
Verizon revives "zombie cookie" device tracking on AOL's ad network - mtigas
https://www.propublica.org/article/verizons-zombie-cookie-gets-new-life
======
Steko
_AOL’s ad network will be able to match millions of Internet users to their
real-world details gathered by Verizon, including — “your gender, age range
and interests.” ... AOL will also be able to use data from Verizon’s
identifier to track the apps that mobile users open, what sites they visit,
and for how long. Verizon purchased AOL earlier this year...

"I think in some ways it’s more privacy protective because it’s all within one
company,” said Verizon’s (chief privacy officer) Zacharia"_

Good to know she's looking out for our interests.

~~~
sslalready
I think this happens pretty much everywhere a mobile carrier can profit from
selling data about who's doing what. For example, Norwegian company
Mobiletech.no has API access to the largest, Nordic mobile carriers' billing
gateways and can turn an IP address:port pair from an HTTP/HTTPS connection
into a MSISDN, sometimes with additional subscriber details. They're working
with advertisers and analytics companies to help them count mobile subscribers
instead of unreliable, cookie-based visitors. Similarly, mobile carriers in
Denmark have been caught injecting HTTP request headers which leaked the
subscriber's phone number, phone model, etc. to arbitrary web sites. In Sweden,
someone used a similar service to blackmail visitors who watched porn.

~~~
Steko
We only hear about this in mobile but I presume Comcast, Time Warner and
friends do the same thing for broadband users, or is there some regulation
that stands in their way?

For that matter I've always wondered why the TV industry pays so much for
inaccurate Nielsen data (sometimes still based on diaries) when presumably the
cable providers have much more accurate data for many more users.

~~~
kalleboo
Because Nielsen gives them numbers they like. I'm sure the real data proves to
advertisers exactly how few people really watch TV ads rather than skip/change
channels/mute etc.

~~~
Steko
If so presumably the cable companies also know the networks are scared of
seeing how many people flip channels during commercials and so they would
package the data into larger chunks to hide this.

------
devit
They should be sued for that.

There is no way most customers are informed and intentionally consenting to
them tampering with the HTTP requests they send to include their customer ID.

The obvious expectation of a customer of an ISP is that it sends the data
through unchanged.

~~~
astrodust
It's things like this that drive people to want HTTPS everywhere, but even
that is subject to subterfuge when the provider inserts their own "trusted"
certificates to proxy that traffic.

There really should be provisions in the telecom bill that data traffic is to
remain absolutely untouched.

Just imagine phone calls where mentioning the word "pizza" would trigger an
advertisement being injected into it.

~~~
13throwaway
I don't know of any ISPs that are currently MITMing HTTPS. That seems like
something that would be big news and get a CA revoked. Do you have a source
for that?

~~~
charonn0
Not an ISP, but I think this was a reference to Lenovo's recent Superfish
scandal.

[0]: [http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/](http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/)

------
beagle3
I left Verizon when the story first broke. The coverage I get from T-Mobile
is not quite as good as Verizon's was - but it is a small price to pay ...

... if indeed I'm getting any privacy in return. Which I'm not at all sure
about.

~~~
selimthegrim
Well given that Experian leaked your SSN last week (if you gave it to
T-Mobile), that's debatable.

~~~
beagle3
I didn't. Neither did I give any to Verizon when I signed up (they said they
can't, but after insisting they "graciously" agreed to get a $400 deposit
instead).

------
qzervaas
Apple's already shown they don't like this behaviour with their randomised MAC
addresses in iOS 8+. Obviously what this article references is done at the
carrier level, not on open wifi networks.

I expect them to do something about this carrier-level behaviour next iOS.
From a technical perspective, what could they do to prevent this?

~~~
jameshart
Run everything from the phone through a VPN over iCloud servers, so all
traffic from every iPhone in the world hits the internet as if it comes out of
Cupertino? Install Tor as an OS-level feature?

~~~
_-__---
Tor as an OS-level feature may not spark the best reaction. It's been given a
bad name ("deep web," Silk Road, etc.) in mass media and many people don't
understand it enough to think of it as anything other than bad.

I think that it'd be cool to have, but I don't think that Apple would ever
implement it.

~~~
jerf
I never dreamed Apple would in any way officially support, or even acknowledge
the existence of, ad blocking.

~~~
bduerst
It's an aggressive strategy.

Apple is only blocking internet ads, not in-app ads, which makes it obvious
that they're targeting content creators to push them to either Apple newsstand
or iOS apps, where Apple gets a cut of the ads.

It's disappointing because Apple is using their mobile marketshare to attack
and fragment the open web. Users either don't understand or don't care because
they have cognitive bias towards ads to begin with - e.g. people only
attribute negative ad experiences to ads, never good experiences (w/ few
exceptions like the superbowl).

~~~
aikah
Ads considerably degrade the browsing experience on mobile.

Most ads used to be in Flash, which was blocked by default since it doesn't work
on iOS; then everything turned into big and slow HTML5 stunts to replace Flash,
which have the exact same effect as Flash: battery drain, etc.

Apple, on the other hand controls the in-app anything experience.

Not saying it's right, just saying that's how Apple justifies its strategy.

------
rcurry
I really think we are way past the point where we need a serious regulatory
adjustment on all of these large data service providers - I don't think any of
them should be allowed to facilitate targeted advertising based on our
browsing habits, our phone calls, or the content of our emails.

------
revelation
This is the state of ISP regulation in the US, providers willfully
manipulating the payload they have been paid to transport.

I think an ISP that manipulates data beyond what is necessary for transport
should lose its immunity and associated privileges.

------
SapphireSun
Lovely. [https://www.verizonwireless.com/support/unique-identifier-header-faqs/](https://www.verizonwireless.com/support/unique-identifier-header-faqs/)

"Verizon Wireless will stop inserting the UIDH after a customer opts out of
the Relevant Mobile Advertising program or activates a line that is ineligible
for the advertising program. GOVERNMENT AND ENTERPRISE LINES ARE EXAMPLES OF
INELIGIBLE LINES. The UIDH will still appear for a short period of time after
a customer opts out of the Relevant Mobile."

Emphasis mine. This sort of clause is indicative that anyone with bargaining
power would not put up with this. Business users are probably even more
valuable to have data on, but the individuals just deal.

------
lukev
So I have a VPN I use already on my iPhone for sensitive things. Seems like I
should use it all the time.

Is it possible to make a VPN connection mandatory on a consumer iPhone? It's
really a pain having to reconnect manually after I haven't used it for a few
minutes.

~~~
jeff_tyrrill
Yes.

getcloak.com is a combination app and subscription VPN service that makes it
easy. You can either switch it on, or set it to always on. You can decide
which wi-fi networks (or cellular) to "trust" (exception to always-on).

The VPN, including always-on functionality, is implemented by iOS. The Cloak
app merely configures it via API (or via configuration profiles prior to iOS
9).

------
wyattjoh
I wrote a small Heroku app a while back for viewing request headers:
[http://rocky-brook-3183.herokuapp.com/](http://rocky-brook-3183.herokuapp.com/)

Source for the site is here if you're interested:
[https://github.com/wyattjoh/HeadersCheck](https://github.com/wyattjoh/HeadersCheck)

~~~
kibibu
Some of those headers are generated by the Heroku infrastructure

[https://devcenter.heroku.com/articles/http-routing](https://devcenter.heroku.com/articles/http-routing)

    > X-Forwarded-For
    > X-Forwarded-Proto
    > X-Forwarded-Port
    > X-Request-Start
    > X-Request-Id
    > Via

Plus

    > X-Request-Id

Are all Heroku-generated headers

~~~
wyattjoh
Exactly. I wasn't sure at the time what the name for the Verizon headers was,
so I just showed all of them.

------
on_
The article just below it indicates users can opt out, but mobile tracking is
such a big business I am sure that if it actually is possible, it is not easy.

Anyone have good privacy resources for mobile/iOS. My phone security is
nowhere near where it should be.

~~~
bndw
You can visit [http://checkyourinfo.com](http://checkyourinfo.com) to see all
of the HTTP headers your device is sending in requests, including any your ISP
may tack on.

Disclosure: I maintain the site

~~~
Abundnce10
Nice! I'm seeing an `X-Uidh` attribute in my request headers, is that the
Verizon Zombie Cookie?

~~~
bndw
Looks like that's the one: [http://www.verizonwireless.com/support/unique-identifier-header-faqs/](http://www.verizonwireless.com/support/unique-identifier-header-faqs/)

~~~
nandhp
Not that I approve at all of what Verizon is doing, but apart from the item
about opting out ("Verizon Wireless will stop inserting the UIDH after a
customer opts out of the Relevant Mobile Advertising program"), this stands
out:

They plan to (eventually) only send this to Verizon-owned (or contracted)
servers. This has two roughly equivalent corollaries:

1. They don't need to use a header for this because they can trivially
accomplish the same thing with a database of IP addresses.

2. They can trivially accomplish this with a database of active IP addresses,
so it doesn't really matter if they use a header or not.

Incidentally, other ISPs do this too, but for more benign reasons because they
don't (as far as I know) own an ad network: for example, T-Mobile
automatically logs you in to My T-Mobile when you access it over 3G.
Basically, if your ISP wants to track you, they will have no trouble with this
(except to the extent that they can be stopped with SSL). You'll just have to
switch ISPs, if possible.

------
nly
If your ISP really wants to provide customer/household level tracking to
advertisers/partners, they could easily provide an API to them like
getCustomerId(IPAddress, Timestamp).

It's not entirely clear from the article whether it's "Set-Cookie" being
injected in to replies, or the "Cookie" header in to requests, or both.

Interesting times nonetheless.

~~~
yclept
It is an http header: X-UIDH added to http requests

~~~
andymurd
It occurs to me that a mischievous person could easily write a Firefox plugin
to (over)write that header with random garbage. If enough people used the
plugin, it would render Verizon's data useless.

~~~
clort
except that the ISP is adding this header. They could (or do already?) just
replace your header with their own..

~~~
yclept
Yep, and Verizon does. They will overwrite your header.

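The exchange above (a client plugin writing random garbage into X-UIDH, and the carrier simply overwriting it) modelled as an added example. This is not Verizon's code and assumes nothing about their proxy beyond what the thread states: the header is inserted or overwritten on plaintext HTTP. It also includes the `getCustomerId(IPAddress, Timestamp)` lookup nly describes, to show nandhp's point that the header is redundant with the carrier's own IP lease records. The subscriber table, carrier key and token scheme are constructed; `carrier_proxy` and `lookup_subscriber` are names chosen here.

```python
"""Model of a carrier HTTP proxy rewriting X-UIDH, plus the equivalent IP lookup.

Added example, not Verizon's code. The subscriber table, the carrier key and
the HMAC-based token are all constructed for illustration.
"""

import hashlib
import hmac
import secrets
from typing import Optional

# Constructed: the carrier's secret and its NAT/billing lease log.
CARRIER_KEY = b"constructed-carrier-secret"
SUBSCRIBER_OF_IP = {
    # (ip, lease_start, lease_end) -> subscriber id
    ("198.51.100.7", 1444838000, 1444841600): "sub-000123",
    ("198.51.100.7", 1444841600, 1444845200): "sub-000987",
}


def carrier_uid(subscriber_id: str) -> str:
    """Opaque token that is stable per subscriber (constructed: truncated HMAC)."""
    return hmac.new(CARRIER_KEY, subscriber_id.encode(), hashlib.sha256).hexdigest()[:32]


def carrier_proxy(request_headers: dict, subscriber_id: str, tls: bool) -> dict:
    """What the request looks like after it crosses the carrier.

    Plaintext HTTP: the proxy can read and rewrite headers, so whatever the
    client put in X-UIDH (a plugin's random garbage included) is discarded and
    replaced with the carrier's own token.
    TLS: the proxy only sees ciphertext; the headers pass through untouched,
    and no header can be inserted either.
    """
    if tls:
        return dict(request_headers)
    out = {k: v for k, v in request_headers.items() if k.lower() != "x-uidh"}
    out["X-UIDH"] = carrier_uid(subscriber_id)
    return out


def lookup_subscriber(ip: str, timestamp: int) -> Optional[str]:
    """nly's getCustomerId(IPAddress, Timestamp): map a source IP seen at a given
    time back to the subscriber who held that lease, using the carrier's logs."""
    for (lease_ip, start, end), sub in SUBSCRIBER_OF_IP.items():
        if lease_ip == ip and start <= timestamp < end:
            return sub
    return None


def demo() -> tuple:
    """Send the same request twice with different random X-UIDH values and
    return (garbage sent, token seen over HTTP, header seen over HTTPS)."""
    first = {"Host": "example.test", "X-UIDH": secrets.token_hex(16)}
    second = {"Host": "example.test", "X-UIDH": secrets.token_hex(16)}
    over_http = carrier_proxy(first, "sub-000123", tls=False)["X-UIDH"]
    again = carrier_proxy(second, "sub-000123", tls=False)["X-UIDH"]
    assert over_http == again  # the plugin's randomisation had no effect
    over_https = carrier_proxy(first, "sub-000123", tls=True)["X-UIDH"]
    return first["X-UIDH"], over_http, over_https


if __name__ == "__main__":
    sent, http_seen, https_seen = demo()
    print("client sent  :", sent)
    print("server (HTTP):", http_seen, "<- carrier token, client value gone")
    print("server (HTTPS):", https_seen, "<- untouched")
    print("IP lookup    :", lookup_subscriber("198.51.100.7", 1444840000))
```

The two things worth taking from this: randomising the header client-side only matters if the carrier is not the last writer, which on plaintext HTTP it always is; and even on HTTPS, where the header cannot be touched, a partner with access to the lease log gets the same answer from the source IP and a timestamp. TLS stops the header injection; it does not stop the carrier from knowing who you are.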
------
jp_rider
Opt out [instructions](http://www.techlicious.com/blog/verizon-uidh-supercookie-tracking-program-opt-out/).

------
th0ma5
Previously:
[https://news.ycombinator.com/item?id=10354692](https://news.ycombinator.com/item?id=10354692)

~~~
dang
There's a lot of randomness in what gets traction on HN, so sometimes a story
needs to be posted a few times before it does. So we don't consider reposts to
be duplicates until the story has had significant attention on HN (see
[https://news.ycombinator.com/newsfaq.html](https://news.ycombinator.com/newsfaq.html)).

One downside is that the original submitter of a story doesn't always end up
with the karma for it.

~~~
on_
Hey dang,

Thanks for getting back to me quickly yesterday and restoring my old hn name.
I still seem to be unable to connect from my entire network, and I have gotten
a few arbitrary upvotes, but no one has responded to any comment or submission
since yesterday. Coupled with connectivity issues, would you mind double
checking there is not a ri.ri.cox.net ip address that was banned at a software
level, begins with 72 and ends with 48. Sorry to reply here, just trying to
confirm if i am visible. Thanks for the reply yesterday, cheers.

======================

Edit

======================

I somehow am having traffic time out to most Cloudflare servers. Sorry to bother
you again, you were super helpful. Going to try and figure this out or find a
direct ip if it exists. Super fast, really pleasant response yesterday. Thanks
again. I am def. visible.

~~~
PhantomGremlin
_I somehow am having traffic time out to most Cloudflare servers_

I had all sorts of intermittent problems like this about 18 months ago. In my
particular case it was

    The web server reported a bad gateway error.

Dan and I went back and forth a few times in email but didn't conclude
anything before things cleared up. I haven't seen the problems since.

One thing to try is to set up a Personal Hotspot on a phone, and point your
laptop at that. In my case I would _still_ see the same errors.

Good luck.

Edit: this may be nothing but IIRC I had more problems trying to access HN
anonymously than if I was logged in. Sounds crazy, but most intermittent
problems are exactly that: crazy.

------
manigandham
What exactly is the big aversion to tracking? The vast majority has shown (via
actions, not internet noise) that they don't care so what exactly is the big
downside?

Not arguing for/against, just want to know reasons beyond "i just dont like
it".

~~~
ihsw
Zombie cookies in particular are insidious -- while you are actively trying to
conceal your identity by proactively deleting cookies or using incognito mode,
your ISP re-adds them without your consent.

This kind of aggressive and underhanded behavior should be shamed as it
violates the trust that users have in their ISPs.

~~~
manigandham
A lot of this came about because of the "war" on the 3rd party cookie which
was unfairly demonized.

I get why zombie cookies are bad as it takes control away, but what is the
issue surrounding plain tracking of behaviours? So what if a company knows the
history of sites you've visited - what does this do against you?

~~~
fuzzywalrus
Since this is tied to an account, it means data that never dies. While
currently unlikely, imagine being vetted for a job by the websites you visit.
Do you want an employer to be able to purchase your online history? There's
more to hide than the usual things like pornography or political sites. Imagine
you've visited several competitor employers, including past job listings. One
could easily deduce you likely applied and failed if the job listings no
longer exist and you're applying for this new job. Perhaps this makes for a
lower offer on the new employers behalf.

I could invent many hypotheticals in this vein, but privacy is something worth
protecting.

~~~
manigandham
Makes sense. Isn't this more of an issue of discrimination and what data a
company can have access to?

Are employers getting access to search data today? I'm not sure that's
happening. Most 3rd party tracking isn't that accurate in coming up with
interests/segments for the user in the first place and 1st party data is well
protected in that it's what gives the holder value.

I think privacy is important, but there a lot of levels here and browsing
history (while valuable) for advertising is not as big of an issue as other
wholesale data collection that we see out there.

~~~
thephyber
> Are employers getting access to search data today?

The more it's used, the cheaper it becomes to collect and sell. The issue is
never about how it is used today; always about how it can be used in the
future.

You can always find a way to work for yourself and avoid passing an employer
background check. I'm more worried about political parties and private eyes --
blackmail, extortion, ugly divorce proceedings, etc. This can have a chilling
effect on free speech and curiosity.

The Jacob Appelbaum talk explaining linkability.[1]

Anyone who has access to any website where you logged into an account you
publicly admit to owning can link your public identity to any
private/anonymous persona, given another marketing data source. Verizon "owns
the data", but not really. They are the original owner of the data, but
eventually Experian (target of the recent T-Mobile/Experian data theft) and
the other credit reporting agencies will have your X-UIDH. Facebook, Twitter,
and Google will know as soon as you log in once. They will be able to identify
all of your accounts, perhaps even if you use a VPN.

As with any other high tech tracking, the average end-user is either unaware
of the zombie cookie or unaware of the full capabilities of the linkability of
it.

[1] [https://www.youtube.com/watch?v=HHoJ9pQ0cn8](https://www.youtube.com/watch?v=HHoJ9pQ0cn8)

