Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fixing Verizon's Supercookie

Posted by Soulskill on from the c-is-for-cookie,-cookie-is-for-whoever-verizon-says dept.

New submitter ferro lad sends a story about Verizon's so-called supercookie, a unique identifier they add to web traffic going across their network to help advertisers target their ads better. A new article at Slate demonstrates how Verizon could fix the identifier so that ad companies would have a harder time misusing it — something they've already been shown to do. "...with just a tiny amount of effort, Verizon could maintain its current business while substantially preventing the misuse of its UID headers." Of course, for privacy-conscious users, the ability to get rid of them altogether would be preferable. Fortunately, Verizon now says users will soon have the ability to opt out of the identifiers. Previously, users could opt out of having their data shared with advertisers, but the unique identifier itself remained with their web traffic. It's not a complete solution — the tracking should be opt-in to begin with — but it's a step in the right direction.

8 of 111 comments (clear)

  1. more reason for https as default for all sites by MarkH · · Score: 5, Interesting

    Adding cookie headers into isp traffic only possible for http. If ISP terminating https traffic that is a bit GCHQ/NRA level.

  2. Opting out... by QuietLagoon · · Score: 4, Funny

    ... Fortunately, Verizon now says users will soon have the ability to opt out of the identifiers....

    Yeah, you'll probably need to keep an opt-out cookie on your device in order to opt-out.

  3. VPN. by Guspaz · · Score: 4, Insightful

    Spend $5 or $10 a month on a VPN or a VPS and encrypt all your web traffic. As soon as your ISP is actively inspecting and modifying your traffic, it can't be trusted.

    You shouldn't have to do this, true, but it's a solution to the present problem.

    1. Re:VPN. by Archangel+Michael · · Score: 4, Insightful

      The NSA has a budget somewhere on the order of 40-80 billion dollars per year. No normal individual can stand up to that level of attack.

      Nor should they. The government should be protecting citizen's rights, not invading them. But that is what you get when you keep voting for Republicrats.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  4. A good Net Neutrality thing for law by MerlynEmrys67 · · Score: 4, Insightful

    I don't care that you traffic shape my traffic -> But it is immoral and should be illegal to change it. Why do we allow ISPs like this to change the traffic flowing through their systems to the destination.
    I am not talking about adding an MPLS tag that gets inserted on insertion into the provider and stripped before it leaves the other side, I am talking adjusting my traffic to add content to the L4+ content. The ISP should only adjust things at L3 and below. Everything above that should never be touched (Ok - Large scale NAT I can live with - Lets move that to L5+)

    --
    I have mod points and I am not afraid to use them
  5. Re:Windows Phone by Bugler412 · · Score: 4, Informative

    nope, that only disables the advertising ID in the phone used by apps as an identifier. Does nothing for the "supercookie" that Verizon inserts into the traffic, much like a man in the middle attack, at the network level. Easily and personally verified.

  6. Re:Windows Phone by gstoddart · · Score: 4, Informative

    Are you clueless or something?

    Verizon's controversial technology basically involves attaching tracking numbers whenever customers view Web pages. Generally, to visit a Web page, my computer (or phone, tablet, etc.) sends a request message to the website with that page. Think of this like a very (very!) fast version of sending a letter through the mail, requesting some information.

    Now imagine if the Postal Service assigned an identification number to me, and every time I sent one of those letters, a postal worker opened up the envelope and stamped the ID number inside. That is more or less what Verizon has been doing: Every time a Verizon Wireless customer requests a Web page, Verizon rewrites the request in transit to include a tracking number identifying the customer.

    There is no way to disable this, and certainly not with your damned Windows phone.

    Verizon is directly injecting this crap into your request, on their servers, independent of what YOU do.

    Basically Verizon are acting like a bunch of greedy assholes, and setting every request you make to be something uniquely identifiable as you.

    --
    Lost at C:>. Found at C.
  7. Re:On tracking by mcrbids · · Score: 4, Insightful

    Your traffic is always being tracked by cookies, government spies, whatever.

    Please stop with the "sky is falling" routine - it only makes the problem worse and the stakes are too high to just throw your hands up in the air and give up in blissful ignorance.

    Even https exists to serve this purpose. Certificates are just another cookie.

    I suspect that, at a basic level, you have a fundamental misunderstanding as to what a "certificate" is and does.

    1) A cookie is an identifier that allows you to tie numerous http(s) sessions together by domain. It can thus be used to track you by having many sites contain images or content from a common domain. (EG: doubleclick.com)

    2) A certificate is used to negotiate a private session with a single domain. It's provided by the server and validated by the client to set up an encrypted connection. It allows you, the user, to verify that you are connected with the correct domain and *not* a nefarious person. The use of HTTPS and certificates foils the Verizon "supercookie" as they have no meaningful way to pierce the encryption provided between you and, say, Google.com.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.