Verizon Wireless has kicked up something of a privacy scandal in recent days over how it tampers with users’ web traffic sent via the company’s wireless network. Hoping to cash in on lucrative advertising dollars from mobile devices, Verizon inserts a unique string of letters and numbers into individual users’ HTTP requests that can be used to identify a specific device.
These strings, called a Unique Identifier Header (UIDH), are inserted into almost every web request a Verizon user makes on the company’s network, security researchers say. The UIDH is supposed to be used for Verizon’s advertising program. The carrier also told Wired it doesn’t use the UIDH to create profiles of its customers.
But since the UIDH is bundled into every plain text web request a user makes, the strings are public and can thus be used as tracking beacons by anyone who knows to look for them.
Why this matters: Dealing with browser cookies, the most common way to track users online, is one thing. But those little text files stored in your browser can be deleted or blocked. Verizon’s UIDH scheme is much harder to deal with or even discover, because the company inserts the UIDH into your web request at the network level. “ISPs are trusted connectors of users and they shouldn’t be modifying our traffic on its way to the Internet,” Jacob Hoffman-Andrews, a senior staff technologist with the Electronic Frontier Foundation, told Wired.
The tracking problem
Imagine an ad network discovered the existence of these UIDHs. The company could start recording them across multiple websites that show its ads. Pretty soon, the ad network could build a profile about users based on this information.
“Any website can easily track a user,” Jonathan Mayer, a computer scientist and lawyer at Stanford, said in a recent blog post regarding UIDHs. “Regardless of cookie blocking and other privacy protections. No relationship with Verizon is required.”
Verizon told Wired that users can opt out of having their device tracked as part of the company’s advertising scheme. However, even if you opt out, it appears Verizon will still insert a UIDH into your web traffic, rendering the opt-out pointless.
It’s not clear how long a specific UIDH lasts, but it seems the unique string persists for at least several days, perhaps even a week. We’ve asked Verizon for comment and will update this post should the company respond.
If you don’t like the idea of Verizon tracking you, there are a few things you can do. First, you can avoid using Verizon’s wireless network and just use your phone’s Internet capabilities when connected to Wi-Fi.
But that is probably not very realistic. A second option is to turn to encryption, such as using SSL (HTTPS) for sites you visit or connecting to the Internet through a virtual private network. These measures will block Verizon’s ability to insert a UIDH into your web traffic.
Verizon customers can test whether their HTTP requests include UIDHs by visiting lessonslearned.org/sniff.
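The kind of check such a test relies on, shown here as an added example (not code from the article, Verizon, or the test site): compare the headers a client sent with the headers a server you control received, and flag anything added in transit. The header name X-UIDH is the one publicly reported for Verizon’s UIDH and is not given in this article; the echo-server setup and all sample requests are constructed.

```python
# Added example, not from the article. Assumption: "X-UIDH" is the header name
# publicly reported for Verizon's UIDH; the article does not name it.
KNOWN_TRACKING_HEADERS = {"x-uidh"}

def parse_headers(raw):
    """Return {lower-cased name: [values]} from a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue                               # skip malformed lines
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers

def injected_headers(sent, received):
    """Header values the server saw that the client never sent."""
    sent_h, recv_h = parse_headers(sent), parse_headers(received)
    extra = {}
    for name, values in recv_h.items():
        added = [v for v in values if v not in sent_h.get(name, [])]
        if added:
            extra[name] = added
    return extra

def report(sent, received):
    """Summarise all added headers and the subset known to be tracking IDs."""
    extra = injected_headers(sent, received)
    return {"injected": sorted(extra),
            "tracking": sorted(set(extra) & KNOWN_TRACKING_HEADERS)}

# Constructed sample data (not captured traffic).
SENT = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
        b"User-Agent: demo-client\r\nAccept: */*\r\n\r\n")
# What an echo server might see over plain HTTP on an affected network.
RECEIVED_HTTP = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
                 b"User-Agent: demo-client\r\nAccept: */*\r\n"
                 b"X-UIDH: CONSTRUCTED-PLACEHOLDER-VALUE\r\n\r\n")
# Over HTTPS or a VPN the request arrives as sent.
RECEIVED_TLS = SENT

if __name__ == "__main__":
    print("plain HTTP:", report(SENT, RECEIVED_HTTP))
    print("HTTPS/VPN: ", report(SENT, RECEIVED_TLS))
```

Ordinary proxies also add headers of their own, so the "injected" list is a starting point for review; only the "tracking" list reflects a known identifier header.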