
Verizon fined $1.3M for supercookie header injection [pdf] - tshtf
https://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0307/DA-16-242A1.pdf
======
rektide
131b revenue in 2015. So, at 1.3m, a 0.001% fine, aka _half a minute of
revenue._

Interestingly it doesn't _directly_ fix the problem either (although it wrecks
the current free-profit model, yay!), _" To settle this matter, Verizon
Wireless will pay a fine of $1,350,000 and implement a compliance plan that
requires it to obtain customer opt-in consent prior to sharing a customer’s
UIDH with a third party to deliver targeted advertising"_

But lest anyone think this is a UIDH prohibition, the next line goes on to say
customers must at least have the ability to opt-out from _internal_ Verizon
usage, meaning the UIDH will be there (unless the customer opts out) and that
a persistent, unique identifier that follows the user wherever they go is
permitted. This ruling is primarily about Verizon _sharing_ the targeting
information: Verizon is still permitted a persistent attack on their users,
but they are now only permitted to sell customer data on an opt-in basis. Ad-
networks will have to do their own tracking themselves for everyone else.

Hopefully Verizon's profits from this schtick are shorn from this shift, to a
degree where they give up this _disgraceful corporate panopticon_ they've been
going to the bank on.

~~~
asuffield
I'm not interested in defending Verizon here, but your math is wrong.
Comparing fines (or taxes, the other popular variation of this error) to
revenue is meaningless. You need to compare them to profit. The amount of
money that they handled but didn't benefit from is irrelevant.

Verizon's profits for 2015 were $4.22bn. That makes it a 0.03% fine.

But that's still not close enough, because this infraction was in "Verizon
Wireless", not the entire company. So to really get a sense of its relevance,
you need to figure out what the profit of that arm of the business was.

I can't find that number anywhere. Anybody got a hint?

~~~
marincounty
I think it's time we tie criminal/civil fines/fees to income. I'll even accept
net.

All I know is when I'm fined, there's a possibility that it might be the last
straw. The last straw to homelessness.

When a rich man, or remotely successful corporation is fined it's just
something to talk about.

It seems to violate one of those amendments that people seem to forget about
--the 8th? It doesn't matter because nothing will change.

~~~
asuffield
That's not unreasonable in principle, but then it gets more complicated: do
you propose to hold the entire company accountable for the actions of a small
part of it? If not, then it devolves into the kind of accounting complexity
that results in random internet outrage because it's beyond the understanding
of most people.

If you do propose to hold the entire company accountable for any action taken
in its name, then consider what you are enforcing: this would mean companies
would be immediately obliged to disempower their entire staff from making
decisions at any level, and require review and approval for all actions, to
make sure that nobody ever makes a mistake that could be punitively expensive.

Neither of these is going to turn out to be a simple solution to a complex
problem.

Worse, you can't even use a simple rule here, because what do you do about
companies that aren't making a profit? Do they effectively have carte blanche
to violate the law in order to improve their situation? That's probably not
what you want, so you'd end up with some complicated mix of both systems.

~~~
narag
_That's not unreasonable in principle, but then it gets more complicated: do
you propose to hold the entire company accountable for the actions of a small
part of it?_

Of course.

_this would mean companies would be immediately obliged to disempower their
entire staff_

No.

Their entire staff is _already_ "disempowered" to make decisions that could
put the company in legal trouble. Also this is intended, not merely reckless.
Do you really believe this was some nobody's idea? Come on!

Please, someone with real legal knowledge could you explain why this is not
like Volkswagen.

I suspect that privacy violations are not quantified or else a "class action"
would dry up any and all the profits.

~~~
asuffield
There's a big difference between "not authorised" (the current reality) and
"disempowered". You are not authorised to send emails that place the company
in legal jeopardy. You are disempowered from doing so if every email that you
send has to be reviewed by a company officer first. The norm today is that you
are trusted to not exceed the limits of your authority.

How about every line of code that you write being reviewed by legal to make
sure it was within the bounds of the law?

There's plenty of scope here for a far more defensive position on ensuring
compliance. That is what you would expect and desire from any attempt to
massively increase the liability of errors, no?

~~~
narag
So were you talking about sending emails?

OK then.

I don't know why I thought it was about a deal of hundreds of thousands or
maybe millions of dollars affecting customers' privacy :->

~~~
paulddraper
What if the deal was over email?

To be serious, I think you're making an arbitrary distinction.

~~~
narag
Please check your sarcasm detector, it might be malfunctioning.

------
jcr
VerizonWireless does all sorts of _ahem_ questionable things to the network
traffic passing through it, particularly unencrypted traffic like plain HTTP.
If you're concerned about image quality, one of their more insidious but
unnoticed intrusions is their on-the-fly recompression and/or resizing of
images.

Always using a VPN (or SSH tunnel) solves most of the problems.

    
    
      # -4: IPv4 only, -N: no remote command, -D: local SOCKS proxy on 127.0.0.1:1080
      $ ssh me@example.com -4ND 127.0.0.1:1080
    

But you'll need to make sure ppp(8) ignores the HDLC errors they inject into
long-standing sessions. It will work if your settings and chat script are
correct.

Lastly, check your contract; you might be one of the lucky ones who have the
clause stating VPN traffic is not counted towards your bandwidth cap and/or
rate limit.

~~~
chejazi
T-Mobile got called out pretty hard when it was discovered they were
downscaling videos [0] under the guise of their "Binge On" program. But hidden
tracking cookies are far more disturbing than (noticeably) downscaled
images/videos. Ultimately, the people are the consumers of images/videos. Who
knows who the consumers of that tracking data might be... Obviously
advertisers, but who else? The NSA?

[0] https://www.eff.org/deeplinks/2016/01/eff-confirms-t-mobiles-bingeon-optimization-just-throttling-applies

~~~
spacemanmatt
my tmo network service is often a crude joke. 10gb/mo of basically trash
service. at least i get 4 bars!

~~~
sethhochberg
Are you in an area where T-Mobile offers band 12 LTE, and does your device's
radio support it?

[http://www.spectrumgateway.com/t-mobile-700a-spectrum](http://www.spectrumgateway.com/t-mobile-700a-spectrum)

Band 12 is rolling out pretty quickly and is spectrum that allegedly helps
with a lot of issues caused by buildings / dense urban environments / long
range / etc. I can't confirm personally since I don't own a device that
supports LTE band 12 (purchased before TMo bought this spectrum....) but
reports seem to be very positive.

------
vonklaus
This is a big victory:

> 16. Termination of Investigation. In express reliance on the covenants and
> representations in this Consent Decree and to avoid further expenditure of
> public resources, the Bureau agrees to terminate the Investigation. In
> consideration for the termination of the Investigation, Verizon Wireless
> agrees to the terms, conditions, and procedures contained herein.

Verizon has agreed to pay $1.35M and will likely notify the FTC by mail if it
makes a change. It has agreed to abide by the law. If you put this in
perspective, this is way more than a slap on the wrist. If we assume a gb
costs ~$10 and an average user uses ~6gb then:

($1,350,000 fine / $10/gb) / (6gb/user * 12months) = 1875

This is almost very nearly 1900 people! A huge number. Obviously this is back
of a napkin, and the actual size of headers is pretty negligible so there
isn't any sense in backing that out of the calculation, because the users
already paid for the bandwidth.

Plus, verizon is _literally_ the only company out of hundreds of providers
doing this. Surely between the weight of this fine and the competition the
company will go bankrupt soon.

Big win! Say what you want about the FTC but they closed down the
investigation saving an untold number to the US tax payer, Verizon is forced
to break the bank, and the response time was rapid, 4 years open shut.

The FTC has been super sharp on policing the industry, by allowing the
Government to subsidize huge swathes of infrastructure costs and selling a
finite amount of bandwidth, they have been able to keep companies on their
toes, not allowing any one company to own telephone, wireless, and internet
capabilities.

I hope they can keep this up because Verizon is the only bad actor in the
entire space, so it is pretty much all taken care of now.

~~~
javajosh
There is a thing in the world called "petty injustice". It's when you get
screwed a little bit. Entities like Verizon make a great deal of money on
_aggregate petty injustice_. There is no legal recourse: things like this FTC
investigation are (as you intimate) like the buzzing of a fly. A minor cost
center (mostly legal fees). And even those minor bites are used to attack
regulation as "bad for business". Class-action lawsuits are forbidden by
virtually all contracts. The only real recourse is to switch carriers; however
even that is not real because they all play by the same rules.

Computers are really the thing that make _aggregate petty injustice_ a
workable business model, because doing any computation millions of times with
humans would cost far too much. This is one reason why dealing with the
problem is actually a hacker/programmer moral imperative.

The last piece of the puzzle is why the FTC, SEC, etc. are so ineffective.
These are the police of big business. Why are the police of individuals so
harsh and powerful, but the police of business so weak and ineffective? I
think it has to do with the politics of ignorance. There is no political
pressure on the FTC to do its job; it's too far removed from any elected
official. No-one is going to pick the next president based on who they appoint
as FTC chairman. One of the reasons is that the country is divided on
regulation itself, which means that a large fraction of people, even the
victims of petty injustice, would prefer that Verizon simply get away with it.
These are the same people who would interpret a harsher penalty as an "anti-
business" Obama/Democrat move, instead of simple enforcement of the law.

It's the 21st century and I think it's time that we enumerated some new rights
in the face of unprecedented assaults on our freedoms. There needs to be the
equivalent of a "fiduciary responsibility" for communications companies.
People should not be allowed to give away their legal rights (the right to
file class-action lawsuits). The justice system needs to be reformed, with
technology and simplifying policies, to make it much faster and much much
cheaper. (Not quite related to this case, but our personal devices that
represent a very real extension of our minds should be absolutely protected
from intrusion.)

~~~
forgotpwtomain
> There is a thing in the world called "petty injustice". It's when you get
> screwed a little bit. Entities like Verizon make a great deal of money on
> aggregate petty injustice.

That's a very succinct and clear way of putting it. I wonder if there is an
essay or other origin for the particular term you are using?

~~~
zimpenfish
"Wartime: Understanding and Behavior in the Second World War" (1989) links
"petty injustice" to "chickenshit behavior" - "the petty harassment of the
weak by the strong; open scrimmage for power and authority and prestige;
sadism thinly disguised as necessary discipline; a constant 'paying off of old
scores'; and insistence on the letter rather than the spirit of ordinances."

------
DKQKFE
It took about 10 days for the opt out to work for me.

"Overall, Verizon reported a profit of $4.22 billion" reported by forbes for
the 2015 operating year. That is profit, not revenue.

So, 1,300,000 / 4,220,000,000 = .000308 ouch..

~~~
hallman76
I just found opt-out instructions[1]. How did you validate that the opt-out
worked?

[1] http://www.clarkhoward.com/how-opt-out-verizons-super-cookie-tracking

------
Animats
Verizon was fined for _not disclosing_ supercookie injection. They can still
do it, but have to allow for opt-out.

Amusingly, they don't do it for "government or enterprise" accounts.

~~~
spacemanmatt
I'd like to benefit from collective bargaining with mobile carriers, too.

------
yclept
Here is a discussion from a year or two ago that explains the header:
[https://news.ycombinator.com/item?id=8500131](https://news.ycombinator.com/item?id=8500131)

------
incongruity
The punishment should fit the crime. If penalties were tied to some sort of
assessment of economic gains from the violations, it might start to make
companies weigh their actions a bit more...

------
jmsdnns
$1.3m? They won't even notice.

~~~
mtgx
They probably paid their lobbyists more to fight against the FCC over this.

------
RandomBK
A lot of threads here are focused on the minuscule fine, but the larger impact
is that this is another case study that can be used in the next net neutrality
debate. Verizon is giving evidence to the argument that they can't be trusted
with network communications, evidence that will surely come back to bite them
in the future.

------
tomschlick
Even more reason to use HTTPS for everything... We can't even trust the
providers we do pay not to sell data on us.

------
rasz_pl
$1.3M is less than their lawyer fees.

------
biturd
And there is now going to be yet another misc 8 cent charge on my bill. Where
is my 50 cent rebate for going paperless and saving them the stamp?

~~~
harryh
To be fair, most of the surcharges on your bill are government taxes of
various kinds.

------
joering2
0.001%.

Is there any reason why Verizon would even bother to comply??

Just wait and see what happens if you get another suit that penalizes you
0.01%, then comply.

I'm being sarcastic of course.

------
IMTDb
ELI5 what is/was the super cookie ? What is/was the purpose, and how does/did
it work ?

~~~
icebraining
When you did a request for a web page on their network, Verizon would
silently add a header to your request with an ID tied to your data plan
contract. The point was to enable them to sell analytics services that tracked
users from their network across the sites of their clients.

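The mechanism icebraining describes, and the check hallman76 asks for further up (how do you know the opt-out actually worked?), as an added example that is not code from the page, from Verizon, or from any commenter. It simulates the carrier middlebox appending a per-account token to every plaintext HTTP request, the subscriber-side or site-operator check for that header, and the cross-site correlation an ad network could do with it. Assumptions: the header name `X-UIDH` is recalled from public reporting (the page only says "UIDH"), the HMAC token derivation is hypothetical, and the requests, account IDs and carrier secret are constructed for the example.

```python
"""Carrier-side tracking-header injection, the check for it, and the
cross-site correlation it enables. Added example; not from the page."""
import hashlib
import hmac
from typing import Dict, List, Set, Tuple

# Verizon's header was reported as X-UIDH; the page itself only says "UIDH",
# so the exact name is an assumption here.
UIDH_HEADER = "X-UIDH"
CARRIER_SECRET = b"constructed-carrier-secret"  # constructed for the example


def split_request(raw: bytes) -> Tuple[List[bytes], bytes]:
    """Split a plaintext HTTP/1.1 request into its head lines and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n"), body


def headers_of(raw: bytes) -> Dict[str, str]:
    """Return request headers as a lower-cased name -> value map."""
    lines, _ = split_request(raw)
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return headers


def host_of(raw: bytes) -> str:
    return headers_of(raw).get("host", "")


def derive_uidh(account_id: str, carrier_secret: bytes) -> str:
    """Opaque but stable per-account token (hypothetical derivation).
    Stability is the whole point: the same subscriber gets the same value
    at every site, so the value is a cross-site identifier."""
    return hmac.new(carrier_secret, account_id.encode(), hashlib.sha256).hexdigest()[:32]


def inject_uidh(raw: bytes, account_id: str, carrier_secret: bytes) -> bytes:
    """Middlebox side: append the token to the request head.
    This is only possible because the request is plaintext in transit; a
    request inside TLS cannot be read or altered by the carrier, which is
    why HTTPS (or a VPN/SSH tunnel) defeats the injection."""
    lines, body = split_request(raw)
    token = derive_uidh(account_id, carrier_secret)
    lines.append(UIDH_HEADER.encode("ascii") + b": " + token.encode("ascii"))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def injected_headers(raw: bytes, names=(UIDH_HEADER,)) -> Dict[str, str]:
    """Check side: which watched headers are present on the request the
    server actually received? Run this against what a header-echo page
    shows you when fetched over the mobile network."""
    wanted = {n.lower() for n in names}
    return {k: v for k, v in headers_of(raw).items() if k in wanted}


def opt_out_effective(raw: bytes) -> bool:
    """True when no UIDH reached the server, i.e. the opt-out held."""
    return not injected_headers(raw)


def correlate(requests: List[bytes]) -> Dict[str, Set[str]]:
    """Ad-network side: group the hosts visited under each token. Two
    unrelated sites seeing the same token are the same subscriber."""
    seen: Dict[str, Set[str]] = {}
    for raw in requests:
        token = injected_headers(raw).get(UIDH_HEADER.lower())
        if token:
            seen.setdefault(token, set()).add(host_of(raw))
    return seen


def sample_request(host: str, path: str = "/") -> bytes:
    """Constructed plaintext request, as a phone would send it."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: example-phone\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    plain = sample_request("news.example")
    tagged = inject_uidh(plain, "acct-1001", CARRIER_SECRET)
    print("before middlebox:", injected_headers(plain))
    print("after middlebox: ", injected_headers(tagged))
    print("opt-out effective?", opt_out_effective(plain), opt_out_effective(tagged))
    visits = [inject_uidh(sample_request(h), "acct-1001", CARRIER_SECRET)
              for h in ("news.example", "shop.example")]
    visits.append(inject_uidh(sample_request("shop.example"), "acct-2002", CARRIER_SECRET))
    for token, hosts in correlate(visits).items():
        print(token, "->", sorted(hosts))
```

The validation step a subscriber can do is the `injected_headers` check applied to whatever a header-echo page reports over the cellular connection, with Wi-Fi off; if the header is still there after opting out, the opt-out has not taken effect. Note that nothing in the check depends on the token's derivation: any stable value that differs per subscriber and appears at unrelated hosts is sufficient for the correlation shown in `correlate`.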
~~~
wnevets
so even if the service isn't free you're still the product.

~~~
justinjlynn
If they can sell you and get paid by you for the privilege, why wouldn't they?
Capitalism, as a good and effective market philosophy, is built on all parties
being aware of all aspects of the transaction and ideally of all
transactions... a perfect market. If such a thing doesn't exist, which it does
not, then it's selective fuckery. However, it tends to exhibit less fuckery
than most other systems... except when it doesn't.

~~~
wnevets
sounds like "If you're not paying for the product, you are the product." needs
to be updated to just "you are the product"

~~~
justinjlynn
well, it's more like, "You may be the product even if you're paying. Who knows
because nobody will tell you because they're not required to tell you." But
yeah, 'you are the product' is probably the most accurate.

------
PedroBatista
With such a dent in their profits I'm sure Verizon will learn their lesson.

------
ComteDeLaFere
Despite all the outrage against Verizon, a small part of me feels sorry for
them. Having consulted with large corporations in the past, I know that most
(all) of them don't generally have expertise in this kind of thing, and
usually outsource it to a variety of digital agencies. My guess is that they
will be having a very hard conversation with one or more of their vendors.

~~~
jakub_g
I cannot believe such a huge company did not consult lawyers and that the guy
who was forced to write the code didn't speak to their managers about
potential implications (whether it went up the chain is another matter).

Besides that, ignorantia iuris nocet. Governments don't have problems with
fining individuals unaware of arcane and complex laws. Why would we feel sorry
for unscrupulous corporations?

~~~
ComteDeLaFere
Agreed on all points, however -

_the guy who was forced to write the code didn't speak to their managers
about potential implications_

That isn't really the way things work in an agency/Fortune 500 relationship.
What _really_ happens is something like:

-> the development manager attempts to translate the implications of said
software to an account manager who is directly responsible for client
communication
-> the account manager has little idea of what the development manager is
talking about, which does not stop them from attempting to translate in turn
to the client's marketing team
-> the one tech representative from the client company listens to the
translation in abject horror, knowing that any questions they ask will never
be adequately answered
-> everyone goes out for drinks on the agency's tab

This isn't a raging critique of the process, it's just what normally happens.

That said, Verizon got fined for a good reason.

~~~
pdkl95
[http://ogun.stanford.edu/~bnayfeh/plan.html](http://ogun.stanford.edu/~bnayfeh/plan.html)

