EVIL: Perma-Cookies and Your Privacy
Verizon has quietly developed a way to track its mobile data customers’ web activity and the use of certain apps, and sell that private information to advertisers. It’s done without customers’ consent and there’s no way to turn it off. Are you mad yet? Read on!
What's a Perma-Cookie?
Are you concerned about your online privacy? Dutifully deleting your cookies, surfing surreptitiously, and expeditiously encrypting your web sessions? Well, none of that will protect you from what's being called supercookies or perma-cookies, an insidious online behavior-tracking technique developed by Verizon.
Without getting too geeky, it's like browser cookies on steroids. Except those cookies have some basic security constraints built in. But not perma-cookies, which appear to be designed to circumvent all forms of privacy protection built into web browsers.
The perma-cookie is sent to every website you visit, whether they ask for it or not. So any third party can use Verizon’s tracking trick to build dossiers on Verizon data service users, instantly replace deleted tracking cookies, and pull end-runs around other browser-based security features. They don’t even need to buy anything from Verizon.
And the plague is spreading. “Thanks, Verizon!” says AT&T, which is busily testing its own mobile-targeting service based upon Verizon’s tracking trick. I’ve been watching this tale unfold over the past few days, sitting here shaking my head in dismayed disbelief as more details and their implications arise. “No. NO! They DIDN’T!” But they did. Thanks, Verizon. You can get lots of techy details and analysis from the EFF website if you wish to dig deeper.
Verizon is not noted for respecting its customers’ privacy. The ISP ignores the “do not track” anti-cookie request that can be enabled in every Web browser. The customized versions of iOS and Android that run on Verizon phones likewise ignore the limits those operating systems place on the sharing of data between apps running on the same phone. So a rogue app on your phone may eavesdrop on other apps to learn where you are, when you log in at your bank, how fast your heart is beating, what destination you are requesting directions to, and lots more. Thanks, Verizon.
But now Verizon has jumped the shark. It not only enabled itself to pillage customers’ privacy for profit; it gave the unprecedented gift of mobile user tracking to the whole universe of online marketers, government snoops, scammers, stalkers, terrorists, aliens, etc., for free. Thanks, Verizon.
OK, maybe not the aliens, who are reputed to have more highly evolved ethics than we Earthlings. But all those other guys, yes.
How It’s Done and Why You Can’t Stop It
When your device sends an HTTP request through Verizon’s mobile data service, Verizon adds to it a string of characters in a hidden part of the HTTP request called a X-UIDH header. Verizon does nothing on your computing device, so there’s nothing there for you to control in order to defeat Verizon’s tracking. Using private browsing or incognito mode won't foil this technique, either. All of the skullduggery takes place on Verizon’s data network where you can’t even see it’s happening without help from tools like Sniff or Am I Being Tracked?
That X-UIDH header string identifies the owner of the Verizon data account being used, not just the device that’s sending the HTTP request. So for the first time, it’s possible to tie together all of a person’s devices - phone, tablet, desktop PC or laptop if they’re using Verizon data service – and form a much more comprehensive dossier on the person.
Needless to say, marketers are “interested” in Verizon’s little trick. Because users often are switching from one device to another, it makes tracking of an increasingly mobile prey population difficult. Now advertisers are crying, “Shut up and take my money!” Demand for this highly valuable capability will spur creation of apps that use it and proliferation of online sites and services that take advantage of it. Pandora’s box is open, upside down, and being shaken out.
Any server that receives an HTTP request containing X-UIDH header info can read it; there is no encryption or any other security on the header info. There are no checks or balances on who can use the X-UIDH header info for what purpose. It’s as if some mad geek published step-by-step instructions for genetically engineering Ebola virus from kitchen counter bacteria using common household products. (Hopefully by the time you read this, that's still in the realm of fiction.
Verizon’s False Reassurances
Relax, says Verizon; we only sell aggregated data, not individually identifiable activity. That’s beside the point, even if I believed it. They've also offered an opt-out tool, which stops them from selling your data, but it doesn't stop the injection of the X-UIDH header into every web page request you make. So it's useless, really.
“But they can’t get useful amounts of data because we change the X-UIDH header info every few days,” says Verizon disingenuously. Here’s how that works out: Suppose I have identifier A and Verizon changes it to B. Someone’s server notes that there’s a “new” Verizon user, “B.” But look! He has the same apps on his phone as user “A;” the same desktop browser extensions; and like user “A” he visits a certain website every workday morning to check the weather, or a bus schedule. Let’s assume that user “A” and “B” are the same person. And they got me!
As I mentioned already, deleting browser cookies and the use of incognito mode won't help. Encryption (using HTTPS instead of HTTP) does, but websites and apps can force HTTP requests, to give unencrypted connections even if the user has requested a secured connection. Who looks for the telltale padlock icon or “httpS” in a URL, anyway? Right now, the only sure way to avoid this perma-cookie tracking is to use a VPN on your mobile device. But the free ones are slow, and you never know if you can trust them any more than Verizon or AT&T.
This has to stop. The Electronic Frontier Foundation says that Verizon has been playing this game for two years, and is rallying the political process to prohibit or at least limit this sort of thing. Whatever comes of that will come slowly and it will be watered down from a privacy-protection standpoint. It may help to sign a petition urging the Federal Communications Commision and the Federal Trade Commission to take action.
But there’s another counterattack under way that actually has the ISP-advertiser community sweating. Google is championing a new Internet standard that would enable users to disable the X-UIDH exploit. Enacting a new global Internet standard happens about as fast as a multi-gigabyte download over dialup, in most cases. But it may be humanity’s best hope to exterminate this new privacy plague.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 11 Nov 2014
|For Fun: Buy Bob a Snickers.|
Is There an Echo in Here?
The Top Twenty
Geekly Update - 12 November 2014
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- EVIL: Perma-Cookies and Your Privacy (Posted: 11 Nov 2014)
Copyright © 2005 - Bob Rankin - All Rights Reserved