






Verizon's Supercookies and using a VPN as Defense



In a new form of online user tracking, Verizon has confirmed that it has been uniquely
identifying its wireless users to advertisers for the last two years using so-called supercookies.



Privacy Compromised

In a process first described by privacy group Electronic Frontier Foundation, supercookies, or
perma-cookies as they’ve also been called, involve directly changing the HTTP request
between the client and the server. Verizon is the US’s most used mobile data provider
and has been rewriting the headers of all HTTP requests from non-business and government
users on its wireless network.

By injecting a custom header titled X-UIDH with a unique identifier, Verizon then allows a paid
API call to get a profile linked to that identifier. In this way websites can effectively track the
entire unencrypted browsing history for any given Verizon user.

Since the process takes place at the network level after the request has left the requesting
device, do-not-follow-me, anti-cookie software, and private browser tabs will do nothing to
combat the privacy concerns that have left many Verizon users reeling.

The primary privacy issue with this tracking technique is that every single website, not just
selected Verizon partners, can view this header without anyone knowing they are doing it. All
the data the website owners need to start building a permanent profile of a user is right there in
the HTTP request.
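To check whether a connection is affected, a user can compare the headers a device sent with the headers a server they control actually received. The sketch below is an added example, not code from the magazine or from Verizon; the function names, the `echo.example.test` host, and both byte strings are constructed for illustration, and the identifier value is a placeholder.

```python
from email.parser import BytesParser  # stdlib RFC 822-style header parser

# Header name taken from this article; compared case-insensitively.
KNOWN_TRACKING = {"x-uidh"}

def parse_request_headers(raw: bytes) -> dict:
    """Return {lowercased name: [values]} for a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0]            # drop any body
    _request_line, _, block = head.partition(b"\r\n")
    msg = BytesParser().parsebytes(block + b"\r\n\r\n", headersonly=True)
    headers = {}
    for name, value in msg.items():
        headers.setdefault(name.lower(), []).append(value)
    return headers

def diff_in_transit(sent: bytes, received: bytes) -> dict:
    """Compare what the device sent with what the server saw."""
    s, r = parse_request_headers(sent), parse_request_headers(received)
    added = {k: v for k, v in r.items() if k not in s}
    return {
        "added": added,
        "changed": {k: (s[k], r[k]) for k in s if k in r and s[k] != r[k]},
        "removed": sorted(k for k in s if k not in r),
        "tracking": sorted(k for k in added if k in KNOWN_TRACKING),
    }

# Constructed sample: the request as it left the device ...
SENT = (b"GET /echo HTTP/1.1\r\n"
        b"Host: echo.example.test\r\n"
        b"User-Agent: header-check/1.0\r\n"
        b"DNT: 1\r\n\r\n")
# ... and as a server the tester controls logged it (identifier is a placeholder).
RECEIVED = (b"GET /echo HTTP/1.1\r\n"
            b"Host: echo.example.test\r\n"
            b"User-Agent: header-check/1.0\r\n"
            b"DNT: 1\r\n"
            b"X-UIDH: CONSTRUCTED-PLACEHOLDER-ID\r\n\r\n")

if __name__ == "__main__":
    report = diff_in_transit(SENT, RECEIVED)
    print("added in transit:", report["added"])
    print("tracking headers:", report["tracking"])
```

The comparison is only meaningful over plain HTTP, since the article describes the rewriting as applying to unencrypted requests.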

In a conversation with Kashmir Hill, a writer for Forbes, the mobile giant confirmed that
the system had been running for “two years”. Given that amount of time, Senior Verizon privacy
officer Kathy Zanowic said she was “surprised” by the attention the story had got. Kashmir also
spoke to AT&T, which confirmed that it had a similar system “in testing” for “a little while”.



The Wider Moral and Legal Issues

It’s clear that more people, especially Verizon’s own customers, are now picking up on this
issue. “It’s gone relatively unremarked by the security, privacy, and broader technical
community, in part, because it’s so hard to observe,” says Jacob Hoffman-Andrews of the
Electronic Frontier Foundation.

As the debate moves from initial anger to a more analytical footing, the central question, that of the
overarching morality and legality of this new form of ISP intervention, has been raised. While it is



51 Cyber Warnings E-Magazine – November 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
