Fixing Verizon's Supercookie
New submitter ferro lad sends a story about Verizon's so-called supercookie, a unique identifier they add to web traffic going across their network to help advertisers target their ads better. A new article at Slate demonstrates how Verizon could fix the identifier so that ad companies would have a harder time misusing it — something they've already been shown to do. "...with just a tiny amount of effort, Verizon could maintain its current business while substantially preventing the misuse of its UID headers." Of course, for privacy-conscious users, the ability to get rid of them altogether would be preferable. Fortunately, Verizon now says users will soon have the ability to opt out of the identifiers. Previously, users could opt out of having their data shared with advertisers, but the unique identifier itself remained with their web traffic. It's not a complete solution — the tracking should be opt-in to begin with — but it's a step in the right direction.
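The fix the summary refers to is taken up further down the thread as encrypting the identifier so that only the carrier can resolve it. A minimal sketch of that idea follows, as an added example that is not Verizon's or Slate's code. The names `seal_uid` and `open_uid` and the subscriber ID are hypothetical, and because Python's standard library has no AES, HMAC-SHA256 in counter mode with encrypt-then-MAC stands in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 16

def _subkey(master, label):
    # Separate keys for encryption and authentication, derived from one secret.
    return hmac.new(master, b"uid-token:" + label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode used as a PRF stream (stand-in for an AEAD).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_uid(master, uid):
    """Header value for one request: a fresh nonce makes every value different."""
    nonce = secrets.token_bytes(NONCE_LEN)
    plain = uid.encode()
    ct = _xor(plain, _keystream(_subkey(master, b"enc"), nonce, len(plain)))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return (nonce + ct + tag).hex()

def open_uid(master, token):
    """Carrier-side lookup; returns None for malformed or tampered tokens."""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    good = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, good):
        return None
    return _xor(ct, _keystream(_subkey(master, b"enc"), nonce, len(ct))).decode()

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # carrier secret (constructed for the demo)
    a, b = seal_uid(key, "subscriber-0001"), seal_uid(key, "subscriber-0001")
    print(a != b, open_uid(key, a), open_uid(key, b))
```

Two requests from the same subscriber carry unrelated-looking values, so a third party cannot join them on the header alone, while the key holder still resolves both to the same subscriber.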
Adding cookie headers into ISP traffic is only possible for HTTP. If the ISP is terminating HTTPS traffic, that is a bit GCHQ/NRA level.
There is no such thing as 'opt in'. That is a total fantasy. Your traffic is always being tracked by cookies, government spies, whatever. Even https exists to serve this purpose. Certificates are just another cookie.
“He’s not deformed, he’s just drunk!”
... Fortunately, Verizon now says users will soon have the ability to opt out of the identifiers....
Yeah, you'll probably need to keep an opt-out cookie on your device in order to opt-out.
Spend $5 or $10 a month on a VPN or a VPS and encrypt all your web traffic. As soon as your ISP is actively inspecting and modifying your traffic, it can't be trusted.
You shouldn't have to do this, true, but it's a solution to the present problem.
I don't care that you traffic shape my traffic -> But it is immoral and should be illegal to change it. Why do we allow ISPs like this to change the traffic flowing through their systems to the destination?
I am not talking about adding an MPLS tag that gets inserted on insertion into the provider and stripped before it leaves the other side, I am talking about adjusting my traffic to add content to the L4+ content. The ISP should only adjust things at L3 and below. Everything above that should never be touched (OK - large-scale NAT I can live with - let's move that to L5+)
I have mod points and I am not afraid to use them
nope, that only disables the advertising ID in the phone used by apps as an identifier. Does nothing for the "supercookie" that Verizon inserts into the traffic, much like a man in the middle attack, at the network level. Easily and personally verified.
Are you clueless or something?
There is no way to disable this, and certainly not with your damned Windows phone.
Verizon is directly injecting this crap into your request, on their servers, independent of what YOU do.
Basically Verizon are acting like a bunch of greedy assholes, and setting every request you make to be something uniquely identifiable as you.
Lost at C:>. Found at C.
Are there Google Chrome or Firefox add-ons that can deal with this issue, or is it injected into the request header on Verizon's side?
Jumpstart the tartan drive.
Verizon is completely nuts if they don't think there will be a backlash!!!!!!!!
The real question is how are multiple headers interpreted for the tracking code. Is the first UID header the Verizon one or the last? What if my client inserts a random one before and after every other header, etc.? Sure, if it's the NSA or whatever then you're the guy who's got the UID header that changes with each request or the guy with multiple headers, etc. Even if lots of people do it, a weak PRNG used to generate those headers and $AGENCY might still be able to identify you.
Advertisers, though, I am going to guess not so much. Hell, half of them are probably using web application frameworks that don't even make explicit commitments to ordering of headers in the collection their high-level code is interfacing with.
The other thing is the system was/is designed for 1 person : 1 UID header mapping. If enough people start changing UID headers that are a per-request nonce, that is going to be lots and lots of entities in the key space. Just ask the big data guys how much memory and storage can get burned just on keys; hint: it's a lot. Might be able to make the entire system fall over if enough people participate.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Make a complaint to the FCC about it. Complain about their DNS hijacking while you are at it. Opt-out is not neutral!
I think the GP's idea was to create a Verizon-like UID, but using other providers.
The real way to fix this is to pass net neutrality regulations that establish Verizon as a common carrier and clip the balls off these assholes
It goes without saying that you should be using https everywhere from the FSF. https://www.eff.org/https-ever... It's also worth mentioning that your home network shouldn't be using your ISP's wifi equipment, DNS servers, or if possible even their router. Other tools worth looking into that would subvert most of the outright privacy violations coming from not just carriers but various governments can be found here: https://prism-break.org/
Good people go to bed earlier.
Verizon's unique identifier they add to web traffic going across their network to help advertisers target their ads
If I wasn't stealing the neighbor's WiFi I'd be soooo pissed!
Anyone check if the header still gets added (updated) if it's already present? If not, a browser extension or local proxy, like Proxomitron, could add the header with a random value.
It must have been something you assimilated. . . .
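Several posts in this thread ask whether the identifier is added on the carrier's side and what happens to a copy the client sends itself. One way to check is to compare the headers a client sent with the headers an echo server you control reports receiving. This is an added example, not code from the thread; the header name `X-Carrier-UID`, the function names and all sample values are constructed placeholders.

```python
def _values(pairs, name):
    """All values of one header, matched case-insensitively, in wire order."""
    return [v.strip() for n, v in pairs if n.strip().lower() == name.lower()]

def classify_header(sent, received, name):
    """Say what happened in transit to one header (lists of (name, value))."""
    s, r = _values(sent, name), _values(received, name)
    if s == r:
        return "unchanged" if s else "absent"
    if not s:
        return "injected"    # arrived although the client never sent it
    if not r:
        return "stripped"
    if all(v in r for v in s):
        return "appended"    # client's values survive, extra ones were added
    return "rewritten"       # client's value was replaced in transit

def injected_names(sent, received, ignore=("via", "x-forwarded-for")):
    """Header names present on arrival only, minus ordinary proxy headers."""
    sent_names = {n.strip().lower() for n, _ in sent}
    seen_names = {n.strip().lower() for n, _ in received}
    return sorted(seen_names - sent_names - set(ignore))

# Constructed sample: what the client sent, and what the echo server saw
# over cleartext HTTP and over TLS on the same connection.
SENT = [("User-Agent", "probe/1.0"), ("Accept", "*/*"),
        ("X-Carrier-UID", "client-nonce-1")]
SEEN_CLEARTEXT = [("user-agent", "probe/1.0"), ("accept", "*/*"),
                  ("x-carrier-uid", "CONSTRUCTED-OPAQUE-ID"),
                  ("Via", "1.1 example-proxy")]
SEEN_TLS = [("user-agent", "probe/1.0"), ("accept", "*/*"),
            ("x-carrier-uid", "client-nonce-1")]

if __name__ == "__main__":
    print(classify_header(SENT, SEEN_CLEARTEXT, "X-Carrier-UID"))
    print(classify_header(SENT, SEEN_TLS, "X-Carrier-UID"))
    print(injected_names(SENT[:2], SEEN_CLEARTEXT))
```

Running the same probe over HTTP and HTTPS separates in-path modification from anything the device itself adds, since an intermediary that does not terminate TLS cannot alter headers inside it.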
It can be gotten around... just hash the UIDs obtained, and look for the valid one that persists between transactions, especially with other supercookie data that most browsers hand over (font order is quite identifiable, same with plugins... and we are not even near LSOs or other items.)
The only solution to this is a trustworthy VPN so traffic is encrypted from the device on out (and can't be modified without parties noticing.)
What they suggested in the article is not a privacy "fix" -- they suggest that Verizon encrypt the cookie so advertisers have to feed the cookie back to Verizon so Verizon can decrypt it to let them track me.
The problem is that I don't want Verizon to track my web usage at all. I know they can track my web use by looking at the sites I visit (and I don't want them to do that either), but the cookie lets advertisers send more data to Verizon than they'd capture from web host tracking -- if I go to "https://somesite.com" and search for Puppies, Verizon can't see my search, but the ad network might get my keywords and can pass those keywords back to Verizon with the cookie.
Money. More specifically, revenue from advertisers. Once they had the motive, it's pretty easy to justify the means to the end.
John
This one isn't too hard; the best way to "fix" this is stop using Verizon and supporting their horrible company. I had them for a few years and always had excellent cell service, but everything else sucked balls. I switched to T-Mobile's pay-as-you-go plan and have saved a ton of money without supporting the cellular devil.
(I realize that there are contracts etc., but seriously, if you can you should drop them like a hot potato.)
...or you can just use a Windows Phone and disable the advertising ID as part of the OS in the Settings menu.
Or you could read at the very least the one sentence title of the story.
Verizon inserts the cookie, long after the traffic has left your phone and your phone has any ability to do shit all about it.
The only thing your phone could do or be affected by is if it also added a cookie with the same header name, in which case Verizon deletes your data and replaces it with their own.
It should be a requirement that you can read before you are allowed to write and post...
Under the treaty signed for Data they have to respect the Canadian Citizens right to not be tracked, including the Canadian Constitutional Right to Privacy, even if a Canadian is in the US. Since many Canadians use border cell towers in the US, they would be liable to be sued if they did not provide some method not to be tracked.
Once again, Canada saves American rights.
-- Tigger warning: This post may contain tiggers! --
Resetting your advertising ID makes it harder for apps to connect your past activities with your future ones
Says nothing about disabling the ability of apps to track or store your past activities
Yes. Why was there ever a Super Undelete-able Cookie ever allowed to be placed on devices in the first place?
No, it doesn't, but the rest of his points stand.
WTF does being anti or pro Microsoft have to do with the fact that the fucking headers are being rewritten by Verizon?
I'm not blindly pro or anti Microsoft -- but let's not fucking pretend a Windows phone is a magic cure-all for something which is happening at the carrier level.
But, hey, don't let common sense or facts stand in the way of being an idiot.
Lost at C:>. Found at C.
Seems like "VPN" will solve that problem. Whether it engenders a new problem is a different story.
The cesspool just got a check and balance.
Because you should trust your server provider not to mess with your traffic more than you should trust Verizon? Who cares about the NSA, if they want to get your data they're going to get it. Meanwhile, Verizon is actively MODIFYING your traffic...
Key exchange is also really not a problem, the entire point of a secure key exchange is that the keys are never transmitted in the clear. You don't need physical media.
+1
Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
It is added to the HTTP request on the Verizon server when you use the internet.
They add it to your internet communications, like adding a name-tag on to your luggage.
Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
Someone's confusing the device's ID used for marketing by products like MixPanel, Localytics, maybe Omniture (dunno if web analytics used on native apps tap into it) with the Verizon supercookie.
Not the same thing. At all.
Has anyone tried adding multiples of their own version of this header to outgoing traffic upstream of Verizon's gateway, to see what happens?
Not having Verizon here in Canada I cannot try this, but it would be interesting to see if doing so with a true random nonce would defeat their tracking by adding confusion as to which header was the real Verizon one and which the customer's.
Also F*** Verizon, go full VPN on all your mobile traffic from now on.
It'll decrease their backhaul capacity, but few people even care and fewer still will do something about it. Heck, it took me three months to bother renting a VPS to do it and I already had all the skills.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
just because you have another advertising ID as part of your operating system doesn't mean that if you disable that then the verizon inserted id would be removed. the verizon id doesn't care what settings you turn on or off on your phone, it gets inserted to the data stream after the phone.
unless your phone has a setting for "force https on everything", then you're fucked. and you know what's funny? on windows phone you cannot do that, you don't have even the option of a 3rd party browser that would do that(afaik).
world was created 5 seconds before this post as it is.