EVIL: Perma-Cookies and Your Privacy

Category: Privacy

Verizon has quietly developed a way to track its mobile data customers’ web activity and the use of certain apps, and sell that private information to advertisers. It’s done without customers’ consent and there’s no way to turn it off. Are you mad yet? Read on!

What's a Perma-Cookie?

Are you concerned about your online privacy? Dutifully deleting your cookies, surfing surreptitiously, and expeditiously encrypting your web sessions? Well, none of that will protect you from what's being called supercookies or perma-cookies, an insidious online behavior-tracking technique developed by Verizon.

Without getting too geeky, it's like browser cookies on steroids. Except that ordinary cookies come with some basic security constraints built in, and perma-cookies don't: they appear to be designed to circumvent every form of privacy protection built into web browsers.

The perma-cookie is sent to every website you visit, whether they ask for it or not. So any third party can use Verizon’s tracking trick to build dossiers on Verizon data service users, instantly replace deleted tracking cookies, and pull end-runs around other browser-based security features. They don’t even need to buy anything from Verizon.

And the plague is spreading. “Thanks, Verizon!” says AT&T, which is busily testing its own mobile-targeting service based upon Verizon’s tracking trick. I’ve been watching this tale unfold over the past few days, sitting here shaking my head in dismayed disbelief as more details and their implications arise. “No. NO! They DIDN’T!” But they did. Thanks, Verizon. You can get lots of techy details and analysis from the EFF website if you wish to dig deeper.

Verizon is not noted for respecting its customers’ privacy. The ISP ignores the “do not track” anti-cookie request that can be enabled in every Web browser. The customized versions of iOS and Android that run on Verizon phones likewise ignore the limits those operating systems place on the sharing of data between apps running on the same phone. So a rogue app on your phone may eavesdrop on other apps to learn where you are, when you log in at your bank, how fast your heart is beating, what destination you are requesting directions to, and lots more. Thanks, Verizon.

But now Verizon has jumped the shark. It not only enabled itself to pillage customers’ privacy for profit; it gave the unprecedented gift of mobile user tracking to the whole universe of online marketers, government snoops, scammers, stalkers, terrorists, aliens, etc., for free. Thanks, Verizon.

OK, maybe not the aliens, who are reputed to have more highly evolved ethics than we Earthlings. But all those other guys, yes.

How It’s Done and Why You Can’t Stop It

When your device sends an HTTP request through Verizon’s mobile data service, Verizon adds to it a string of characters in a hidden part of the HTTP request called the X-UIDH header. Verizon does nothing on your computing device, so there’s nothing there for you to control in order to defeat Verizon’s tracking. Using private browsing or incognito mode won't foil this technique, either. All of the skullduggery takes place on Verizon’s data network, where you can’t even see it happening without help from tools like Sniff or Am I Being Tracked?

That X-UIDH header string identifies the owner of the Verizon data account being used, not just the device that’s sending the HTTP request. So for the first time, it’s possible to tie together all of a person’s devices (phone, tablet, desktop PC or laptop, so long as they’re using Verizon data service) and form a much more comprehensive dossier on the person.

Needless to say, marketers are “interested” in Verizon’s little trick. Because users often switch from one device to another, tracking an increasingly mobile prey population has been difficult. Now advertisers are crying, “Shut up and take my money!” Demand for this highly valuable capability will spur creation of apps that use it and proliferation of online sites and services that take advantage of it. Pandora’s box is open, upside down, and being shaken out.

Any server that receives an HTTP request containing the X-UIDH header can read it; there is no encryption or any other security on the header info. There are no checks or balances on who can use the X-UIDH header info, or for what purpose. It’s as if some mad geek published step-by-step instructions for genetically engineering Ebola virus from kitchen counter bacteria using common household products. (Hopefully, by the time you read this, that's still in the realm of fiction.)
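As an added example (not code from the article, from Verizon, or from the Am I Being Tracked? site), here is a small Python check in the spirit of that test page. It parses a raw HTTP/1.1 request, reports any X-UIDH header it finds (plus any Via header, since that is where a proxy announces itself), and can also run as a tiny local endpoint that echoes back what it sees, so you can point a phone on mobile data at it and look. The sample request and its X-UIDH value are constructed for the demonstration, not captured traffic.

```python
"""Detect carrier-injected tracking headers (such as X-UIDH) in an inbound
HTTP request.  Added example; it is not code from the article or from Verizon."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names known to be injected by a carrier proxy.  Only X-UIDH is taken
# from the article; header names are compared case-insensitively.
TRACKING_HEADERS = {
    "x-uidh": "Verizon Unique Identifier Header, added by the carrier network",
}


def parse_raw_request(raw: str) -> dict:
    """Parse the request line and headers of a raw HTTP/1.1 request text.

    Header names are lower-cased because HTTP header names are case-insensitive.
    Returns a dict with 'method', 'path', 'version' and 'headers'.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def find_tracking_headers(headers: dict) -> list:
    """Return (name, value, reason) for each header that looks network-injected.

    Exact matches against TRACKING_HEADERS are reported.  A Via header is also
    reported, because a proxy that adds identifiers usually names itself there.
    """
    hits = []
    for name, value in headers.items():
        if name in TRACKING_HEADERS:
            hits.append((name, value, TRACKING_HEADERS[name]))
        elif name == "via":
            hits.append((name, value, "request passed through a proxy that identified itself"))
    return hits


def is_tracked(raw: str) -> bool:
    """True when a raw request carries at least one suspicious header."""
    return bool(find_tracking_headers(parse_raw_request(raw)["headers"]))


class TrackingCheckHandler(BaseHTTPRequestHandler):
    """Minimal 'am I being tracked?' endpoint: echoes any suspicious headers."""

    def do_GET(self):
        headers = {name.lower(): value for name, value in self.headers.items()}
        hits = find_tracking_headers(headers)
        body = json.dumps({"tracked": bool(hits), "headers": hits}, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample requests (not captures); the X-UIDH value is invented.
TRACKED_REQUEST = (
    "GET /weather HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    "X-UIDH: EXAMPLEtokenValue0123456789\r\n"
    "\r\n"
)
CLEAN_REQUEST = (
    "GET /weather HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    "\r\n"
)


def check_samples() -> dict:
    """Run the detector over both constructed samples."""
    return {"tracked": is_tracked(TRACKED_REQUEST), "clean": is_tracked(CLEAN_REQUEST)}


if __name__ == "__main__":
    print(check_samples())
    # To use it live, run the server and visit http://<this-host>:8080/ from a
    # phone on mobile data (plain HTTP, since the injection happens in the clear):
    # HTTPServer(("0.0.0.0", 8080), TrackingCheckHandler).serve_forever()
```

The endpoint is deliberately plain HTTP: that is the only kind of connection a carrier proxy can rewrite, which is also why the article's advice about HTTPS works. Over TLS the proxy sees only ciphertext and cannot add headers, so a request to the same check over HTTPS should come back with `"tracked": false` even from a line that shows the header over HTTP.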

Verizon’s False Reassurances

Relax, says Verizon; we only sell aggregated data, not individually identifiable activity. That’s beside the point, even if I believed it. They've also offered an opt-out tool, which stops them from selling your data, but it doesn't stop the injection of the X-UIDH header into every web page request you make. So it's useless, really.

“But they can’t get useful amounts of data because we change the X-UIDH header info every few days,” says Verizon disingenuously. Here’s how that works out: Suppose I have identifier A and Verizon changes it to B. Someone’s server notes that there’s a “new” Verizon user, “B.” But look! He has the same apps on his phone as user “A”; the same desktop browser extensions; and like user “A” he visits a certain website every workday morning to check the weather, or a bus schedule. Let’s assume that users “A” and “B” are the same person. And they got me!

As I mentioned already, deleting browser cookies and using incognito mode won't help. Encryption (using HTTPS instead of HTTP) does, but websites and apps can force HTTP requests, producing unencrypted connections even when the user asked for a secured one. Who looks for the telltale padlock icon or “httpS” in a URL, anyway? Right now, the only sure way to avoid this perma-cookie tracking is to use a VPN on your mobile device. But the free ones are slow, and you never know if you can trust them any more than Verizon or AT&T.

This has to stop. The Electronic Frontier Foundation says that Verizon has been playing this game for two years, and is rallying the political process to prohibit or at least limit this sort of thing. Whatever comes of that will come slowly, and it will be watered down from a privacy-protection standpoint. It may help to sign a petition urging the Federal Communications Commission and the Federal Trade Commission to take action.

But there’s another counterattack under way that actually has the ISP-advertiser community sweating. Google is championing a new Internet standard that would enable users to disable the X-UIDH exploit. Enacting a new global Internet standard happens about as fast as a multi-gigabyte download over dialup, in most cases. But it may be humanity’s best hope to exterminate this new privacy plague.

Your thoughts on this topic are welcome. Post your comment or question below...

This article was posted on 11 Nov 2014
Most recent comments on "EVIL: Perma-Cookies and Your Privacy"

Posted by:

Chick
11 Nov 2014

Hi Bob
I don't remember which site did it, but didn't there used to be a few sites you could set your browser to go through other than your primary ISP's server? Would using one of those sites, just like DuckDuckGo, help prevent perma-cookie tracking?

EDITOR'S NOTE: Changing your DNS won't help.


Posted by:

Wm. Cerniuk
11 Nov 2014

Unfortunately the links shown do not detail the tracking properly. While the carrier like AT&T or Verizon may not be collecting the permacookie (UIDH) information, the web site you go to can easily use it regardless because the UIDH is still there.

For a real test and to see what your UIDH is (the unique identifier) go to this link (expands to a Berkeley University link):

http://bitly.com/permacookiecheck

and note the last line you see in your browser. If you are being tracked on your cellular data plan connection by your provider, you will see an extra "header" that has some gobbledygook like this:

Header: Via: HTTP/1.1 artnz43krd6ts55.wnsnet.attws.com

The artnz43krd6ts55 part is unique to your data connection and will be presented to every web site you visit, and represented each time you visit. Permacookie nothing, it is the STD (surreptitiously transmitted determinant) of the internet.


Posted by:

David
11 Nov 2014

If you do not access the internet via your cell phone is this still a way they can track you?


Posted by:

Leo McCarron
11 Nov 2014

Well, as a Canadian I could say "wow, I am glad that is not us," but it does make me wonder if our big 3 service providers are either looking at this or have it already in place and no one knows about it.... Yet. Time will tell.


Posted by:

Heather
11 Nov 2014

My question is, are they doing this to their DSL and FIOS internet customers?

EDITOR'S NOTE: Not that I have seen or heard.


Posted by:

Dave Roche
11 Nov 2014

Ultimately to defeat Internet bugs, cookies and viruses, all operating systems will have to have the option of surfing in RAM, thus minimizing any potential threats leaking into the main hard drive OS.

Secondly, if you have a Windows desktop then the HyperOS system does allow you to partition a section on your hard drive for Internet use only. If the delegated internet version of Windows becomes infected, then the system allows you to drag a backup copy over the affected one and within minutes you are back in business, all this without compromising your main operating system.


Posted by:

DGK
11 Nov 2014

This could bring online business to a screeching halt. How can online financial transactions coexist with capabilities like this?


Posted by:

Rochelle
11 Nov 2014

Dave Roche--
Are you talking about sandboxing?


Posted by:

Kerry
11 Nov 2014

So, should I get rid of my bank app on my VZW phone? How about sites like Amazon, QVC, HSN?


Posted by:

Daniel
11 Nov 2014

This is one of those things we knew was inevitable because there are just too many people out there who have NO integrity.

I am intrigued by the comment Dave Roche made. Would the HyperOS system work? How about a SandBox setup?


Posted by:

Doc
11 Nov 2014

!!!!![redacted expletives]!!!! YIKES!
Thanks for the warning and petition link. During the Ruth Ginsburg hearings they asked her if she felt that we had a right to privacy, she said something to the effect of "F-ing A yeah!" only she used a lot more fancy words. That was around 1993 I think. Just over 20 years ago. Whoda thunk how prophetic the question was, or how Right a Left person can be? Sigh, SCREAM!


Posted by:

John Silberman
12 Nov 2014

All the more reason to subscribe to a VPN service like PrivateInternetAccess. The next article should be on the several VPN services that are starting up and how some ISPs and web sites like Hulu are fighting back.


Posted by:

top squirrel
12 Nov 2014

How about this:
You get internet service through a normal non-Verizon route -- whether cable or wireless -- and cell phone service via a "dumb phone" that only makes and receives calls; no internet access.
You can call it the Luddite Solution.
Any problem with it working?


Posted by:

Dave
14 Nov 2014

What is worrying me is that the next step could be Internet Service Providers using this feature for normal desktop internet connections. I hope there are so many ISPs out there that it would be a marketing disaster for those that adopted the system.


Posted by:

Mike
14 Nov 2014

Trying to figure out a workaround and complaining doesn't get anything accomplished, overall.

Verizon subscribers should start a class action suit (any lawyers who use Verizon out there?) with regard to personally identifiable information being spread willy-nilly throughout the internet by the service provider. Others should join in as they find that their service provider is doing the same as Verizon.

While that process is slowly grinding along, contact the FCC and your representatives and tell them to make the practice illegal. Do this on a personal basis. Although signing petitions is OK, I think you'll find that 100 people contacting someone has a lot more influence than 100 names on a petition...

At the same time, provide this article to as many people as you can, to make the disgruntled base as large as possible. That will help with the class action suit AND with convincing those who make the rules to make it illegal.


Posted by:

Devin
17 Nov 2014

For those of you worried about the Desktop side of things, just remember you can run, but you can't hide!

https://nakedsecurity.sophos.com/2014/07/28/panopticlick-reveals-the-cookie-you-cant-delete/


Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- EVIL: Perma-Cookies and Your Privacy (Posted: 11 Nov 2014)
Source: http://askbobrankin.com/evil_permacookies_and_your_privacy.html