
Somebody’s Already Using Verizon’s ID to Track Users - uptown
http://www.propublica.org/article/somebodys-already-using-verizons-id-to-track-users?hn
======
mschuster91
Are you f..ing kidding me? If I pay for Internet access, I demand best-effort
of the provider to transfer the data packets unmodified (except, for IPv4, NAT
usage), shortest way, to the target IP address.

I _do not_ pay and then want to get tracked so that the provider or some other
dickheads can data-mine me and make even more money. If I want this, I can
choose a free plan (e.g. unlimited 3G, but with tracking).

About time everyone switches over to HTTPS with HSTS (so that no provider can
perform an SSL MITM attack using its own trusted certs).

~~~
revelation
I continue to be baffled at this. It seems like we are just all ok with a
communications provider manipulating data?

I was expecting the feds to bust their doors in. This is US Postal opening
every package and rewrapping it to insert advertisements.

~~~
wyager
> This is US Postal opening every package and rewrapping it to insert
> advertisements.

No, because ISPs aren't common carriers. It's a pretty common political
position (among those who care) that ISPs should be common carriers.

~~~
seanp2k2
Frankly, I'm glad that Verizon is doing this, as it weakens their ability to
argue that Title II net neutrality isn't necessary because no one is currently
messing with traffic. Even better that they're doing it with their wireless
network, since, as I understand it, they were given a bit more rope with which
to hang themselves in the wireless ISP space.

~~~
gregcohn
excellent point.

------
MichaelGG
"took steps to secure these Device IDs, and began allowing their users to
delete them, in the same way they could delete cookies in their desktop Web
browser."

That's a joke. Android's permission model encourages users to freely give out
their device serial number. The permission to read device ID is hidden behind
the permission that allows an app to determine if you're on a call. A totally
innocuous permission (which should not be a permission) smuggles in a very
intrusive one.

Oh, and for a kicker, device ID permission also gives apps access to the
_number of who you call or calls you_. So even security conscious users that
check permissions can easily get tricked. "Sure, I want this flashlight app to
turn off if I get a call so I don't blind myself trying to answer" - bam, you
just gave away your permanent ID and call logs.

This could be a negligent incompetent mistake on Google's part, but it seems
unlikely because it's so nonsensical and they've done nothing to rectify it in
years.

~~~
higherpurpose
I'm also starting to believe that Android's extremely vague permissions are
not that vague because of their engineers' incompetence, but because it was
done this way on _purpose_.

Google promised at I/O that a permission system with more fine-grain control
would come in Lollipop, but it's still nowhere to be seen.

~~~
userbinator
Agree with this, especially after their fine-grain control App Ops, which
received a _very_ positive response, was completely removed, and the reason
they gave for doing so quite nonsensical: "it can break apps" - obviously,
that's why people want to use it - to prevent apps from "breaking" their
personal privacy.

(My Android's ID/serial number is 0123456789ABCDEF, the same as tens of
millions others out there, so I'm not so worried about it. One of the perks of
owning an unbranded generic Chinese device, along with a new random MAC
address whenever I reset the WiFi...)

~~~
MichaelGG
It's unlikely your IMEI is non-unique though.

------
MAGZine
This is so wrong. An ISP is not meant to interject information into a client's
request, build profiles of their subscribers, help "provide targeted content,"
or any such activity. Apparently ISPs are making so little money by providing
services they were originally born to provide, they need to go and do totally
unwanted activity like this. They're _internet_ service providers, not
_customer profiling_ service providers.

It's clear that these companies do not have their customer's best interests at
heart, though I'm not sure that they ever have.

~~~
ams6110
Furthermore the notion that the addition of an HTTP header to the request
would be a patentable invention is absurd. The protocol explicitly supports
it. Nothing was invented here.

------
guelo
> Google has proposed a new Internet protocol called SPDY that would prevent
> these types of header injections – much to the dismay of many telecom
> companies who are lobbying against it

Wow, I was pretty ambivalent about SPDY/HTTP2 before but now I really hope it
catches on.

~~~
mschuster91
Actually a binary format (designed to be machine-friendly) is better for MITM
injections as it's easier to parse and manipulate... the only benefit of
HTTP2/SPDY is that iirc it requires TLS.

I'm waiting for the first carrier to perform SSL MITM.

~~~
jankassens
They're already planning it: "Involve the user: Obtain user consent to trust
service provider to decrypt select HTTPS"

Quote from someone working for a satellite internet provider for airlines.

Source:
[http://www.atis.org/openweballiance/docs/OWAKickoffSlides051...](http://www.atis.org/openweballiance/docs/OWAKickoffSlides051414.pdf)
page 27

~~~
meowface
As bad as it is, at the least it should be easy to opt-out of that (unless
they do something ridiculous like charge you extra if you refuse to opt-in).
Just remove the certificate your ISP gives you.

------
atmosx
Apparently you can check your mobile connection here:
[http://lessonslearned.org/sniff](http://lessonslearned.org/sniff)

~~~
ams1
ProPublica reporter/developer here. There's a tool embedded in the article to
see if your carrier is setting a tracking header.

We also published a follow-up about how AT&T has said they will stop using the
header: [http://www.propublica.org/article/att-stops-using-undeletabl...](http://www.propublica.org/article/att-stops-using-undeletable-phone-tracking-ids)

------
Rizz
I wonder in how many states doing this is an illegal form of tampering with
electronic communications. It seems to me interfering with communications
would be illegal unless it is necessary for network operations, which
advertising trackers obviously are not.

------
r0m4n0
Verizon has been pushing their "Smart Rewards" program on me for months
([http://www.verizonwireless.com/wcms/myverizon/smart-rewards....](http://www.verizonwireless.com/wcms/myverizon/smart-rewards.html)).
After reading the fine print, you are actually consenting to
monitoring of all traffic through your account that will be shared to third
parties. I respect the fact they have some sort of opt in that has some
return... Imho they are swindling the typical oblivious consumer trolling for
a free Jamba Juice gift card.

~~~
userbinator
It's a little amusing and rather sad that the word "smart" now seems to be
used to describe products and services that act against their users and often
perform surveillance on them, implying that it's somehow a "smart" thing to
let this happen.

------
gnud
Will the ISPs overwrite this header if already present? If so, isn't that a
kind of huge problem? If not, can't someone make a mobile browser that sets
these headers to some random value?

~~~
gorhill
Yes, it will be overwritten. Someone tried it:
[https://github.com/lightswitch05/Bogus_X-UIDH#update-verizon...](https://github.com/lightswitch05/Bogus_X-UIDH#update-verizon-overwrites-the-x-uidh-if-it-is-already-set-so-this-is-not-a-valid-solution-)

~~~
philo23
What if it had a different case? Eg x-uidh:

I remember for a while the only way to change the User-Agent header for iOS
UIWebViews was to set the user agent header in lowercase; as long as it's
after the actual header, PHP will uppercase both and the later one will win
(for $_SERVER at least; obviously this is PHP specific.)

~~~
MichaelGG
Yes, the fun is to figure out what they're using and exploit it. HTTP is a
terrible format to parse, with lots of idiotic extra features that have no
legitimate usage. But it'd be fairly easy for them to harden things, just
abort if they run into anything weird.

Which may be a way around this. Run a local proxy that does stuff like use
line folding, comments in headers, and other things to make their parse code
abort. Of course, you then run the risk of breaking compatibility with actual
HTTP servers (with good reason: those are bad features and such messages are
probably an attack). And of course the ISP can always fix their code.

------
bcl
A solution to this is to setup openvpn on a VM someplace and route all your
phone's data traffic through that. I've done this using the Fedora OpenVPN
guide
([https://fedoraproject.org/wiki/Openvpn](https://fedoraproject.org/wiki/Openvpn)).
To get it working on the iPhone I also had to add this to the server config:

push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"

~~~
packetslave
The problem with doing this is that now all your web traffic is associated
with the IP of the VM, which is presumably even easier to track back to you.

You'd have to do something exceedingly clever like have the VM automatically
route VPN traffic into Tor.

~~~
bcl
Well, it depends on your goal. In this case it is to avoid Verizon adding
stuff to my http traffic.

------
ben1040
For what it's worth, this article is 2 weeks old and it seems Verizon may have
either stopped this or is now respecting opt-outs. I'm curious if others are
seeing this.

While I was definitely getting that header added to my outbound traffic two
weeks ago, it is not happening to me now. I noticed that a day or two ago, and
it still seems to be the case now.

~~~
sehugg
Nope, they haven't stopped. Reduced a bit, maybe. I'm seeing maybe 5-6% of our
HTTP traffic with the X-UIDH header instead of 10% two weeks ago.

AT&T's x-acr header, though, seems to be gone, as others have reported. They
were about 0.5% of our traffic.

~~~
vonklaus
How can I check for this?

~~~
sehugg
If you have a server? I use ngrep.
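For those without ngrep handy, an added example (not sehugg's tool or anything from the article): a small Python checker that parses raw HTTP request heads, reports the X-UIDH / x-acr headers named in this thread regardless of case or duplication, unfolds obsolete line folding so an oddly formatted copy is not missed, and reports what share of a capture carries them, as sehugg does above. The sample requests and ID values are constructed.

```python
from collections import Counter

# Carrier-injected tracking headers named in this thread (Verizon's X-UIDH,
# AT&T's x-acr). Compared lowercased, since HTTP header names are case-insensitive.
TRACKING_HEADERS = {"x-uidh", "x-acr"}


def parse_headers(raw_request):
    """Return (lowercased name, value) pairs from a raw HTTP/1.x request head.

    Duplicates and order are kept, so a second, differently-cased copy of a header
    is still reported; obsolete line folding (continuation lines starting with
    SP/HTAB) is unfolded into the previous field's value.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        if line[:1] in (" ", "\t") and headers:  # obs-fold continuation line
            name, value = headers[-1]
            headers[-1] = (name, (value + " " + line.strip()).strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def tracking_headers_in(raw_request):
    """Every carrier tracking header in one request, e.g. [('x-uidh', 'ZGVtby1pZC0x')]."""
    return [(n, v) for n, v in parse_headers(raw_request) if n in TRACKING_HEADERS]


def tracking_header_share(requests):
    """Per-header (request count, fraction of capture), like the 5-6% / 0.5% figures above."""
    hits = Counter()
    for req in requests:
        hits.update({n for n, _ in tracking_headers_in(req)})
    total = len(requests)
    return {n: (c, c / total) for n, c in sorted(hits.items())}


# Constructed sample capture; the header values are made up, not real identifiers.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.com\r\nX-UIDH: ZGVtby1pZC0x\r\n\r\n",
    "GET /a HTTP/1.1\r\nHost: example.com\r\nx-uidh: ZGVtby1pZC0x\r\nX-UIDH: ZGVtby1pZC0y\r\n\r\n",
    "GET /b HTTP/1.1\r\nHost: example.com\r\nx-acr: ZGVtby1hY3I=\r\n\r\n",
    "GET /c HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    for name, (count, share) in tracking_header_share(SAMPLE_REQUESTS).items():
        print(f"{name}: {count} request(s), {share:.1%} of capture")
```

Feed it the request heads from a server-side capture (or ngrep output split per request) to get the same per-header percentages over real traffic.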

------
RexRollman
That's disappointing. So in the end, Twitter is no better than Google or
Facebook when it comes to user tracking.

We are the product, indeed.

~~~
ams6110
Of course you are. Are you paying for Twitter?

~~~
icebraining
People are paying for Verizon, though.

~~~
meepmorp
That you're the product if you're not the customer does not imply that you're
not the product if you are the customer. Companies sell personal data all the
time, cause they can make extra money off their customer base.

------
trvz
When I read the first part of the first sentence, "Twitter's mobile
advertising arm enables its clients to use a hidden...", I thought "I'm a
client, but never heard of ... oh, never mind."

------
atesti
It would be possible for Verizon to implement this really bad system without
anybody noticing, even if SPDY/HTTP 2 or HTTPS is used:

Currently they inject the header with an ID which changes e.g. daily and
charge third parties to associate the ID with a profile. They can only inject
in HTTP.

If instead the third party (e.g. an adserver) contacts a Verizon server with
the IP (and port number in case of carrier grade NAT) on every request and
that server gives back the profile and Verizon charges the adserver for this,
then nobody would ever know and there would be not much protection against it
(without a third party proxy or vpn to hide the IP).

------
phkahler
Another argument for Net Neutrality. Just pass the data through please.

------
biafra
It should be possible to counter this by running a proxy somewhere and use
that. Privoxy would work for this and while you're at it you can make it
remove the ads too.

~~~
gorhill
Your proxy would need to be after your ISP.

------
lvs
For what it's worth, I am no longer seeing the dox header in requests.
Something has clearly changed without much fanfare.

------
gergles
I still don't understand why I appear to be the only Verizon customer on the
Internet that doesn't have this header injected. There is nothing special
about my account (other than its age, perhaps; I have only been a Verizon
customer since the iPhone 6 release), but it just doesn't show up for me.

~~~
colordrops
Did you enable Do Not Track in your browser settings?

~~~
gergles
Amusingly, yes, but other people reported doing the same and still seeing the
header be sent.

------
cheezit
www.runads.com is doing the same for their mobile advertising campaigns.

The ad-tech industry is targeting mobile advertising as the Next Big Thing,
and they're right to do so. Anyone not tracking and optimizing ads toward the
permacookie will be left behind.

------
gallerytungsten
It appears that there is a huge business opportunity for someone to find a way
to defeat this type of tracking. Of course, it would probably need to be a
subscription type of service, which bodes well for steady recurring revenue.

~~~
MichaelGG
Just add some mobile-specific marketing to a VPN service.

------
0x0
Has anyone done any research on how robust their MITMing HTTP handling is?

------
tomphoolery
I suppose...but couldn't they just track you by IP address anyway?

------
zer0defex
Textbook example of escalation. Start with relatively easy to remove cookies.
Savvy people clear their caches, the criminals move to automatic localstorage
weapons. The savvy people start wearing AdBlock armor and rejoice. The
criminals move up to armor piercing injection bullets. The everyday mom and
pop don't stand a chance. 1984, yeah right man, Orwell is today.

~~~
akerl_
You're aware, of course, that the kind of escalation of force you describe has
no connection to the societal changes described in 1984?

~~~
zer0defex
Yep, I am. I was being facetious. Cheers!

