Ad Company Using Verizon Tracking Header To Recreate Deleted Cookies
itwbennett writes: The story began a few months ago when it was reported that both Verizon and AT&T were injecting unique identifiers in the Web requests of their mobile customers. AT&T has since stopped using the system, but Verizon continues. Now, Stanford computer scientist Jonathan Mayer has found that one advertising company called Turn, which tracks users across the Web when they visit major sites including Facebook, Twitter, Yahoo, BlueKai, AppNexus, Walmart and WebMD, uses the Verizon UIDH to respawn its own tracking cookies.
“If a Verizon customer tethered with their phone, their notebook could get stuck with the zombie value. (The ultimate in cross-device advertising!) And the zombie value could spread between cookie stores on a device, including between the web browser and individual apps. (The ultimate in inter-app advertising!)”
Oh, I'm sorry, that must have been one of my OTHER personalities!!!!
So Verizon injects encrypted cookies that identify the user, then sells the decryption key to ad companies, so they can track users. I'd be reviewing the terms and conditions of the internet service. Surely they don't allow tampering? People should shame Verizon publicly and leave them, but calls for net neutrality laws are misguided. Verizon makes money from this, so they should end up cheaper than competitors who don't do this. Customers are free to choose to have less privacy for a cheaper service. Regulation isn't needed.
the "market" does not correct for corrupt practices like these, despite every libertarian fantasy to the contrary.
if you haven't ever waded thru pcap traffic of adfraud, you may not be familiar with this steaming shitpile.
http://www.lumapartners.com/wordpress/wp-content/uploads/2012/04/Display-LUMAscape_2012-04-05.jpg
turn, bluekai, and appnexus are all companies in the lumascape group.
All of these greedy assholes who run these companies which exist to violate our privacy?
They've all given up any right to privacy and to be treated like humans.
Start doxxing the fuckers. Release their home addresses, phone numbers, banking information. Release every mother fucking piece you can find on them, their families, their friends, their business partners.
If they want to make their living by trading on our personal information without our consent, then they utterly deserve to be driven into the ground using the same thing.
They're parasites with no regard for us. Which means they and those they associate with deserve no regard from us.
It's all supply and demand. They don't price their products based on cost, but on how much people are willing to pay. Just like Apple doesn't set its prices based on the cost of components.
It would probably have been more correct to say: Verizon makes money from this, so they should end up making more money than competitors who don't do this.
You are required, with threat of force, to still buy Verizon after this? At least when the government screws up you can switch to the other government provider and stop paying your IRS bill to them.
Your assertion is based on... what?
Gamingmuseum.com: Give your 3D accelerator a rest.
If they are injecting headers, that still won't work. Every HTTP request will be identifying you. You need to browse in HTTPS and confirm that your Verizon phone isn't using some dodgy built-in Verizon CA. It is always a good idea to browse in privacy mode, especially because bank sites and other sites could have flaws like cross-site scripting.
And even if it were to eventually... it certainly isn't right now. Your privacy has been invaded for weeks or months. That is a fait accompli; no market reaction can undo that.
That's the thing I find baffling about the libertarian fantasists. Even if in some kind of long-term it were to eliminate some kind of abuse, it can't reverse the effects of that abuse. Pollutants stay in the environment. People injured by dangerous products remain injured. Patients who die from counterfeit medicines stay dead. You can't sue your way whole.
There are many other reasons why the market isn't nearly as frictionless as libertarian theorists like to imagine. But right here, in this case, we've got an example: you will never regain the privacy that you lost because of this. Even if you switch providers, and that forces them to change the policy, it won't return the privacy you've already lost. Markets simply aren't frictionless, and that friction makes the notion that "the market fixes everything" just plain false.
That's not to say we need infinite regulations on everything. The right level of regulation is difficult and complex, and has to be worked out as a compromise. I'm just pointing out that "oh, it'll all be OK, we never need to do anything at all" isn't a helpful contribution to that compromise.
Someone didn't RTFA. Neither of those things will prevent this. The tracking is injected into the HTTP headers by the ISP. Even if you don't accept their cookie, they can still track you.
Popisms.com - Connecting pop culture
Ummm the customers and Verizon have a contract. It's either broken or it isn't. It's only corruption if they are breaking the contract and rigging the justice system so no one can get at them for breach. I'd say it's much more likely people are just lazy and don't read any of the terms and conditions they agree to. In many countries there are free/cheap ISPs who work by injecting ads. Under net neutrality these wouldn't exist.
But you can change government providers.
There's another government provider to the north of the US and another government provider to the south of the US. Along with more than a hundred other government providers. There's also plenty of other local and regional government providers if your problem is just with your local provider.
The market only fails because we essentially have a duopoly of nationwide carriers and that is ONLY possible because of regulation, in the first place.
Admittedly it's very likely without the likes of the FCC the idea of a nationwide cellular carrier being able to exist at all is unlikely. Just think VZW and AT&T had to negotiate with every locality and try to get spectrum easements in the same band but...this isn't the point.
You don't get to have it both ways any more than Libertarians do, you can't blame the market for failures when it's already one of the most regulated market segments in existence.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
the "market" does not correct for corrupt practices like these
Public shaming stopped AT&T from doing this.
In my corner of the "market", things like these led me to switch from Verizon to T-Mobile.
Your confusion seems to be that the "market" must correct instantly, instead of over time.
The benefit of market correction is it's more natural in reaction, and proportionate to the problem.
The model you'd prefer is a regulatory approach, which at this point is inherently corrupt and alarmist - your approach brought us the Patriot Act (thanks for that BTW).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
An outcome that does not yield your personal preference of goodness or morality is not proof of the market not working. Rather, this sort of thing conveys that people just don't care.
Monopolies... Past experience. It is not an assertion, but fact backed by empirical evidence.
The header injections work no matter what. Visit lessonslearned.org/sniff as proof of this.
It isn't too tough to fix -- use an encrypted VPN.
I wonder if we could fuck with this service though by creating a Mozilla addon that inserts this header and fills it with some random garbage on each request. If enough people used it maybe we could DOS their database by filling it with UUID seen only once?
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
I just tried this URL on three Verizon phones:
http://uidh.crud.net/
On all browsers on the Android phones, no header was detected. On the iPhone we tested, there was a header insertion.
I assume this is due to a "no track" setting at the browser application level. Interesting that Android's browsers have it enabled but the iPhone browser does not.
VPN to some endpoint outside of VZ's network.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
An outcome that does not yield your personal preference of goodness or morality is not proof of the market not working. Rather, this sort of thing conveys that people just don't care.
So you are basically agreeing. Since people don't care, the market doesn't fix itself, so the corrupt actions don't get corrected.
And for those saying that AT&T got shamed out of it. Have you even noticed that AT&T (and the others) still keep doing corrupt things over and over again until they get caught?!? They will just come with a different system or might already have one. It never changes. Big corps win, because they aren't being regulated with a strong fist.
Someone doesn't understand TFA. By rejecting their cookie, you strip the ad company's ability to "rehydrate" your identity cookie later when you're not on Verizon's network.
We have a duopoly because of a lack of regulation. AT&T and Verizon have been buying up competitors for years. There's a funny video of one of the guys from The Daily Show showing how AT&T undid their breakup through mergers.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
What is the "free market" mechanism for dealing with corporate intrusions that are unknown to the consumer?
When you have third parties making money off of your data without your permission, and you are not their customer, which free market recourse is available to you?
The "free market" is just a myth used to make people like you think you have some agency in an economy where you are the consumable. There is no such thing as a free market. It has never existed, and can never exist. It's a fairy tale told to slaves.
You are welcome on my lawn.
My rates haven't gone down for years and I use mobile browsing more than desktop.
I wonder if we could fuck with this service though by creating a Mozilla addon that inserts this header and fills it with some random garbage on each request. If enough people used it maybe we could DOS their database by filling it with UUID seen only once?
No, that wouldn't work. The header is inserted well after the request leaves your phone. If you insert the header yourself first, it will just get overwritten once you've sent it.
I find it unlikely that whatever software Verizon uses to add the tag bothers to check if the value already exists before setting it to the value for your account.
You can probably also do illegal things to your connectivity provider. I mean, they are free to select other customers, right?
"So, what’s a Verizon subscriber to do?,"
Dump Verizon.
He's suggesting non-Verizon users do this to protect Verizon users.
How about creating a proxy server that sanitizes the header. You browse to https://myproxyserver.com/get?... and it pulls up the page after cleaning the headers. And it patches all the links on the page to also go through the proxy so you can simply surf away... I'd think such servers might exist already...
Oops, I didn't intend to create a plug for that site, I didn't know it actually existed and is some kind of proxy service...
Ahh, I understand. You'd also have to not be an AT&T user. Best bet is to actually test for header injection first, since we don't really know all the carriers that do this. Particularly with the small carriers, since they are just reselling service from the major carriers.
From https://www.eff.org/deeplinks/...
Because the header is injected at the network level, Verizon can add it to anyone using their towers, even those who aren't Verizon customers. Notably, Verizon appears to inject the X-UIDH header even for customers of Straight Talk, a mobile network reseller (known as a MVNO) that uses Verizon's network. Customers of Straight Talk don't necessarily have a relationship with Verizon.
Windows 3.1x calc: 3.11 - 3.10 = 0.00
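The header-injection test suggested above, as an added example that is not from any commenter or from the test pages linked in this thread: an echo endpoint reports the request headers it received over plain HTTP, and the client diffs them against what it actually sent, so anything extra or changed (such as X-UIDH) was inserted in transit. The function names, the allow-list and both raw requests are constructed for illustration.

```python
"""Find headers added or rewritten in transit by diffing sent vs. received requests."""

# Headers a benign proxy hop commonly adds; an assumption, adjust for your own path.
EXPECTED_HOP_HEADERS = {"via", "x-forwarded-for", "x-forwarded-proto"}

# Constructed sample: what the client put on the wire.
SENT = (b"GET /echo HTTP/1.1\r\nHost: echo.example.org\r\n"
        b"User-Agent: test-client/1.0\r\nAccept: */*\r\n\r\n")

# Constructed sample: what the echo endpoint says it received over plain HTTP.
RECEIVED = (b"GET /echo HTTP/1.1\r\nHost: echo.example.org\r\n"
            b"User-Agent: test-client/1.0\r\nAccept: */*\r\n"
            b"Via: 1.1 proxy.example.net\r\n"
            b"X-UIDH: CONSTRUCTED-PLACEHOLDER-VALUE\r\n\r\n")


def parse_request_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x request into {lowercase name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        if not line or line[0] in " \t":       # skip blanks and obsolete folded lines
            continue
        name, sep, value = line.partition(":")
        if not sep:                            # malformed line, ignore it
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def injected_headers(sent: bytes, received: bytes) -> dict:
    """Return headers in `received` that are new or differ from what the client sent."""
    before = parse_request_headers(sent)
    after = parse_request_headers(received)
    findings = {}
    for name, values in after.items():
        if name in EXPECTED_HOP_HEADERS:
            continue                           # expected proxy metadata, not tracking
        if before.get(name) != values:         # absent before, or overwritten in transit
            findings[name] = values
    return findings


if __name__ == "__main__":
    for name, values in injected_headers(SENT, RECEIVED).items():
        print(f"added or changed in transit: {name} = {values}")
```

Repeating the comparison against the same endpoint over HTTPS gives a baseline: a hop that cannot see inside the TLS session cannot add headers, so the diff there should be empty.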
and Android does not so that is the reason why they throw that header to iOS phones by default.
What is the "free market" mechanism for dealing with corporate intrusions that are unknown to the consumer
Competitors.
Phone companies can only get away with crap like this because the government gave them a monopoly on parts of the EM spectrum.
But, hey, feel free to blame the EVIL FREE MARKET if it gets you hot in your pants.
You assume the market is broken.
Their execrable behavior is summed up in this lawyer speak from the article...
"Turn admits that it is using Verizon’s UIDH to recreate deleted cookies, but the company’s general counsel and chief privacy officer, Max Ochoa, argued in a blog post that “clearing a cookie cache is not a widely recognized method of reliably expressing an opt-out preference.”"
If the user clears cookies, they want the memory of that crap gone.
Scum!
Still stuck on last year's meme? I hear that you can get help for that now.
Il n'y a pas de Planet B.
Genius, how is competition going to help dealing with corporate intrusions that are unknown to the consumer because the consumer really isn't the customer in these third-party transactions?
"Competition" only helps when you have sufficient information to make a decision.
And yes, I blame the EVIL FREE MARKET THAT DOES NOT EXIST for your lack of reading comprehension.
You are welcome on my lawn.
Whatever you say Bennett.
Man, those guys at Verizon are getting the job done. I gotta step up my game.
Only if your request is going through Verizon. If it were a Firefox Addon I would be sending these fake headers from my PC which isn't going through Verizon.
You may say "why do I care if I don't use Verizon?" and I'll respond with "and first they came for the Jews". If you think that's a big jump, well maybe it is, but you need to protect rights for all of the people or you don't deserve the rights you have.
I refuse to sign
For fake domains and URLs you should always use the RFC approved "example.tld" such as https://myproxy.example.org/...
The idea is that people not using Verizon could do this, and pollute their databases with garbage data. It likely wouldn't affect their ability to track actual Verizon users, but it could make it more difficult to do so by burying them in garbage. Only problem is that I can think of a couple of easy technical solutions to easily filter out most of the "noise".
I have used a VPN to my home machine to avoid these kinds of issues but my home ISP could always start doing the same thing.