Verizon Wireless "perma-cookies" deserve a very frosty response

Martyn Warwick
By Martyn Warwick

Oct 29, 2014

via Flickr © garlandcannon (CC BY-SA 2.0)

via Flickr © garlandcannon (CC BY-SA 2.0)

Over in the Land of the Free, it has just been discovered that over the past two years Verizon Wireless has been stealthily and slowly subverting subscriber "do not track" requests by constructing and inserting a 50 character, number and letter string into the communications flowing between mobile users and the websites they visit and browse.

Verizon has some 125 million subscribers in the US and the sneaky and snaky introduction of what the company disingenuously calls its "Unique Identifier Header" (UIDH), but is, in reality, a serial number unique to each subscriber, actually permits advertisers to identify people and bombard them with advertising.

It also, of course, drives a coach and horses through the entire concept of "do not track" features that mobile subscribers use to prevent their identities being used and exposed for ruthless and endless advertising (and other) purposes by third parties.

The UIDH "perma-cookie" is just that, permanent. It is always there, always waiting to be read by any web server that a Verizon Wireless subscriber might ever visit and be used to build a profile of that individual's Internet browsing and transaction habits.

Verizon Wireless, along with other US mobile operators, has long been vocally up-front about its determination to become a major player in the lucrative mobile advertising space, what it has not been so shouty and honest about is the ways in which it subverts mobile technology to meet its own pecuniary ends, ends which are evidently inimical to what subscribers actually want - or even know about.

The fact that it has taken two full years for the story to break is prima facie evidence that Verizon Wireless wanted the mechanics of its "perma-cookie" programme to remain secret for as long as possible.

Now though the secret is out. A Verizon mouthpiece, one Debra Lewis, admits that the UIDH exists but maintains that it is not used to build customer profiles for targeted advertising. She doesn't say what it is used for though and also admits that it can't be turned off - or at least that it can't be turned off permanently.

The pipe, the whole pipe and nothing but the pipe

She says that subscribers can "opt-out" (not "opt-in", you'll note) of Verizon's mobile advertising "program" by logging-on to their Verizon account and going through the lengthy and deliberately complex process of the opt-out procedure. However, doing this once may well not be enough to disable the feature for ever.

Like others, Facebook being a notable case in point, opting-out of various privacy intrusions is all very well but cynical, money-grubbing operators and websites deliberately change options every few weeks weeks or months and that defaults all customers back to where they were in the first place and where the operators and advertisers want them - over the barrel and the more easily exploited.

Jacob Hoffman-Andrews of the Electronic Frontier Foundation (EFF) says "ISPs are trusted connectors of users and they shouldn’t be modifying traffic on its way to the Internet." It is high time user and consumer groups begin to agitate for service to be providers to be just that - the pipe, the whole pipe and nothing but the pipe.

Opt-outs are, generally, cookie-based so even if savvy subscribers use cookie-cleaning software or simply manually delete cookies from their browser, they will have shot themselves in the foot by simultaneously, and frequently unknowingly, removing the opt-out itself. It's a rottenand biased system and keeping up with the sneakiness of it all requires dedication and determination - and the operators know that the majority of users will either forget or give up. Inertia rules as far as most subscribers are concerned.

Verizon's underhand strategy was actually rumbled by a member of the EFF who was experimenting with web traffic configurations to make a comprehensive list of all headers that are being used. He found that Verizon Wireless subscriber data had a a suspicious extra string to it. As Jacob Hoffman-Andrews says, “It had all gone relatively unremarked by the security, privacy, and broader technical community, partly because it is so hard to observe.” Of course it is, it was designed like that.

And, of course, once the can of worms was opened, others nastinesses slid into the light of day. The EFF is now investigating whether AT&T and other service providers are doing the same as Verizon Wireless. Anybody like to make a small side bet that they aren't? No, I thought not. We'll soon find out.

The fact is that the attitude of service providers, advertisers and business is to mine everywhere all the time to discover as much as they can about millions upon millions of private individuals and they will subvert privacy safeguards whenever and wherever that can in their relentless quest to get more data to help them squeeze more money out of people.

In the second decade of the 21st Century, the concept of electronic freedom is fast becoming civil rights matter that will only properly be dealt with via national legislation or even an amendment to the Constitution of the United States.  But don't hold your breath for that one.

Email Newsletters

Sign up to receive TelecomTV's top news and videos, plus exclusive subscriber-only content direct to your inbox.