Ad Company Using Verizon Tracking Header To Recreate Deleted Cookies
itwbennett writes: The story began a few months ago when it was reported that both Verizon and AT&T were injecting unique identifiers in the Web requests of their mobile customers. AT&T has since stopped using the system, but Verizon continues. Now, Stanford computer scientist Jonathan Mayer has found that one advertising company called Turn, which tracks users across the Web when they visit major sites including Facebook, Twitter, Yahoo, BlueKai, AppNexus, Walmart and WebMD, uses the Verizon UIDH to respawn its own tracking cookies.
“If a Verizon customer tethered with their phone, their notebook could get stuck with the zombie value. (The ultimate in cross-device advertising!) And the zombie value could spread between cookie stores on a device, including between the web browser and individual apps. (The ultimate in inter-app advertising!)”
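An added example, not from the article or from Mayer's research: one way to test for the respawning described above is to delete cookies between visits and check whether an identifier comes back unchanged while the X-UIDH value stays the same. The visit records, site names, cookie names and field names below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. "uidh" is the X-UIDH value the server received
# (None when the request carried no such header). "sent" holds the cookies
# the browser sent (empty right after deleting cookies); "set" holds the
# cookies the site set in its response.
VISITS = [
    {"site": "tracker.example", "uidh": "U-A", "sent": {}, "set": {"uid": "7731"}},
    {"site": "tracker.example", "uidh": "U-A", "sent": {}, "set": {"uid": "7731"}},
    {"site": "tracker.example", "uidh": None, "sent": {}, "set": {"uid": "9001"}},
    {"site": "tracker.example", "uidh": None, "sent": {}, "set": {"uid": "4410"}},
    {"site": "shop.example", "uidh": "U-A", "sent": {}, "set": {"lang": "en"}},
    {"site": "shop.example", "uidh": "U-A", "sent": {}, "set": {"lang": "en"}},
    {"site": "shop.example", "uidh": None, "sent": {}, "set": {"lang": "en"}},
    {"site": "news.example", "uidh": "U-A", "sent": {}, "set": {"sid": "a1"}},
    {"site": "news.example", "uidh": "U-A", "sent": {}, "set": {"sid": "b2"}},
    {"site": "news.example", "uidh": "U-A", "sent": {"sid": "b2"}, "set": {"sid": "b2"}},
]

def find_respawns(visits):
    """Return sorted (site, cookie, uidh) tuples for cookies that reappear with
    the same value after deletion while the X-UIDH value is unchanged."""
    # (site, cookie name) -> uidh -> values issued to a browser without that cookie
    issued = defaultdict(lambda: defaultdict(list))
    for v in visits:
        for name, value in v["set"].items():
            if name in v["sent"]:
                continue  # cookie was not deleted, so a repeat proves nothing
            issued[(v["site"], name)][v["uidh"]].append(value)

    findings = []
    for (site, name), by_uidh in issued.items():
        for uidh, values in by_uidh.items():
            # Need a header, at least two clean visits, and one repeated value.
            if uidh is None or len(values) < 2 or len(set(values)) != 1:
                continue
            # Control: a value also handed out under a different header value,
            # or with no header, is a constant (e.g. a language setting).
            others = {x for u, vals in by_uidh.items() if u != uidh for x in vals}
            if values[0] not in others:
                findings.append((site, name, uidh))
    return sorted(findings)

if __name__ == "__main__":
    for site, name, uidh in find_respawns(VISITS):
        print(f"{site}: cookie '{name}' respawned while X-UIDH={uidh}")
```

Without control visits that lack the header, a constant cookie cannot be told apart from a respawned identifier, so the check is only as good as the visits recorded.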
So Verizon injects encrypted cookies that identify the user, then sells the decryption key to ad companies, so they can track users. I'd be reviewing the terms and conditions of the internet service. Surely they don't allow tampering? People should shame Verizon publicly and leave them, but calls for net neutrality laws are misguided. Verizon makes money from this, so they should end up cheaper than competitors who don't do this. Customers are free to choose to have less privacy for a cheaper service. Regulation isn't needed.
The "market" does not correct for corrupt practices like these, despite every libertarian fantasy to the contrary.
All of these greedy assholes who run these companies which exist to violate our privacy?
They've all given up any right to privacy and to be treated like humans.
Start doxxing the fuckers. Release their home addresses, phone numbers, banking information. Release every mother fucking piece you can find on them, their families, their friends, their business partners.
If they want to make their living by trading on our personal information without our consent, then they utterly deserve to be driven into the ground using the same thing.
They're parasites with no regard for us. Which means they and those they associate with deserve no regard from us.
If they are injecting headers, that still won't work. Every HTTP request will be identifying you. You need to browse in HTTPS and confirm that your Verizon phone isn't using some dodgy built-in Verizon CA. It is always a good idea to browse in privacy mode, especially because bank sites and other sites could have flaws like cross-site scripting.
And even if it were to eventually... it certainly isn't right now. Your privacy has been invaded for weeks or months. That is a fait accompli; no market reaction can undo that.
That's the thing I find baffling about the libertarian fantasists. Even if in some kind of long-term it were to eliminate some kind of abuse, it can't reverse the effects of that abuse. Pollutants stay in the environment. People injured by dangerous products remain injured. Patients who die from counterfeit medicines stay dead. You can't sue your way whole.
There are many other reasons why the market isn't nearly as frictionless as libertarian theorists like to imagine. But right here, in this case, we've got an example: you will never regain the privacy that you lost because of this. Even if you switch providers, and that forces them to change the policy, it won't return the privacy you've already lost. Markets simply aren't frictionless, and that friction makes the notion that "the market fixes everything" just plain false.
That's not to say we need infinite regulations on everything. The right level of regulation is difficult and complex, and has to be worked out as a compromise. I'm just pointing out that "oh, it'll all be OK, we never need to do anything at all" isn't a helpful contribution to that compromise.
Someone didn't RTFA. Neither of those things will prevent this. The tracking is injected into the HTTP headers by the ISP. Even if you don't accept their cookie, they can still track you.
Popisms.com - Connecting pop culture
Ummm the customers and Verizon have a contract. It's either broken or it isn't. It's only corruption if they are breaking the contract and rigging the justice system so no one can get at them for breach. I'd say it's much more likely people are just lazy and don't read any of the terms and conditions they agree to. In many countries there are free/cheap ISPs who work by injecting ads. Under net neutrality these wouldn't exist.
The header injections work no matter what. Visit lessonslearned.org/sniff as proof of this.
It isn't too tough to fix -- use an encrypted VPN.
I wonder if we could fuck with this service though by creating a Mozilla addon that inserts this header and fills it with some random garbage on each request. If enough people used it maybe we could DOS their database by filling it with UUIDs seen only once?
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
I just tried this URL on three Verizon phones:
http://uidh.crud.net/
On all browsers on the Android phones, no header was detected. On the iPhone we tested, there was a header insertion.
I assume this is due to a "no track" setting at the browser application level. Interesting that Android browsers have it enabled but the iPhone browser does not.
What is the "free market" mechanism for dealing with corporate intrusions that are unknown to the consumer?
When you have third parties making money off of your data without your permission, and you are not their customer, which free market recourse is available to you?
The "free market" is just a myth used to make people like you think you have some agency in an economy where you are the consumable. There is no such thing as a free market. It has never existed, and can never exist. It's a fairy tale told to slaves.
You are welcome on my lawn.
I wonder if we could fuck with this service though by creating a Mozilla addon that inserts this header and fills it with some random garbage on each request. If enough people used it maybe we could DOS their database by filling it with UUIDs seen only once?
No, that wouldn't work. The header is inserted well after the request leaves your phone. If you insert the header yourself first, it will just get overwritten once you've sent it.
"So, what’s a Verizon subscriber to do?,"
Dump Verizon.
He's suggesting non-Verizon users do this to protect Verizon users.
How about creating a proxy server that sanitizes the header. You browse to https://myproxyserver.com/get?... and it pulls up the page after cleaning the headers. And it patches all the links on the page to also go through the proxy so you can simply surf away... I'd think such servers might exist already...
From https://www.eff.org/deeplinks/...
Because the header is injected at the network level, Verizon can add it to anyone using their towers, even those who aren't Verizon customers. Notably, Verizon appears to inject the X-UIDH header even for customers of Straight Talk, a mobile network reseller (known as a MVNO) that uses Verizon's network. Customers of Straight Talk don't necessarily have a relationship with Verizon.
Windows 3.1x calc: 3.11 - 3.10 = 0.00
Only if your request is going through Verizon. If it were a Firefox addon I would be sending these fake headers from my PC, which isn't going through Verizon.
You may say "why do I care if I don't use Verizon?" and I'll respond with "and first they came for the Jews". If you think that's a big jump, well maybe it is, but you need to protect rights for all of the people or you don't deserve the rights you have.
I refuse to sign