
Verizon Wireless injecting tracking UIDs into HTTP requests - pillfill
See @KennWhite: https://twitter.com/kennwhite/status/525110471733817344

Verizon Wireless is injecting a UID into all HTTP requests made on the VZW network, regardless of whether or not you've opted out of their Customer Proprietary Network Information (CPNI) options.

It's injected at the network level, so it tracks across browsers and ignores 'private browsing', do-not-track headers, overriding the UIDH in the client/curl, everything. My confirmation showing the headers only appearing in unprotected HTTP requests (disappearing when VPNed):

https://twitter.com/rammic/status/525360201361530880

If you're on the VZW cell network and not using wifi, you can check your own ID here (via @j4cob):

http://uidh.crud.net/
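
The check the post points at (uidh.crud.net, and the other echo pages linked further down) is just a page that reflects your request headers back at you. Here is a self-hosted version of that check plus the header test itself, written as an added example for this thread; it is not the code behind any of the linked sites. X-UIDH (Verizon) and X-ACR (the AT&T header discussed below) are the names the thread documents; the "opaque X- header" heuristic, the sample header values and the standard-header exclusion list are assumptions of this example.

```python
"""Added example: spot carrier-injected tracking headers in an HTTP request.

Run it on any box reachable over plain http:// from the phone, then fetch it
with wifi off; the injection only happens to cleartext traffic on the
cellular path, so https:// or a VPN will never show the header.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names documented in this thread.
KNOWN_TRACKING = {
    "x-uidh": "Verizon Wireless UIDH",
    "x-acr": "GSMA Anonymous Customer Reference (seen on AT&T)",
}

# Assumption: a non-standard X- header whose whole value is one long
# base64-looking token deserves a second look even if its name is new.
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")
COMMON_X_HEADERS = {"x-forwarded-for", "x-forwarded-proto", "x-real-ip",
                    "x-requested-with", "x-forwarded-host"}


def find_tracking_headers(headers):
    """Return [(name, value, reason)] for headers that look like carrier IDs.

    `headers` is any mapping of header name -> value; names are compared
    case-insensitively, values are left untouched.
    """
    hits = []
    for name, value in headers.items():
        key = name.lower()
        if key in KNOWN_TRACKING:
            hits.append((name, value, KNOWN_TRACKING[key]))
        elif (key.startswith("x-") and key not in COMMON_X_HEADERS
              and OPAQUE_TOKEN.match(value.strip())):
            hits.append((name, value, "unknown opaque X- header (heuristic)"))
    return hits


def report(headers):
    """Plain-text page body: every header as received, then the verdict."""
    lines = [f"{k}: {v}" for k, v in headers.items()]
    hits = find_tracking_headers(headers)
    verdict = [f"TRACKING HEADER {n}: {v}  ({why})" for n, v, why in hits]
    return "\n".join(lines + [""] + (verdict or ["no tracking header seen"]))


class EchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = report(dict(self.headers.items())).encode() + b"\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample request (the token is made up, not a real UIDH).
SAMPLE_HEADERS = {
    "Host": "example.net",
    "User-Agent": "Mozilla/5.0 (iPhone) Safari",
    "X-UIDH": "OTgxNTk2NDk0ADJVquRu5NS5-CONSTRUCTED-VALUE",
    "X-Forwarded-For": "10.0.0.1",
}

if __name__ == "__main__":
    print(report(SAMPLE_HEADERS))
    HTTPServer(("0.0.0.0", 8080), EchoHandler).serve_forever()
```

Fetch it with something that does not use a proxy of its own (curl, or the stock browser with any data-compression feature turned off), since the thread notes that Chrome's proxy hides the header for reasons that have nothing to do with Verizon.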
======
youzer
Let's say I want to send some TCP. That TCP happens to kind of look like HTTP,
but it's not. It's just some protocol I made up which looks HTTPish enough to
trigger this injection.

Doesn't that mean that Verizon isn't actually offering TCP/IP (Internet)
access, since they corrupt my protocol stream in transit? Shouldn't that mean
they should be charged with fraud if they continue to advertise the fact that
they provide internet access when what they really provide is a broken version
of TCP they made up?

It's a serious question.

~~~
peterwwillis
When most mobile providers get you on the internet, it's through NAT. They're
already terminating and re-creating your connections for you, and not
providing your "real" tcp/ip packets to the internet, and thus neither the
world's "real" internet packets to you. All you get is a translation.

You've never gotten "the real internet" on a mobile device. The idea that they
may change one more part of your fake connection seems pretty irrelevant.

The same happens on "real" routers, firewalls, etc when they massage the
traffic going through them. Sometimes they barely change anything at all.
Sometimes they make minor adjustments. Sometimes major ones. You don't have an
agreement with any of them specifically to modify your packets; they just do.
So do you have a claim of harassment against your packets? Have they
trespassed on your property? Are you trespassing on their routers?

The answer to all these questions is: nobody has ever guaranteed to you what
you get from the internet, other than "availability" if you're a business
user, and even that's not set in stone.

~~~
srj
NAT doesn't terminate and recreate connections. It modifies packet headers and
forwards them.

Modifying headers in order to facilitate transit over a network is one thing,
modifying the L7 payload is another.

~~~
peterwwillis
Well you're right in a sense. But it modifies packets to a point where they
are indistinguishable from the original connection, and tracks the incoming
and outgoing interface sides as if they were discrete connections (there are
at least four flows for every NAT connection).

Often carrier-grade routers will replace every aspect of a tcp/ip packet, like
sequence numbers, windows, flags, source and dest ports, etc. Routers like
these see everything going through them as a form of NAT; it's just some
connections are modified more than others. The exception to this would be
interfaces in bridge or monitor mode.

To your second point that modifying some layers is OK but modifying other
layers is not: what rationale explains this double standard? What about the
application layer do you find to be unique in that there's some expectation of
purity? Does a proxy not modify layer 7 to cache and pass traffic? Does DNS
not do the same?

------
gergles
They don't appear to be doing this if you've opted out of "Relevant Mobile
Advertising", which is another option [separate from CPNI] on
[http://verizonwireless.com/myprivacy](http://verizonwireless.com/myprivacy).

Here's the setting you're looking for:

[http://i.imgur.com/QFJJNV5.png](http://i.imgur.com/QFJJNV5.png)

Mods may also want to update the title to include "Wireless" after Verizon;
Verizon landline is not doing this anywhere AFAIK.

~~~
ewzimm
I have a prepaid account, and I'm not allowed to change privacy settings
either online or over the phone. The web tells me I am an account member and
not owner, and the phone just says prepaid is not eligible to opt out. I can
fix it by using a VPN, but isn't it illegal to not even allow me to opt out?
Postpaid is significantly more expensive than prepaid and not available to
people with bad credit. How can they discriminate like that?

~~~
smeyer
I'm not clear why you think it would be illegal. There may be rules against
not allowing people to opt out, I don't know. But when you ask "How can they
discriminate like that?", there's nothing illegal about discriminating on the
basis of credit or willingness to pay for a more expensive product.

~~~
ewzimm
I can understand discriminating on quality or something like that, but we're
talking about not being able to opt out of having your personal information
sold. It seems like there should be some kind of a law where that has to be
made absolutely clear. It doesn't even seem to be buried anywhere in the Terms
of Service, which say:

"Verizon Wireline consumers and certain business customers may opt-out by
calling 1-866-483-9700. Verizon Wireless consumer and certain business
customers may call 1-800-333-9956."

Only after calling that number are you told you are ineligible because you are
prepaid.

This is advertised as a prepaid account, not a personal-information-selling
subsidized account. It's also not even really competitive with other plans.
Verizon gives you up to 1GB/month for $45, only with recurring payments, while
Cricket gives you 10GB 4G with unlimited throttled data for $55.
Unfortunately, Verizon has a monopoly in most of my area. T-Mobile and Sprint
don't operate here, and AT&T is spotty.

~~~
smeyer
I'm attracting a lot of downvotes, and I feel like people think I'm supporting
Verizon. I agree with you in that I think they're being scummy, but I guess I
was just saying that when you ask "How can they discriminate like that?" the
answer is that lots of scummy things aren't illegal. I agree it might be nice
to see much stronger privacy laws in this area, but they don't exist yet and
that's most of what I was trying to say. I think I thought you were saying
that you thought it was illegal ("isn't there a law...") whereas you were
really just saying you thought it should be illegal.

~~~
ewzimm
I do think it should be illegal, but "isn't it illegal?" was a genuine
question. I don't know the specifics, but I'm surprised there isn't some legal
requirement. You can't even send e-mail without allowing an opt-out, and every
ad network I know of has an opt-out policy, so sending tracking information to
every website you visit and selling that information with no option to opt-out
just seems over the top and out of step with what everyone else offers.

------
kator
This has been going on for ages, not sure why people just now noticed it.

They were testing it last year, you could clearly see these headers on a large
percentage of traffic coming from their gateways.

I'm not expressing an opinion one way or another but they clearly felt the UID
is not directly identifiable and thus does not become a privacy issue until
they share the mapping of the UID to customer data.

My guess is in their minds if you opt-out they just do not provide your UID to
3rd parties for targeting.

In the ever increasing dream of cross device marketing (think your iPad,
iPhone and Laptop) many companies are trying to figure out ways to connect
these devices to a single individual or family.

IIRC Verizon quietly started rolling out service wide TOS changes to allow
this sort of thing a couple years back. That said I'm not sure if their TOS
makes it clear how this is implemented and what potential side effects might
be caused by the way they've implemented them.

~~~
pillfill
The news is that they are injecting it even when you have opted out of CPNI.

The disturbing part is a unique ID that follows you despite private browsing
and across browsers. The worst part is that it goes to every site you visit
(not just VZW or selected advertisers). It can be trivially linked to your
existing cookies/identity to follow you even after clearing cookies, changing
browsers, switching devices, etc.

~~~
kator
Yes it's disturbing, again I'm no mind reader, but I guess they assume when
you opt-out they just don't map your UID. Meanwhile you're still trackable and
just one small data point could be used to reverse everything you visit.

As an example if you sign up for some random blog and they capture UID's they
could quickly map your email to your UID and onward into the spiral we go.

IP Addresses are a similar problem for home users, nobody seemed to have
noticed that quite some time ago ISP's started making DHCP lease times quite
long. Not to put on a tin foil hat, but I assume this was done more
strategically than just to reduce load on DHCP servers in their networks.
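
The linking that pillfill and kator describe above (one site sees your UIDH next to a login or an email address once, and from then on every request carrying that UIDH is attributed to you, across cookie clears and devices) is easy to show concretely. The following is an added example, not code from the thread or from any site mentioned in it: a constructed access log and a small identifier-linking routine of the kind an analytics backend would run. Field names, the log entries, and the assumption that the weekly UIDH rotation (ericlitman's note further down) is bridged whenever a known cookie shows up next to a new UIDH are all this example's own.

```python
"""Added example: attributing 'anonymous' requests to a person via X-UIDH.

Every request links the identifiers it carries (UIDH, session cookie,
logged-in user) into one cluster; any request in a cluster that contains
a user is attributed to that user. This is the general algorithm, shown
once with the UIDH available and once without it (VPN / HTTPS).
"""

# Constructed access log. "user" is set only on authenticated requests.
LOG = [
    {"ts": 1, "ua": "Safari-iPhone", "uidh": "AAA111", "cookie": "s1", "user": None, "path": "/blog/1"},
    {"ts": 2, "ua": "Safari-iPhone", "uidh": "AAA111", "cookie": "s1", "user": "alice@example.com", "path": "/login"},
    # same account on a tablet, private browsing: no cookie at all
    {"ts": 3, "ua": "Safari-iPad", "uidh": "AAA111", "cookie": None, "user": None, "path": "/health/condition"},
    # cookies cleared and a different browser, still the same UIDH
    {"ts": 4, "ua": "Firefox-Android", "uidh": "AAA111", "cookie": "s9", "user": None, "path": "/jobs"},
    # UIDH rotated, but the session cookie from ts=4 is still present
    {"ts": 5, "ua": "Firefox-Android", "uidh": "BBB222", "cookie": "s9", "user": None, "path": "/jobs/2"},
    # new UIDH only, no cookie
    {"ts": 6, "ua": "Safari-iPhone", "uidh": "BBB222", "cookie": None, "user": None, "path": "/clinic"},
    # someone the site has never seen log in
    {"ts": 7, "ua": "Chrome", "uidh": "CCC333", "cookie": "s3", "user": None, "path": "/"},
]


class DisjointSet:
    """Union-find over identifier strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def _keys(rec, use_uidh):
    keys = []
    if use_uidh and rec.get("uidh"):
        keys.append("uidh:" + rec["uidh"])
    if rec.get("cookie"):
        keys.append("cookie:" + rec["cookie"])
    if rec.get("user"):
        keys.append("user:" + rec["user"])
    return keys


def attribute(records, use_uidh=True):
    """Return {ts: user-or-None}: which person each request is attributed to.

    With use_uidh=False the log is what the site would see if the header
    were stripped (VPN, HTTPS), which is the comparison the thread is about.
    """
    ds = DisjointSet()
    for rec in records:
        keys = _keys(rec, use_uidh)
        for k in keys[1:]:
            ds.union(keys[0], k)
    owner = {}
    for rec in records:
        if rec.get("user"):
            owner[ds.find("user:" + rec["user"])] = rec["user"]
    result = {}
    for rec in records:
        keys = _keys(rec, use_uidh)
        result[rec["ts"]] = owner.get(ds.find(keys[0])) if keys else None
    return result


def history(records, user, use_uidh=True):
    """Paths the site can now tie to `user`, in log order."""
    who = attribute(records, use_uidh)
    return [r["path"] for r in records if who[r["ts"]] == user]


if __name__ == "__main__":
    for flag in (True, False):
        print("with UIDH" if flag else "without UIDH",
              history(LOG, "alice@example.com", use_uidh=flag))
```

With the header present, one login at ts=2 is enough to attribute all six of the first requests to the same person, including the cookieless tablet visit and the requests made after the identifier rotated; without it, only the two requests sharing the login cookie can be tied to her.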

------
jo_
This makes me rather unhappy. I'm seeing this on Verizon. Can someone with an
alternative mobile provider like Sprint or T-Mobile test this, too?

~~~
hackuser
> This makes me rather unhappy. I'm seeing this on Verizon. Can someone with
> an alternative mobile provider like Sprint or T-Mobile test this, too?

I would guess that voting with your feet would be the most effective response.
While many think consumers don't care (or don't understand), we can see many
vendors beginning to emphasize confidentiality features.

~~~
jo_
I'm not sure if I value my confidentiality more than the unlimited
talk/data/text plan on which I'm grandfathered. It's a hard change to make,
especially considering I no longer see the tracking data after I disabled it
in my settings.

------
tedchs
On my Verizon Moto X (Android), the header is not visible if I use the Chrome
feature "Reduce data usage", but it is visible if I disable that feature or,
ironically, use Incognito mode. This feature causes non-SSL, non-Incognito
traffic to be proxied through Google's servers, using the SPDY protocol. Some
info on how this works: [https://developer.chrome.com/multidevice/data-compression](https://developer.chrome.com/multidevice/data-compression)

------
danyork
It seems that [http://uidh.crud.net/](http://uidh.crud.net/) is not working
right now (gives a 502). However the UIDH header can be seen here:

[http://lessonslearned.org/sniff](http://lessonslearned.org/sniff)

Also [http://verizon-uidh.tk/](http://verizon-uidh.tk/) gives a yes/no if you
have the UIDH header (and shows you the header if you do)

------
ChuckMcM
Bummer, the iPad (LTE version) sends this tracking information and there is no
way to turn it off.

~~~
zackify
setup a vpn with digitalocean like I do, it's about all we can do.

~~~
ChuckMcM
Well to be clear, on WiFi it does _not_ send the tracking data, only when
using the LTE network. That said the only SSL tunnel software I saw was Junos
Pulse which is sitting on a ton of bad reviews at the moment because
apparently it doesn't work with iOS 8. What VPN software do you use with your
iPad?

~~~
codezero
I use OpenVPN Connect, it's a bit of a pain to set up, but it works well.
[https://itunes.apple.com/us/app/openvpn-connect/id590379981?...](https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8)

------
scintill76
Seems similar to Apple's Spotlight phone-home thing: unsolicited extra data
being sent, a somewhat buried disclosure that it's happening, people having
difficulty getting their opt-out preference honored (possibly caused by
several confusingly-similar options to disable.)

It does sound like Verizon's is more a case of simply not honoring the option,
though, unless some commenters here have just not found the magic checkbox
yet.

------
mfkp
Hmm, confirmed on Verizon 4G LTE network.

Can anybody recommend a good VPN service that works on android?

~~~
bobbyi_settv
If you use Chrome and enable Google's Data Compression Proxy, all http traffic
is proxied via Google's servers and sent to them via spdy (which is
encrypted), so Verizon can't tamper with the requests or see what they are:

[https://developer.chrome.com/multidevice/data-compression](https://developer.chrome.com/multidevice/data-compression)

~~~
ams6110
So you trade Verizon's tracking for Google's?

~~~
teraflop
At the very least, it would only be Google that could track you, instead of
every website you visit being able to read your Verizon-assigned ID.

------
edallme
Apparently Verizon has two patents on the process:

[http://www.faqs.org/patents/app/20130318346](http://www.faqs.org/patents/app/20130318346)

[http://www.google.com/patents/US20130318581](http://www.google.com/patents/US20130318581)

~~~
rockdoe
Excellent news, that means their competitors are safer to use?

~~~
blumkvist
It would make sense for Verizon to license the technology to other carriers.

1) The more widespread the technology is, the more advertisers will be aware
of it and will seek it. This means more revenue for Verizon (bigger market for
this product).

2) If all carriers do it, then people won't have an incentive to switch from
Verizon.

3) Licensing fees.

------
13throwaway
Here's a scary thought: How do we know every ISP isn't doing this, it would be
undetectable if they only injected these on certain domains e.g. facebook,
google. However I don't see how much more tracking ability that would grant
over IP tracking.

------
tedks
Doesn't examining/modifying data exempt you from the DMCA safe harbor
protections?

~~~
jimktrains2
VZW doesn't use SIMs except in some new 4G tech.

~~~
tedks
Um, how is this relevant?

IANAL, but the DMCA seems to protect you from liability only if you don't
examine and modify traffic. If they're looking at the protocol to see if it's
HTTP and therefore modifiable, they could look at the host to see if it's
going to the pirate bay and block it. This means that when someone goes to the
pirate bay on the Verizon Wireless network, Verizon is liable for their
actions under the DMCA.

This is like YouTube reviewing videos before they're uploaded. If they were
reviewing videos, they could catch copyright violations from the start and
thus should.

There's probably legal trickery they could use to get out of it but it seems
like a valid point.

------
pillfill
Just confirmed that the UID follows the SIM, so even swapping phones won't
save you.

------
kator
Just checked my Verizon 4G LTE MiFi and the headers are not there, I've not
done anything special to my account settings.

On ATT I see the X-Acr thing but not clear if it's UID like or not in nature,
would need to see more of them.

~~~
13throwaway
I just checked my AT&T phone and I have an X-Acr header too.

~~~
kngspook
How're you checking?

~~~
13throwaway
Go to this page over a cellular connection. (Turn off your wifi)
[http://checkyourinfo.com/request](http://checkyourinfo.com/request) Then look
for a long number.

------
micah_chatt
When I try to 'withdraw consent' for 'Verizon Selects Participation Status', I
get this prompt [http://imgur.com/sbVpMhR](http://imgur.com/sbVpMhR)

~~~
cddotdotslash
That's because that program gives you rewards points specifically for sharing
your private information [1].

[1] [http://time.com/money/3025429/verizon-smart-rewards-loyalty-...](http://time.com/money/3025429/verizon-smart-rewards-loyalty-programs-retail/)

------
bndw
You can view all of your device's request headers at
[http://checkyourinfo.com/request](http://checkyourinfo.com/request)

~~~
pacino
I just checked my AT&T iPhone and it includes a "X-Acr" HTTP header that has a
long GUID? Is this a similar tracking ID?

~~~
acdha
Curious, I don't see this but if that's the same acronym used here it's a
tracking ID:

[http://www.gsma.com/oneapi/anonymous-customer-reference-beta...](http://www.gsma.com/oneapi/anonymous-customer-reference-beta/)

------
mgamache
As a prepaid account I don't have access to the privacy settings. I spent an
1:15 on the phone with Verizon with no luck (no one had any idea what I was
talking about). This has huge potential to be abused. It won't take long for
companies to link your real name to web traffic and know exactly everything
you look at on your phone. Wait until the cable/DSL companies realize the
untapped revenue potential.

------
Spooky23
VZW does all sorts of weird traffic management. They proxy everything and will
throttle applications deemed too chatty as well.

------
ArtDev
This looks like a job for Tunnelbear VPN!
[https://www.tunnelbear.com/](https://www.tunnelbear.com/)

I am a huge fan since I started using it when traveling in Europe. The mobile
version works great as well.

~~~
higherpurpose
Whatever you do, do _not_ uninstall TunnelBear!

[http://i.imgur.com/1YQfGRN.png](http://i.imgur.com/1YQfGRN.png)

~~~
ToastyMallows
TunnelBear probably has the best branding I've seen in a while, very well
executed.

------
chatmasta
I'm on Verizon and got "did not receive X-UIDH header" message from
uidh.crud.net. Possibly because it says "1x" at the top of my phone and that
means it's on another network?

~~~
Eiriksmal
Could be 4G only? Just did it from a 4G LTE tablet, got a big ol' X-UIDH
string of what appears to be Base64.

Edit: Also, on a positive match, the page displays a link to an NBC News
article on Verizon's CPNI (Customer Proprietary Network Information).

[http://www.nbcnews.com/tech/security/why-you-should-check-yo...](http://www.nbcnews.com/tech/security/why-you-should-check-your-verizon-wireless-privacy-settings-right-f1C6370918)

~~~
ewzimm
I get the header injected on 3g.

------
srj
As this requires reassembling the HTTP request to add the additional header,
this probably introduces extra latency too.

Fortunately https is becoming more pervasive which bypasses this and any other
transparent proxies.
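
Both of the points above, that the proxy has to reassemble the request before it can add anything, and that traffic it cannot parse as HTTP goes through untouched, can be shown with a few lines of byte handling. This is an added example of what such an injecting proxy minimally has to do, written for this thread; it is not Verizon's implementation, and the exact classification rule their gateways use is unknown here. Assumed: the stream is treated as HTTP on the strength of an HTTP/1.x-shaped request line alone (which is also the condition youzer's made-up protocol at the top of the thread would trip), the header name is X-UIDH as in the thread, and the sample streams and token value are constructed.

```python
"""Added example: the work a header-injecting transparent proxy does on a
TCP stream, and the streams it cannot touch."""
import re

# Assumption: a stream whose first line is "METHOD target HTTP/1.x" is HTTP.
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def inject_header(stream: bytes, name: bytes, value: bytes) -> bytes:
    """Return `stream` with `name: value` added if it parses as an HTTP/1.x
    request, otherwise the stream exactly as it was.

    The proxy must (1) buffer to the end of the header block before it can
    forward a byte, which is the latency cost; (2) drop any same-named header
    the client sent, so the value on the wire is the network's, not the
    client's; (3) leave alone anything that is not HTTP-shaped, which is why
    TLS and VPN traffic never carry the header.
    """
    end = stream.find(b"\r\n\r\n")
    if end == -1:
        return stream                       # incomplete, or not HTTP at all
    head, body = stream[:end], stream[end + 4:]
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return stream                       # request line not HTTP/1.x shaped
    prefix = name.lower() + b":"
    kept = [ln for ln in lines[1:] if not ln.lower().startswith(prefix)]
    new_head = b"\r\n".join([lines[0]] + kept + [name + b": " + value])
    return new_head + b"\r\n\r\n" + body    # body is untouched: header-only change


def headers_of(stream: bytes) -> dict:
    """{lower-case name: value} for the header block of an HTTP/1.x request."""
    end = stream.find(b"\r\n\r\n")
    if end == -1:
        return {}
    out = {}
    for line in stream[:end].split(b"\r\n")[1:]:
        k, _, v = line.partition(b":")
        out[k.strip().lower().decode()] = v.strip().decode()
    return out


TOKEN = b"OTgxNTk2NDk0ADJVquRu5NS5-CONSTRUCTED"      # made-up, not a real UIDH

# Constructed streams. The client below tries to set its own X-UIDH.
PLAIN_GET = (b"GET /sniff HTTP/1.1\r\nHost: example.net\r\n"
             b"X-UIDH: my-own-value\r\nUser-Agent: curl/7.37\r\n\r\n")
# TLS 1.2 ClientHello record: record header, handshake header, version,
# 32 zero bytes of random, no session id, one cipher suite, null compression.
TLS_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2d\x01\x00\x00\x29\x03\x03" + bytes(32)
                    + b"\x00\x00\x02\x00\x2f\x01\x00")
# A made-up protocol shaped like HTTP: it gets modified in transit.
LOOKALIKE = b"SYNC /feed HTTP/1.1\r\nSeq: 7\r\n\r\n<payload>"
# A made-up protocol that is not HTTP-shaped: passed through as-is.
NOT_HTTP = b"SYNC /feed MYPROTO/2\r\nSeq: 7\r\n\r\n<payload>"

if __name__ == "__main__":
    for label, s in (("GET", PLAIN_GET), ("TLS", TLS_CLIENT_HELLO),
                     ("lookalike", LOOKALIKE), ("not http", NOT_HTTP)):
        out = inject_header(s, b"X-UIDH", TOKEN)
        print(f"{label:9s} changed={out != s} x-uidh={headers_of(out).get('x-uidh')}")
```

Two things fall out of this that match what people report in the thread: the client-supplied X-UIDH value is replaced rather than preserved, and any stream that carries a complete HTTP-looking header block gets the extra line whether or not it is really HTTP, so a custom protocol that borrows HTTP's framing is altered exactly as youzer describes.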

~~~
tedd4u
The carriers are working to subvert this -- see the IETF draft for "HTTP/2.0
Explicit Trusted Proxy" or read this article:
[http://www.theregister.co.uk/2014/02/25/evil_or_benign_trust...](http://www.theregister.co.uk/2014/02/25/evil_or_benign_trusted_proxy_draft_debate_rages_on/)

------
mbelshe
Kinda makes you wish the IETF had adopted all-TLS-all-the-time in HTTP/2.0.

We need HTTP/3.0 to be SSL all the time and nix the CAs so we can avoid MITM
from VZ.

------
arca_vorago
What about LTE modems on Verizon? I am testing them and was planning a fairly
big rollout to replace some services that previously relied on Sat internet.

~~~
signifiers
Yes, modems, access points, LTE tablets included. Consumer and Enterprise
users (including me) are seeing it. Eg:
[https://twitter.com/innismir/status/525279100907560961](https://twitter.com/innismir/status/525279100907560961)

------
leejoramo
I assume there are similar opt-outs for AT&T, Sprint, T-Mobile, etc. Anyone
maintain a page of links for how to access the opt-outs?

~~~
pdabbadabba
Interesting, I just tested my device over AT&T LTE, but there was no UIDH
header.

Edit: There _is_ an x-acr header, which contains a curiously large amount of
encoded data, far too much to be any reasonably sized id. Anyone know what it
is?

~~~
kyrra
I see this as well. AT&T LTE with iPhone 5 (running 8.1).

------
peterwwillis
[https://www.verizonwireless.com/b2c/support/customer-agreeme...](https://www.verizonwireless.com/b2c/support/customer-agreement)

" _We collect personal information about you._ We gather some information
through our relationship with you, such as information about the quantity,
technical configuration, type, destination and amount of your use of our
telecommunications services. You can find out how we use, share and protect
the information we collect about you in the Verizon Privacy Policy, available
at verizon.com/privacy. By entering this Agreement, _you consent to our data
collection, use and sharing practices described in our Privacy Policy_. We
provide you with choices to limit, _in certain circumstances_ , our _use_ of
the data we have about you. You can review these choices at
verizon.com/privacy#limits. If there are additional specific advertising and
marketing practices for which your consent _is necessary_ , we will seek your
consent (such as through the privacy–related notices you receive when you
purchase or use products and services) before engaging in those practices.
[..]

DISCLAIMER OF WARRANTIES

We make no representations or warranties, express or implied, including, to
the extent permitted by applicable law, any implied warranty of
merchantability or fitness for a particular purpose, about your Service, your
wireless device, or any applications you access through your wireless device."

[https://www.verizon.com/about/privacy/policy/](https://www.verizon.com/about/privacy/policy/)

"We collect information about your use of our products, services _and sites_.
Information such as call records, _websites visited_ , wireless location,
application and feature usage, _network traffic data_ , product and device-
specific information _and identifiers_ , service options you choose, mobile
and device numbers, video streaming and video packages and usage, movie rental
and purchase data, FiOS TV viewership, and other similar information may be
used for billing purposes, to deliver and maintain products and services, or
to help you with service-related issues or questions. In addition, this
information may be used for purposes such as providing you with information
about product or service enhancements, determining your eligibility for new
products and services, _and marketing to you_. This information may also be
used to manage and protect our networks, services and users from fraudulent,
abusive, or unlawful uses; and help us improve our services, research and
develop new products, and offer promotions and other services.

[..]

When you register on our sites, _we may assign an anonymous, unique
identifier_. This may allow select advertising entities to use information
they have _about your web browsing_ on a desktop computer to _deliver
marketing messages to mobile devices on our network_. We do not share any
information that identifies you personally outside of Verizon as part of this
program. You have a choice about whether to participate, and you can you can
visit our relevant mobile advertising page (link to www.vzw.com/myprivacy) to
learn more or advise us of your choice.

Customer Proprietary Network Information (CPNI): [..] Verizon Wireline
consumers and certain business customers may opt-out by calling
1-866-483-9700. Verizon Wireless consumer and certain business customers may
call 1-800-333-9956. Other customers may decline to provide or withdraw CPNI
consent by following the instructions in the Verizon notice seeking consent.
For additional information, you can read examples of common consumer CPNI
notices for Verizon Wireline and Verizon Wireless.

Please note that many opt-outs are cookie-based. If you buy a new computer,
change web browsers or delete the cookies on your computer, _you will need to
opt-out again_. Please also note that some wireless devices, portals and
websites have limited ability to use and store cookies. As a result,
advertising entities may have a limited ability to use cookies in the manner
described above or to respect cookie-based opt out preferences. However, ads
may still be tailored using other techniques such as publisher, device or
browser-enabled targeting. You should check the privacy policies of the
products, sites and services you use to learn more about any such techniques
and your options. If you do not want information to be collected for marketing
purposes from services such as the Verizon Wireless Mobile Internet services,
you should not use those particular services."

~~~
caf
The identifier seems more pseudonymous than anonymous.

In fact, isn't "anonymous, unique identifier" an oxymoron?

~~~
sarciszewski
> In fact, isn't "anonymous, unique identifier" a tautology?

I believe the word you are looking for is "oxymoron" which is the opposite of
a tautology.

------
Floegipoky
Where's the class-action lawsuit?

------
sbarker
I'm on Verizon and got "did not receive X-UIDH header". 4G, droid ultra, FL

------
ericlitman
Useful to note that the UIDH changes every 7 days.

------
dzhiurgis
How is this UID different to an IP address?

~~~
acdha
It's stable across devices and sessions – if you have a cell phone and a
tablet, the UID is the same and it won't change over time even as you move
around their network.

~~~
dzhiurgis
In some sense having one ID instead of two unique IPs is better?

------
sp332
How do you opt out of CPNI?

~~~
Eiriksmal
The linked NBC News article explains you can do it through Verizon's customer
account web interface, but the parent says that won't work.

..."regardless of whether or not you've opted out of their Customer
Proprietary Network Information (CPNI) options."

------
booleanbetrayal
also seeing this despite CPNI settings. class-action time?

------
lpgauth
This has been known for a while and it's used by some advertisers...

~~~
pillfill
The news is that it's ignoring the opt-out selections (including mine that I
set a while ago).

------
abhishekmdb
Verizon Wireless tracking on its customers browsing habits, but why?
[http://www.techworm.net/2014/10/verizon-wireless-tracking-on...](http://www.techworm.net/2014/10/verizon-wireless-tracking-on-its-customers.html)

