Verizon CEO Lowell McAdam

For the last two years, Verizon Wireless has been secretly tracking its customers online by adding tokens or ‘permacookies’ to web requests made over its cellular network. The data is used to build profiles of its users for advertising purposes, and it collects data even if people opt out of the program.

According to Wired.com, the tokens are called “Unique Identifier Headers” (UIHDs), and are linked to Verizon’s Relevant Mobile Advertising service. They ensure that users can be identified as they traverse the World Wide Web, allowing Verizon to build up a history of each user’s browsing habits, so it can direct targeted advertising at their mobile devices.

Predictably, Verizon has defended its use of UIDH’s, insisting they’re an important part of its advertising program. It reiterates it doesn’t use the UIDH to build up profiles of customers who opt out, though it will still collect data on them.

But this isn’t enough to satisfy Verizon’s critics. Jacob Hoffman-Andrews of the Electronic Frontier Foundation has been particularly vocal on Twitter since learning of Verizon’s UIDH tokens:

I don’t know how I missed this: Verizon is rewriting your HTTP requests to insert a permacookie? Terrible. http://t.co/MBDGZaLKNs

— Jacob H-A (@j4cob) October 22, 2014

Hoffman-Andrews said that Verizon should stop using the UIDH immediately. “ISPs are trusted connectors of users, and they shouldn’t be modifying our traffic on its way to the Internet,” he told Wired. Later on, Hoffman-Andrews did some digging and it turns out that Verizon isn’t the only carrier that collects data on its users in this fashion:

Looks like AT&T has a similar header, and I’ve heard reports about Sprint. Visit http://t.co/Y4BVGMtHcS from cell data to check.

— Jacob H-A (@j4cob) October 23, 2014

Verizon reveals a little about how its targeted advertising program works on the FAQ section of its website. There, it gives the example of a restaurant that only wants to display ads to customers located within 10 miles. We help enable these ads to mobile devices on our network,” the carrier explains.

Verizon also claims its users remain anonymous as their data is classified as “private”, but its statement that “we do not share any information that identifies you personally outside of Verizon as part of this program”, suggests that in reality, all it means is their personal data isn’t shared outside of the company itself.

The bad news is there’s no way to disable UIDH, and so even if Verizon can be trusted not to misuse your data, there’s nothing to stop others who have access to the cookies from doing so. The problem, explains Hoffman-Andrews, is the UIDH is broadcast to every site Verizon customers visit, which means other advertising networks can use the token to track them and build up a profile of their visits.

As Ryan Singel, CEO of content-recommendation firm Contextly, explained to Ars Technica, “All that’s needed is for one site that has your e-mail address or name to match that” to the UIDH. Once it’s done that, it can sell your information to anyone it chooses, without your consent.

Security research Kenneth White has since set up a website for people to use to check if their mobile devices are transmitting a UIDH token. Unfortunately there are few options for those who are being tracked, other than to “use HTTPS wherever possible” or use a trusted VPN or proxy server such as the Tor network.

photo credit: tj.blackwell via photopin cc