all the powers of a court, so you should be able to ask for relief as both money and an injunction that they add this header to "your" connections. If the arbitrator cannot rule this way, then they lose their protection against class action suits.
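
Added example, not part of the thread or of any commenter's post: one way to confirm the header replacement reported above is to send a cleartext HTTP request to an echo endpoint you control and compare what left the device with what arrived. The host `echo.example`, the function names and both captures are assumptions constructed for illustration; the received X-UIDH value is a placeholder.

```python
# Added example. Both captures are constructed sample data; the received
# X-UIDH value is a placeholder, not a real carrier token.
SENT = (
    "GET /echo HTTP/1.1\r\n"
    "Host: echo.example\r\n"
    "User-Agent: test-client\r\n"
    "X-UIDH: Go suck an egg.\r\n"
    "\r\n"
)
RECEIVED = (
    "GET /echo HTTP/1.1\r\n"
    "Host: echo.example\r\n"
    "User-Agent: test-client\r\n"
    "X-UIDH: PLACEHOLDER-CARRIER-TOKEN\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Map lowercased header name -> list of values from a raw request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue  # ignore malformed lines rather than guessing
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def diff_headers(sent_raw, received_raw):
    """Classify headers as injected, replaced or removed in transit."""
    sent, recv = parse_headers(sent_raw), parse_headers(received_raw)
    report = {"injected": {}, "replaced": {}, "removed": {}}
    for name in sorted(set(sent) | set(recv)):
        if name not in sent:
            report["injected"][name] = recv[name]
        elif name not in recv:
            report["removed"][name] = sent[name]
        elif sent[name] != recv[name]:
            report["replaced"][name] = (sent[name], recv[name])
    return report


if __name__ == "__main__":
    print(diff_headers(SENT, RECEIVED))
```

Headers that ordinary proxies add, such as `Via` or `X-Forwarded-For`, will also be reported as injected, so read the report rather than treating every entry as tracking.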

  12. Re:AT&T doing same but here's the opt-out link by 3dr · · Score: 2

    I don't know what they have access to, but by disabling wifi, they see the traffic directly from the mobile device (which has a couple different IDs on the cellular system), and that's how they know (a) you're a verizon customer, and (b) what device & account it is.

  13. Cue the music... by vomitology · · Score: 2

    They'll fight for freedom,
    wherever there's trouble,
    EFF is there!


    EFF! A Real Internet Hero...

    --
    ~Knowledge is knowing that a tomato is a fruit, but Wisdom is knowing not to put it in a fruit salad.
  14. EFF -- picking ACLU's ball and running by mi · · Score: 3

    Good to see somebody doing, what ACLU used to do...

    --
    In Soviet Washington the swamp drains you.
    1. Re:EFF -- picking ACLU's ball and running by Insightfill · · Score: 2

      Good to see somebody doing, what ACLU used to do...

      Generally, the ACLU does in meat-space what the EFF does in cyberspace. They have similar general goals, but the ACLU generally doesn't do as much of the computer stuff. Their current list seems to involve plenty of LGBT issues right now, for example, but these are active court cases.

      Many times you don't hear about either organization as much because they get a lot of it sorted out via quick letters, especially at the smaller-scale level. A good letter from EFF or ACLU to a school district or county board, for example, usually never gets to a court level.

      Sometimes they even work together, such as this Tennessee story.

  15. Re:Surprised no violences by swb · · Score: 2

    Well, Ted Kaczynski led something of an anti-corporate campaign. Groups like EarthFirst have done a fair amount of direct action against environmental exploitation.

    And workplace shootings aren't unheard of, although they tend to be driven more by personal rather than sociopolitical motivations. Although maybe you could make the argument that many of their grievances ultimately derive from soulless business policies.

    But generally, there is little targeted violence against corporations or CEOs. About the only examples I can think of are historical -- the SLA kidnapped Patty Hearst, and the Red Army faction killed the head of Dresdner bank in a botched kidnapping, but there was something more politically motivated about these groups in a kind of Marxist-Leninist way than specific anti-corporate anger.

  16. What about intercepting and hacking my data? by Kludge · · Score: 5, Interesting

    Is this not an illegal man-in-the-middle intercept and hack of my data?
    I created (via my web browser) the http header and request. My device sent that http header and request to another computer with whom I want to communicate. Someone (ATT, Verizon) intercepts my data, reads it, hacks it, and sends it along. How is this not completely illegal?

  17. Re:The code rotates randomly every week by Shados · · Score: 3, Insightful

    It still gives you a unique identifier (even if it's encrypted, it's deterministic enough to be used as an ID even if you can't decrypt it) that lets you uniquely identify a household for a period of time. Combined with other more legit tracking methods, you can do some deliciously evil things with it...

  18. Re:The code rotates randomly every week by Prune · · Score: 2

    Nice try with your misdirection from the actual issue there to a red herring one. The actual problem is that they're tampering with your data (and headers are data)--the sort of thing natural (non-corporate) persons have gone to jail for. It's not merely a case of them inserting an additional header; if your application sets the X-UIDH header, they actually remove it and substitute their own. Mods, please mod parent down for shameless shilling.

    --
    "Politicians and diapers must be changed often, and for the same reason."