It emerged last week that the cellular provider has been adding a unique identifier to its cell phone customers’ web traffic – the identifier can be used to track a user’s actions in exactly the same way as a cookie can but, unlike a cookie, it can’t be deleted.
An HTTP header containing a device-specific ID is tacked onto outgoing web traffic as it passes through Verizon’s network, after it has left their users’ phones and before it hits the internet.
The identifier is part of Verizon’s Relevant Mobile Advertising program but, as annoying as targeted ads can be, that’s not the reason I’m writing about it.
The problem with the identifier is a side-effect – the fact that it is sent to every website you visit, always. Even if you opt out of Relevant Mobile Advertising that pesky HTTP header gets added to every request that leaves your phone.
The ID itself doesn’t contain any useful information but it can be used to determine that different requests for web pages, images and other files have come from the same device.
And that’s exactly what you need if you want to track somebody online.
And unlike the cookies, Flash Cookies, Web Storage or ETags that are normally used for tracking you can’t hide yourself by deleting it.
If you have taken steps to protect your privacy by using private browsing or by blocking or regularly deleting cookies then Verizon has unintentionally undone your good work and gifted every website you visit a hook to hang its tracking on.
The flaw was first noticed by a Jacob Hoffman-Andrews from the Electronic Frontier Foundation (EFF) who announced it with this Twitter equivalent of a ‘face-palm’:
I don’t know how I missed this: Verizon is rewriting your HTTP requests to insert a permacookie? Terrible.
The tweet links to an article on the Advertising Age website that explains how Verizon’s advertising model works. Completely unintentionally, it nails the privacy problem too with this description:
It’s a cookie alternative for a marketing space vexed by the absence of cookies.
Yes it is.
Since then Hoffman-Andrews’s has suggested that Verizon isn’t alone in fiddling with their customers’ traffic.
Looks like AT&T has a similar header, and I’ve heard reports about Sprint. Visit scooterlabs.com/echo from cell data to check.
It wouldn’t be a surprise to learn that others are doing this – they certainly wouldn’t be the first. In January 2012 mobile carrier O2 were caught adding uniquely identifiable HTTP headers to their customers’ outgoing web traffic.
Only in O2‘s case it wasn’t just a long, meaningless strings that were being used as IDs – it was customers’ own phone numbers.
What Verizon has done is far from the worst thing that’s happened on the internet but it is, at best, a careless snub to any of their customers who take steps to manage their online privacy.
So, if you’re one of the 120 million customers who might be affected by this, what can you do to put your privacy choices back in your own hands?
Because the header is tacked on to HTTP requests that have already left your phone there are no apps or browser add-ons you can install on your phone that will remove it.
However it can’t be added in the first place if you connect to the internet using a Virtual Private Network or Wi-Fi, or if you use the cell network but only browse websites that are available over HTTPS.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.