Slashdot Mirror


Fixing Verizon's Supercookie

New submitter ferro lad sends a story about Verizon's so-called supercookie, a unique identifier they add to web traffic going across their network to help advertisers target their ads better. A new article at Slate demonstrates how Verizon could fix the identifier so that ad companies would have a harder time misusing it — something they've already been shown to do. "...with just a tiny amount of effort, Verizon could maintain its current business while substantially preventing the misuse of its UID headers." Of course, for privacy-conscious users, the ability to get rid of them altogether would be preferable. Fortunately, Verizon now says users will soon have the ability to opt out of the identifiers. Previously, users could opt out of having their data shared with advertisers, but the unique identifier itself remained with their web traffic. It's not a complete solution — the tracking should be opt-in to begin with — but it's a step in the right direction.

17 of 111 comments

  1. more reason for https as default for all sites by MarkH · · Score: 5, Interesting

    Adding cookie headers into ISP traffic is only possible for HTTP. If an ISP is terminating HTTPS traffic, that is a bit GCHQ/NRA level.

  2. On tracking by fustakrakich · · Score: 2, Insightful

    There is no such thing as 'opt in'. That is a total fantasy. Your traffic is always being tracked by cookies, government spies, whatever. Even https exists to serve this purpose. Certificates are just another cookie.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:On tracking by davesque · · Score: 2

      How is a certificate anything like a cookie? Cookies are unique to clients. Certificates are unique to servers. You can't use a server's SSL cert to track its users. And, unless Verizon has figured out a way to crack SSL connections in real time, they can't be injecting any headers into web requests made through HTTPS.

    2. Re:On tracking by mcrbids · · Score: 4, Insightful

      Your traffic is always being tracked by cookies, government spies, whatever.

      Please stop with the "sky is falling" routine - it only makes the problem worse and the stakes are too high to just throw your hands up in the air and give up in blissful ignorance.

      Even https exists to serve this purpose. Certificates are just another cookie.

      I suspect that, at a basic level, you have a fundamental misunderstanding as to what a "certificate" is and does.

      1) A cookie is an identifier that allows you to tie numerous http(s) sessions together by domain. It can thus be used to track you by having many sites contain images or content from a common domain. (EG: doubleclick.com)

      2) A certificate is used to negotiate a private session with a single domain. It's provided by the server and validated by the client to set up an encrypted connection. It allows you, the user, to verify that you are connected with the correct domain and *not* a nefarious person. The use of HTTPS and certificates foils the Verizon "supercookie" as they have no meaningful way to pierce the encryption provided between you and, say, Google.com.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
  3. Opting out... by QuietLagoon · · Score: 4, Funny

    ... Fortunately, Verizon now says users will soon have the ability to opt out of the identifiers....

    Yeah, you'll probably need to keep an opt-out cookie on your device in order to opt-out.

    1. Re:Opting out... by SuricouRaven · · Score: 2

      X-VERIZON-TRACK=2397123483
      X-IGNORE-VERIZON-TRACK=1

  4. VPN. by Guspaz · · Score: 4, Insightful

    Spend $5 or $10 a month on a VPN or a VPS and encrypt all your web traffic. As soon as your ISP is actively inspecting and modifying your traffic, it can't be trusted.

    You shouldn't have to do this, true, but it's a solution to the present problem.

    1. Re:VPN. by Archangel+Michael · · Score: 4, Insightful

      The NSA has a budget somewhere on the order of 40-80 billion dollars per year. No normal individual can stand up to that level of attack.

      Nor should they. The government should be protecting citizens' rights, not invading them. But that is what you get when you keep voting for Republicrats.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  5. A good Net Neutrality thing for law by MerlynEmrys67 · · Score: 4, Insightful

    I don't care that you traffic shape my traffic -> But it is immoral and should be illegal to change it. Why do we allow ISPs like this to change the traffic flowing through their systems to the destination?
    I am not talking about adding an MPLS tag that gets inserted on insertion into the provider and stripped before it leaves the other side, I am talking about adjusting my traffic to add content to the L4+ content. The ISP should only adjust things at L3 and below. Everything above that should never be touched (OK - large-scale NAT I can live with - let's move that to L5+).

    --
    I have mod points and I am not afraid to use them
  6. Re:Windows Phone by Bugler412 · · Score: 4, Informative

    nope, that only disables the advertising ID in the phone used by apps as an identifier. Does nothing for the "supercookie" that Verizon inserts into the traffic, much like a man in the middle attack, at the network level. Easily and personally verified.

  7. Re:Windows Phone by gstoddart · · Score: 4, Informative

    Are you clueless or something?

    Verizon's controversial technology basically involves attaching tracking numbers whenever customers view Web pages. Generally, to visit a Web page, my computer (or phone, tablet, etc.) sends a request message to the website with that page. Think of this like a very (very!) fast version of sending a letter through the mail, requesting some information.

    Now imagine if the Postal Service assigned an identification number to me, and every time I sent one of those letters, a postal worker opened up the envelope and stamped the ID number inside. That is more or less what Verizon has been doing: Every time a Verizon Wireless customer requests a Web page, Verizon rewrites the request in transit to include a tracking number identifying the customer.

    There is no way to disable this, and certainly not with your damned Windows phone.

    Verizon is directly injecting this crap into your request, on their servers, independent of what YOU do.

    Basically Verizon are acting like a bunch of greedy assholes, and setting every request you make to be something uniquely identifiable as you.

    --
    Lost at C:>. Found at C.
  8. Re:Pot meet Kettel by DarkOx · · Score: 2

    The real question is how are multiple headers interpreted for the tracking code. Is the first UID header the Verizon one or the last? What if my client inserts a random one before and after every other header, etc.? Sure, if it's the NSA or whatever then you're the guy who's got the UID header that changes with each request or the guy with multiple headers, etc. Even if lots of people do it, a weak PRNG used to generate those headers and $AGENCY might still be able to identify you.

    Advertisers, though, I am going to guess not so much. Hell, half of them are probably using web application frameworks that don't even make explicit commitments to ordering of headers in the collection their high-level code is interfacing with.

    The other thing is the system was/is designed for 1 person : 1 uid header mapping. If enough people start changing UID headers that are a per request nonce that is going to be lots and lots of entities in the key space. Just ask the big data guys how much memory and storage can get burned just on keys; hint: it's a lot. Might be able to make the entire system fall over if enough people participate.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  9. Re:Pot meet Kettel by gwjgwj · · Score: 2

    I think the GP's idea was to create a Verizon-like UID, but using other providers.

  10. Re:Report this to the FCC by Bugler412 · · Score: 2

    I've done the FCC complaint, FTC complaint, contacted a lawyer for possible civil action or even class action (not practical since you can't "prove" damage), contacted the FBI for a CFAA violation, all of it. No results at all. Voting with my wallet when the contract expires and using nothing but HTTPS and VPN otherwise until then.

  11. They have to do this due to Canada-US treaty by WillAffleckUW · · Score: 2

    Under the treaty signed for Data they have to respect the Canadian citizens' right to not be tracked, including the Canadian Constitutional Right to Privacy, even if a Canadian is in the US. Since many Canadians use border cell towers in the US, they would be liable to be sued if they did not provide some method not to be tracked.

    Once again, Canada saves American rights.

    --
    -- Tigger warning: This post may contain tiggers! --
  12. Re:Windows Phone by gstoddart · · Score: 2

    WTF does being anti or pro Microsoft have to do with the fact that the fucking headers are being rewritten by Verizon?

    I'm not blindly pro or anti Microsoft -- but let's not fucking pretend a Windows phone is a magic cure-all for something which is happening at the carrier level.

    But, hey, don't let common sense or facts stand in the way of being an idiot.

    --
    Lost at C:>. Found at C.
  13. It isn't a cookie, actually by TrollstonButterbeans · · Score: 2

    It is added to the HTTP request on the Verizon server when you use the internet.

    They add it to your internet communications, like adding a name-tag on to your luggage.

    --
    Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
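
One way to check for the in-transit request rewriting the comments above describe, as an added example that is not part of the original thread: compare the raw request a client sent with the raw request logged by an echo endpoint you control, then see which inserted headers keep the same value across requests. The host `echo.example`, the header name `X-Example-UID`, its value, and `simulate_middlebox` (a stand-in for a carrier proxy) are all constructed for illustration.

```python
from collections import Counter

def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs from a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def added_in_transit(sent: bytes, received: bytes) -> list[tuple[str, str]]:
    """Headers the server saw that the client never sent (multiset difference,
    so a duplicate of a header the client did send is still reported)."""
    extra = Counter(parse_headers(received)) - Counter(parse_headers(sent))
    return sorted(extra.elements())

def persistent_identifiers(observations) -> dict[str, str]:
    """Inserted headers whose value is identical in every observed request,
    which is the property that makes an inserted header usable for tracking."""
    stable = None
    for sent, received in observations:
        added = dict(added_in_transit(sent, received))
        if stable is None:
            stable = added
        else:
            stable = {k: v for k, v in stable.items() if added.get(k) == v}
    return stable or {}

def simulate_middlebox(raw: bytes, name: str, value: str) -> bytes:
    """Constructed stand-in for a proxy rewriting a cleartext HTTP request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head + f"\r\n{name}: {value}".encode() + sep + body

# Constructed sample traffic: what the client sent, and what the echo server logged.
SENT = [
    b"GET /a HTTP/1.1\r\nHost: echo.example\r\nUser-Agent: test\r\n\r\n",
    b"GET /b HTTP/1.1\r\nHost: echo.example\r\nUser-Agent: test\r\nDNT: 1\r\n\r\n",
]
RECEIVED = [simulate_middlebox(r, "X-Example-UID", "c29tZS1pZA") for r in SENT]

if __name__ == "__main__":
    for s, r in zip(SENT, RECEIVED):
        print(added_in_transit(s, r))
    print(persistent_identifiers(zip(SENT, RECEIVED)))
```

Running the same comparison against an HTTPS endpoint should report nothing added, since a proxy without the session keys cannot rewrite the encrypted request.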