Spying for ads: Verizon’s undeletable ‘supercookies’ track users’ web activities

4 Nov, 2014 11:19

The profits made by Google and Facebook from trading users’ choices and habits to ad companies are prompting other communication giants, such as Verizon, to collect data on their customers, mostly without their knowledge.

Verizon Wireless has been actively implementing its new advertising program called Precision Market Insights (reportedly started in 2012), which tracks web activities of approximately 106 million Verizon customers when they are web surfing from portable devices, the Electronic Frontier Foundation reports.

The tracker registers which sites people visit and how much time they spend there, and even which apps they use on their smartphones and how.

Most interesting is the way Verizon collects the valuable data: by forcibly installing “perma-cookies” that track people’s activities on the web on personal devices, reports Wired. And since the header gets injected at the network level, any device could be infected, even if it belongs to those who have never been Verizon customers.

The tracker, called X-UIDH, is injected into the device’s traffic in an HTTP header, which is then sent to every unencrypted website a Verizon customer visits from his smartphone or media tablet. These ‘supercookies’ allow advertising companies that pay for the Verizon service to put together a comprehensive dossier on every web surfer’s browsing habits - without Verizon customers’ knowledge.

The cookie was identified as the X-UIDH header. It remains invisible to the user and cannot be disabled or changed via browser settings. The X-UIDH header bypasses built-in browser privacy mechanisms, ignoring such modes as Do Not Track, Incognito, Private Browsing or Limit Ad Tracking settings in both iOS and Android.

Also, Verizon ‘supercookies’ can’t be turned off, so no web browser privacy mode or clearing cookies will help you to get rid of them. That means that even when cookies are cleared out of a device, the intact X-UIDH with the known profile of a user gives an ad company a chance to quickly restore the necessary cookies on a user’s device and continue to ‘guide’ his requests for goods and services.

Because X-UIDH is shared with all unencrypted sites visited by Verizon customers, it gives advertisers more data than cookies alone provide. On top of that, X-UIDH is inserted into the traffic of all mobile apps that send HTTP requests, thus correlating users' behavior on the web and in apps.

However, according to AdAge: “Corporate and government subscribers are excluded from the new marketing solution.”

Verizon maintains that third parties that are not members of Verizon’s Precision Market Insights advertising program cannot use the supercookie to track Verizon customers.

“The way it’s built, it wouldn’t be able to be used for that,” company spokeswoman Adria Tomaszewski said.

But web security specialists warn that “de-anonymizing” a user has become commonplace these days, so once a personal profile with a unique ID code gets to advertisers and data brokers, it is relatively straightforward to link the X-UIDH personal profile with a customer.

For intelligence agencies such as America’s NSA, which reportedly uses cookies to track down individuals, as The Washington Post reported last year, the X-UIDH service could become an invaluable source of personal information on citizens.

There are several solutions that would prevent X-UIDH from modifying your traffic, and they all involve encryption: the “ad virus” can only operate on plaintext traffic, and an attempt to modify an encrypted data flow would simply break the whole connection.

Full protection is guaranteed by a virtual private network (VPN) technology or Tor, but you can also try to surf safely using an encrypted proxy or HTTPS.

If you want to know whether your mobile device is already infected, go to Amibeingtracked.com directly from it and take the injected header test.
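What an injected header test of this kind checks, as an added example (not code from the article, Verizon or Amibeingtracked.com): the headers a client sent are compared with the headers that reached the server, and an X-UIDH value that is identical with cookies present and with cookies cleared shows why clearing cookies does not help. The host name, cookie and ID values are constructed, the helper names are hypothetical, and the example assumes the tester knows what the client sent.

```python
# Added example: detect headers injected between client and server.
# All request bytes below are constructed sample data.
TRACKING_HEADERS = {"x-uidh"}  # the header name reported in the article

def parse_headers(raw: bytes) -> dict:
    """Map lowercased header names to values for one raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def injected_headers(sent: bytes, received: bytes) -> dict:
    """Headers the server received that the client did not send as-is."""
    before, after = parse_headers(sent), parse_headers(received)
    return {n: v for n, v in after.items() if before.get(n) != v}

def persistent_ids(sessions: list) -> dict:
    """Injected tracking headers whose value is identical in every session."""
    found = [injected_headers(s, r) for s, r in sessions]
    common = {}
    for name in TRACKING_HEADERS:
        values = {f.get(name) for f in found}
        if len(values) == 1 and None not in values:
            common[name] = values.pop()
    return common

def build(extra: str) -> bytes:
    """Build a constructed plaintext request with optional extra headers."""
    return ("GET / HTTP/1.1\r\nHost: example.test\r\n" + extra + "\r\n").encode()

UIDH = "X-UIDH: CONSTRUCTED-PLACEHOLDER-ID\r\n"
# Session 1: browsing with a cookie. Session 2: cookies cleared, Do Not Track on.
SESSIONS = [
    (build("Cookie: sid=abc\r\n"), build("Cookie: sid=abc\r\n" + UIDH)),
    (build("DNT: 1\r\n"), build("DNT: 1\r\n" + UIDH)),
]

if __name__ == "__main__":
    for sent, received in SESSIONS:
        print("added in transit:", injected_headers(sent, received))
    print("survives cookie clearing:", persistent_ids(SESSIONS))
```

Over HTTPS, VPN or Tor the request bytes between client and server are encrypted, so the received headers match the sent ones and both functions return empty results.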