Fixing Verizon's Supercookie
New submitter ferro lad sends a story about Verizon's so-called supercookie, a unique identifier they add to web traffic going across their network to help advertisers target their ads better. A new article at Slate demonstrates how Verizon could fix the identifier so that ad companies would have a harder time misusing it — something they've already been shown to do. "...with just a tiny amount of effort, Verizon could maintain its current business while substantially preventing the misuse of its UID headers." Of course, for privacy-conscious users, the ability to get rid of them altogether would be preferable. Fortunately, Verizon now says users will soon have the ability to opt out of the identifiers. Previously, users could opt out of having their data shared with advertisers, but the unique identifier itself remained with their web traffic. It's not a complete solution — the tracking should be opt-in to begin with — but it's a step in the right direction.
Verizon is just doubling down on their lie. And when they get caught? Oops, now you can get rid of it for real this time, honest! And the game begins anew.
Adding cookie headers into ISP traffic is only possible for HTTP. If an ISP is terminating HTTPS traffic, that is a bit GCHQ/NRA level.
It isn't a bug it is a feature.
There is no such thing as 'opt in'. That is a total fantasy. Your traffic is always being tracked by cookies, government spies, whatever. Even https exists to serve this purpose. Certificates are just another cookie.
“He’s not deformed, he’s just drunk!”
... Fortunately, Verizon now says users will soon have the ability to opt out of the identifiers....
Yeah, you'll probably need to keep an opt-out cookie on your device in order to opt-out.
It boggled my mind how fucked we all are. Join me in boycotting Verizon and Comcast.
...or you can just use a Windows Phone and disable the advertising ID as part of the OS in the Settings menu.
I don't respond to AC's.
Poison the pot. Create a bunch of random UIDs that look like Verizon's. Or maybe a site you can go to that will help you set your set of UIDs to everyone else's that visits the site.
Also what happens if the UID is set to a very long string?
Could also put abusive messages in it for the asswipes that abuse it.
mmmm Beef Pot Pie!
Spend $5 or $10 a month on a VPN or a VPS and encrypt all your web traffic. As soon as your ISP is actively inspecting and modifying your traffic, it can't be trusted.
You shouldn't have to do this, true, but it's a solution to the present problem.
I don't care that you traffic shape my traffic -> But it is immoral and should be illegal to change it. Why do we allow ISPs like this to change the traffic flowing through their systems to the destination?
I am not talking about adding an MPLS tag that gets inserted on insertion into the provider and stripped before it leaves the other side, I am talking about adjusting my traffic to add content to the L4+ content. The ISP should only adjust things at L3 and below. Everything above that should never be touched. (Ok - Large scale NAT I can live with - Let's move that to L5+)
I have mod points and I am not afraid to use them
Are there Google Chrome or Firefox add-ons that can deal with this issue, or is it injected into the request header on Verizon's side?
Jumpstart the tartan drive.
Verizon is completely nuts if they don't think there will be a backlash!!!!!!!!
Make a complaint to the FCC about it. Complain about their DNS hijacking while you are at it. Opt-out is not neutral!
why do they feel the need (and claim the right!) to inject extra headers into your traffic in the first place?
They really ought to just pass on the packets, not do the boneheaded thing and meddle.
This is so tin hat it should be in a sitcom.
The real way to fix this is to pass net neutrality regulations that establish Verizon as a common carrier and clip the balls off these assholes
It goes without saying that you should be using https everywhere from the FSF. https://www.eff.org/https-ever... It's also worth mentioning that your home network shouldn't be using your ISP's wifi equipment, DNS servers, or if possible even their router. Other tools worth looking into that would subvert most of the outright privacy violations coming from not just carriers but various governments can be found here: https://prism-break.org/
Good people go to bed earlier.
Verizon's unique identifier they add to web traffic going across their network to help advertisers target their ads
If I wasn't stealing the neighbor's WiFi I'd be soooo pissed!
Anyone check if the header still gets added (updated) if it's already present? If not, a browser extension or local proxy, like Proxomitron, could add the header with a random value.
It must have been something you assimilated. . . .
What they suggested in the article is not a privacy "fix" -- they suggest that Verizon encrypt the cookie so advertisers have to feed the cookie back to Verizon so Verizon can decrypt it to let them track me.
The problem is that I don't want Verizon to track my web usage at all. I know they can track my web use by looking at the sites I visit (and I don't want them to do that either), but the cookie lets advertisers send more data to Verizon than they'd capture from web host tracking -- if I go to "https://somesite.com" and search for Puppies, Verizon can't see my search, but the ad network might get my keywords and can pass those keywords back to Verizon with the cookie.
I have a better solution--ditch Verizon.
This one isn't too hard; the best way to "fix" this is stop using Verizon and supporting their horrible company. I had them for a few years and always had excellent cell service, but everything else sucked balls. I switched to T-Mobile's pay-as-you-go plan and have saved a ton of money without supporting the cellular devil.
(I realize that there are contracts etc., but seriously, if you can you should drop them like a hot potato.)
Under the treaty signed for Data they have to respect the Canadian citizens' right to not be tracked, including the Canadian Constitutional Right to Privacy, even if a Canadian is in the US. Since many Canadians use border cell towers in the US, they would be liable to be sued if they did not provide some method not to be tracked.
Once again, Canada saves American rights.
-- Tigger warning: This post may contain tiggers! --
Don't mess with my traffic.
To get you from one place to another, yes you can trust a VPN if you base it on very large keys such as SSH tunneling with 4K RSA keys, or AES256 TLS tunneling, or something like that. But you'll have to move the keys manually using a physical media rather than shipping them across the net, and you have to set up both ends of the VPN yourself, and all it does is make your traffic enter the shared Internet at a different point.
So what difference does it make, really?
Well, OK, if you're a spy or drug dealer it will let you set up a secure tunnel to an associate, but for regular people who just want to look at pr0n without being blackmailed by the NSA, VPNs don't help.
Debi Lewis, a Verizon spokeswoman, issued this statement: ...
Verizon takes customer privacy seriously and it is a central consideration as we develop new products and services.
Anyone want to tell her that, if Verizon truly does take customer privacy seriously, they wouldn't be in this $hitstorm to begin with?
It is added to the HTTP request on the Verizon server when you use the internet.
They add it to your internet communications, like adding a name-tag on to your luggage.
Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
The misuse IS their business.
For anyone wondering, and too lazy to RTFA, the proposal is to make the ID string different on each request.
"Specifically, Verizon assigns each of its customers a UID, as it does now. But rather than simply inserting the UID into each Web request from the customer, Verizon takes two extra steps for each request. First, it tacks on a random number called a “nonce” to the UID. Second, it scrambles the number based on an encryption algorithm and a password, to make the resulting value look unreadable and random when it is sent out to websites. (The nonce ensures that the encrypted result changes on every request.)"
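The per-request scheme quoted above, sketched as an added example (not code from Slate, Verizon or the poster): a fresh nonce per request makes each header value different, and an integrity tag makes values not produced by the key holder fail to open. It uses HMAC-SHA256 from the Python standard library as a stand-in for a real AEAD such as AES-GCM; the function names, random keys (the article speaks of a password) and sample UID are assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # random per-request nonce, sent in the clear with the value
TAG_LEN = 16    # truncated HMAC-SHA256 tag


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for an AEAD)."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_uid(enc_key: bytes, mac_key: bytes, uid: str) -> str:
    """Carrier side: emit a header value that differs on every request."""
    nonce = secrets.token_bytes(NONCE_LEN)
    plain = uid.encode()
    cipher = _xor(plain, _keystream(enc_key, nonce, len(plain)))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    return (nonce + cipher + tag).hex()


def open_uid(enc_key: bytes, mac_key: bytes, value: str):
    """Key holder side: return the UID, or None for forged or altered values."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return None
    if len(raw) <= NONCE_LEN + TAG_LEN:
        return None
    nonce, cipher, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(cipher, _keystream(enc_key, nonce, len(cipher))).decode()


if __name__ == "__main__":
    ek, mk = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    a, b = seal_uid(ek, mk, "CONSTRUCTED-UID-0001"), seal_uid(ek, mk, "CONSTRUCTED-UID-0001")
    print(a != b, open_uid(ek, mk, a), open_uid(ek, mk, secrets.token_hex(52)))
```

A site that sees two such values cannot link them to each other without the keys, but whoever holds the keys can still map every value back to the same customer.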
Has anyone tried adding multiples of their own version of this header to outgoing traffic upstream of Verizon's gateway, to see what happens?
Not having Verizon here in Canada I cannot try this, but it would be interesting to see if doing so with a true random nonce would defeat their tracking by adding confusion as to which header was the real Verizon one and which the customer's.
Also F*** verizon, go full VPN on all your mobile traffic from now on.
In this case, where apathy and short news cycles are the strongest barriers to a resolution, so a tweak blocks the fix.
Designing new ways for them to push boundaries is not a helpful activity.
"Problem" and "fixing" are not the right metaphors here. "Crime" and "justice" fit better. Translated into that language, "It wouldn't be justice, but hypothetical self-restraint on the criminal's part would still help the victim."
- no, it wouldn't, because part of being victimized is loss of power, which justice fixes and self-restraint does not.
- an alternate resolution means there will be no justice.
- also, "No. That's dumb."
Quoting directly from the Slate article at the URL referenced by /.
Besides just being creepy, Verizon’s steaming-the-envelope-open approach tends to discourage adoption of privacy-protecting technologies such as end-to-end encryption.
From what I read on /. and elsewhere (and even in this article's comments threads...), the use of this "supercookie" approach by Verizon seems to have people talking about how to use VPNs and attempting to favor HTTPS-only for web services.
That doesn't sound like "discouraging" to me...quite the opposite in fact.
Someone at Slate needs to re-read their own article...just to see how much "sense" there is in everything else they are blathering....
just because you have another advertising ID as part of your operating system doesn't mean that if you disable that then the verizon inserted id would be removed. the verizon id doesn't care what settings you turn on or off on your phone, it gets inserted to the data stream after the phone.
unless your phone has a setting for "force https on everything", then you're fucked. and you know what's funny? on windows phone you cannot do that, you don't have even the option of a 3rd party browser that would do that(afaik).
world was created 5 seconds before this post as it is.