Hacker News
Tell HN: If you use Verizon, opt out of “Custom Experience”
272 points by beervirus 40 days ago | 108 comments
I just got this text:

> VZ Msg: Introducing Verizon Custom Experience. VZ content & offers are more relevant using web browsing & app usage info. For info or to opt-out: m.vzw.com/CE

And all I can say is: fuck that.

Not sure how many times I have opted out of Verizon's cool new surveillance feature, this appears to be a new one. I will say the typo in the copy that says they might, for example, mark me as a "spots lover" is pretty nice [0]. Bring on the leopard spam!

[0] 'The program uses information about websites you visit and apps you use on your mobile device, your Verizon Fios services, device location and Customer Proprietary Network Informationn (CPNI), including phone numbers you call and those that call you, to help us understand your interests, like "spots lover" or "gamer."'

That's why "opt out" is not an ethical or practical solution. There needs to be a (legally mandated and enforced) requirement for such things to be opt-in.

Any opt-out agreement puts the user signing the contract at a disadvantage; the opt-out could be 'lost' and then the upper-hand in the agreement prefers the service providing the contract, the same party which has the most to gain from the 'loss'. Whereas an opt-in agreement defaults to the upper-hand in favor of the user if the contract is lost, forcing the owning party to keep careful track of the signature.

Of course this doesn't preclude forged signatures/agreements.

I've opted out of Verizon's spam texts, which I would get 3-5 times per day. But I didn't get the text offering me the ability to opt out of this shit, because I opted out of their texts. Cool.

Every year I opt out of emails from Elsevier. Exactly one year later I get spam from one of their journals. I've taken to grabbing a screenshot of the opt-out screen before submitting, and writing them vaguely threatening emails over it.

More than this, I was not even notified by VZW that I was being opted in. I've used VZW for many years, have opted out of surveillance for many years, then suddenly my mom texts me an NPR article and I check to find that I've been opted in to more surveillance? If companies are not legally required to inform me when details of a contract change, what else am I consenting to without my knowledge?

Agree with you completely, but companies/governments do not. See https://en.m.wikipedia.org/wiki/Libertarian_paternalism

I think most/all networks have something like this.

T-Mobile’s can be turned off at: https://www.t-mobile.com/account/profile/line-selector/adver...

But you have to turn each line off one-by-one, there’s no master switch.

I consume mobile broadband only via a portable, battery operated wifi VPN router that speaks only Wireguard back out over the LTE.

I have a Google Fi (t-mobile network) SIM in one of these:


Fuck carrier surveillance.

> I have a Google Fi

> Fuck carrier surveillance.

How about Google surveillance? Google is one of those companies that I find insidiously evil. They have excellent PR and never get hammered on HN, but they own you, your soul and know more about you than you do. Google is completely inside you. Completely outside you.

Far scarier than Verizon. Although, fuck Verizon too.

> They have excellent PR and never get hammered on HN

You must be reading a different HN than I am.

FB > Amazon > Twitter > Apple > Google > Tiktok. In that order, in terms of the spanking I see on HN.

Google doesn’t surveil app usage or network traffic via their network services (eg. Fi and Fiber).

How are you sure of that? Is there actually a way to be sure of that?

It's a switch away. I'd rather not share the same ISP as my family photos storage provider or health records (Verily) vendor.

I am actively trying to de-Google my life. It's surprisingly difficult.

You can't actually browse a functional web without loading js from Google. Trying to de-Google your life means giving up web browsing very nearly in full.

Not true, Google isn't the only CDN. And you can even just have your own local one.


T-Mobile does, and they run the physical network the Fi traffic runs over, which makes this whole "Google is/isn't as bad as T-Mobile on privacy" debate a red herring.

Doesn't mean they don't pay for that same data.

UDP is throttled to about 100 kbps on T-Mobile. Wireguard won't work and TCP based VPNs don't work either because the carrier injects TCP RST packets to all VPN-like connections.

Is this a regional (or plan-related) thing? I have no problem hitting 200Mbps to my wireguard server at home, though I'm on one of the old Simple Choice plans (with the Binge-On throttling disabled if that matters).

Sounds like it's time to get a new ISP. "We won't let you use our network unless you let us look at the traffic" is a pretty clear message to me.

It actually depends on the city. In certain parts of Chicago, what you say reflects my experience, but I haven't run into those issues in most places.

On T-Mobile LTE. Just connected to VPN using NordLynx, which is WireGuard. Speed test shows 16Mbps down so...

I must clarify this because you're right. I checked with my buddy on T-Mobile that has a Wireguard VPN and it works fine. I think it has to be an MTU setting that needs to be changed. Or it could be a geographic block but I find this theory unlikely.

Looks interesting. However, what gives you trust in this 'Mudi by GL.iNet' device and app? Genuine question since I am in the market for a hotspot device and reviewing my options.

It runs OpenWRT.

Correct, but the hardware is from a Chinese company.

What's the advantage of this over running WireGuard directly on your phone?

One advantage is OpenWRT versus iOS/Android. User ultimately has no control over the latter, whereas user can easily compile OpenWRT from source.

For example, OpenWRT allows more control over DNS settings. There is no user access to /etc/hosts or /etc/resolv.conf on iOS/Android. User can easily run servers on the e750, e.g., DNS or proxies, and inspect the contents of traffic, including TLS. The e750 has fewer limitations when running servers on Android with something like Termux. Using Termux, it is difficult if not impossible to run essential programs like tcpdump. Moreover Termux is not available for iOS. iOS is intentionally "locked down" and Apple prevents users from compiling iOS from source.

The e750 can accept CAT5/CAT6 Ethernet cables. Wired internet is an option. "Smartphones" are wireless-only.

Corrections welcome.

> Corrections welcome.

I'll point out that rooted Android is an option that grants you much more control. You can even build Android for many devices from source if you're so inclined (though perhaps not all of the drivers).

Rooted Android increasingly tends to be an option best reserved for technically-sophisticated users, but compiling OpenWRT from source isn't exactly consumer-friendly.

Of course, there is no requirement to compile OpenWRT. GL.iNet has already done that for the consumer that has no interest in compiling.


What are the resource requirements for building Android from source versus building OpenWRT. The option that requires much more significant resources is less consumer-friendly, IMO. It is certainly less friendly for this user.

OpenWRT is a smaller OS than Android and less complex.

For me, OpenWRT is easier to work with than Android. Perhaps I am not "technically-sophisticated". I just want more control. I prefer commandline programs to "smartphone apps".

I am not suggesting a specific course of action to you; if you're happy with the approach you're using, I don't think I have a better one for you.

Instead, I am offering corrections as you requested. It is possible to manipulate the hosts file and low-level DNS configuration on Android with root. It is possible to use tcpdump on Android with root. I expect it's reasonably possible to run servers on Android with root, but there seems to be less interest in that (a long-running server is surely bad for the battery life of a typical Android device, for example).

Your correction has been noted. Thank you.

Correction: s/Android/non-rooted &/

iPhones/iOS leak stuff past the VPN constantly. I am also keeping my location changes private from Apple, and the phone maintains a persistent connection to APNS at all times, leaking the client IP, and will do so even if the VPN on device goes down. There are also DNS leaks exposing the device's client IP.

I also have root on the hotspot device and can block access to specific IPs or hostnames, and can run tcpdump to monitor traffic. It's pretty nice for seeing what spyware various mobile apps have embedded in them.

You could also run the VPN on the phone itself, and just use the firewall on the hotspot to prevent traffic to any IP other than the VPN endpoint, closing the iOS VPN leaks, but I connect 3-4 devices to the hotspot and want VPN on all of them, so doing the VPN on the hotspot is slightly more convenient.
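The leak check discussed in the comments above (capture on the hotspot and look for anything that leaves outside the tunnel), as an added example that is not part of the thread. It assumes a text capture taken with `tcpdump -n` on the hotspot's LTE-facing interface; the function names, addresses (documentation ranges) and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# tcpdump -n text output: "<time> IP <src> > <dst>: <rest>" (IP or IP6).
LINE_RE = re.compile(r"^\S+ IP6? (\S+) > (\S+): (.*)$")


def split_host_port(token):
    """Split tcpdump's 'addr.port' form; port is None for portless traffic (ICMP)."""
    try:
        return ipaddress.ip_address(token), None
    except ValueError:
        host, _, port = token.rpartition(".")
        return ipaddress.ip_address(host), int(port)


def find_leaks(lines, wan_ip, endpoint_ip, endpoint_port):
    """Count packets on the WAN side whose remote peer is not the WireGuard endpoint.

    Returns Counter{(remote_ip, remote_port): packets}. An empty result means
    everything seen on the interface was tunnel traffic.
    """
    wan = ipaddress.ip_address(wan_ip)
    endpoint = (ipaddress.ip_address(endpoint_ip), endpoint_port)
    leaks = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ARP and other non-IP lines
        try:
            src = split_host_port(m.group(1))
            dst = split_host_port(m.group(2))
        except ValueError:
            continue  # unparseable address/port token
        # WireGuard is UDP only; tcpdump marks TCP segments with "Flags [".
        is_tcp = "Flags [" in m.group(3)
        remote = dst if src[0] == wan else src
        if remote == endpoint and not is_tcp:
            continue  # encrypted tunnel traffic, expected
        leaks[(str(remote[0]), remote[1])] += 1
    return leaks


# Constructed capture: two tunnel packets, one plaintext DNS query,
# two segments of a direct TCP connection, one ICMP echo, one ARP line.
SAMPLE = """\
12:00:01.000100 IP 10.64.0.2.51820 > 203.0.113.10.51820: UDP, length 148
12:00:01.050200 IP 203.0.113.10.51820 > 10.64.0.2.51820: UDP, length 92
12:00:02.000300 IP 10.64.0.2.41234 > 192.0.2.53.53: 4660+ A? example.com. (29)
12:00:03.000400 IP 10.64.0.2.50000 > 198.51.100.7.5223: Flags [S], seq 1, win 65535, length 0
12:00:03.500500 IP 10.64.0.2.50000 > 198.51.100.7.5223: Flags [.], ack 1, win 512, length 0
12:00:04.000600 IP 10.64.0.2 > 192.0.2.53: ICMP echo request, id 1, seq 1, length 64
12:00:05.000700 ARP, Request who-has 10.64.0.1 tell 10.64.0.2, length 28
""".splitlines()

if __name__ == "__main__":
    found = find_leaks(SAMPLE, "10.64.0.2", "203.0.113.10", 51820)
    for (ip, port), count in sorted(found.items(), key=str):
        print(f"outside tunnel: {ip} port={port} packets={count}")
```

Any entry in the result is traffic the carrier can observe directly; on a hotspot that tunnels everything, the expected result is an empty counter.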

I checked on my account, and it looks like there are only two things total to disable? Not a big deal that there's no master switch, unless there are more things for some people for some reason?

Usually the point of not having a master switch is to retain the ability to retire old "features" and create new almost identical "features" that you need to opt out of again (if you even notice the change). Don't know if T-Mobile specifically is doing that or will be doing that or not, but the smell is there.

Just two. T-Mobile is still the least obnoxious network.

I simply responded directly to Verizon that they are devaluing their premium brand by even asking to surveil & advertise to me.

I pay them 10x or 100x directly what they are going to make with this info and it literally puts their business with me in jeopardy. I also can say it's going to be topic #1 or #2 in conversation about them.

The VP or whoever at Verizon came up with this penny-grabbing scheme is a loser and should be fired.

What provider doesn't do this? Has any said they never would (or have acted in this regard)? I'm all for getting on the anti-VZW bandwagon, but realistically, what are your options?

There's actually two to opt out of - "Custom Experience" and the even more invasive "Custom Experience Plus"

Don't stop there. I see no fewer than five (5) sections in my Verizon privacy settings that were set to share information I never would have agreed to if I knew they existed.

- Custom Proprietary Network Information

- Business & Marketing Insights

- Identity Verification Settings

- Custom Experience

- Custom Experience Plus

It's doubleplusgood!

I mean of course there are.

This is so slimy and infuriating, and it increasingly seems like they will continue to ‘reset’ everyone’s opt-out until enough people get tired/miss the update.

Is there a tech solution? How can we minimize the amount of data that they can even collect? For example, I wonder if just changing DNS (and ideally doing DNS-over-HTTPS) would eliminate most of it. As far as call metadata, I’d say the answer is probably just using some less slimy provider (Signal etc).

Previous discussion, with more background on this change: https://news.ycombinator.com/item?id=29479114

Anyone know if AT&T has a program like this? I’d be curious to know so I can opt out as well

Thanks for mentioning this. Since I turned on Verizon's spam blocking feature, all texts from Verizon are marked as junk. (And I didn't even configure that, Verizon just blocked itself out of the box.) Anyway, I found the message in spam, but it's impossible to opt out right now because the site is having problems.

Why does this keep coming up? You opt-out, then they opt you back in to something "new" 3 months later. Just keep doing it until everybody is opted in. This is bullshit.

Verizon, previously called NYNEX, has always been a sleazy outfit.


Words can’t describe how much I despise PR jargon!

“more relevant offers” now universally means “we’ll spy on you, so we can get more money from you!”

Reminds me of O2. Their app actually requests access to your contacts (!) on Android, for no apparent reason (I see no phonebook feature in the app). Very dodgy, and I ended up isolating it in the Work profile.

Maybe a brain fart but can they even monitor more than just domain names?

From their web page:

You will be part of the Custom Experience program unless you opt out. You must opt in to the Custom Experience Plus program to be a part of it unless you are already participating in Verizon Selects. Verizon Selects participants will automatically be included.

Custom Experience uses information about the websites you visit and the apps you use on your mobile device to help us determine your interests, such as “sports lover” or “outdoor enthusiast.” We make efforts to eliminate the use of websites that may be sensitive in nature.

Custom Experience Plus also uses:

• Device location information we obtain from the Verizon network and from Verizon apps you have permitted to collect location for these purposes;

• Customer Proprietary Network Information (CPNI), including information about the phone numbers you call or that call you and the times you receive these calls. It also includes information about the quantity, type, destination, location, and amount of use of your Verizon telecommunications and interconnected voice over internet protocol (VoIP) services and related billing information.

and this gem:

Q. If I turn off the location settings on my mobile device, will my location information still be used for Custom Experience Plus?

A. We use location information from our network. We will continue to use this type of location information regardless of your device location services setting.

> and the apps you use on your mobile device

how are they getting that info?

domains they might use

What do they mean with this

We make efforts to eliminate the use of websites that may be sensitive in nature.

All we can do is assume.

I'd say banking, investments, porn, etc are good candidates to remove

No way, that's good blackmail data. Imagine the power you could exert over people like Supreme Court Justices if you can buy their porn browsing history.

That's pretty much it. Obviously any unencrypted sites can be sniffed, but those aren't that common anymore.

Is Verizon still using supercookies?

They're optional, you can opt out.

Is it just me or does anyone else notice that everything which has the word "experience" in its name or marketing material seems to be user-hostile these days?

UX is definitely user hostile

The most shocking thing about this new preference is not the obvious fact that Verizon is blatantly trying to collect even more data about their users in creepy ways (or that it was "opt in" by default, which should probably be illegal), but rather how badly their announcement was written. Sample below from their email. The shocking part is that there is absolutely zero benefit to the user.

"Introducing Verizon Custom Experience. It’s your experience, tailored to your interests. The program uses information about websites you visit and apps you use on your mobile device to help us better understand your interests. This helps us personalize our communications with you, give you more relevant product and service recommendations, and develop plans, services and offers that are more appealing to you."

Tired of the carriers. They are all the same, no safe alternative.

Is Twilio SuperSIM feasible as a self managed mobile service in the US? Can I pop in a sim, roam without thought and manage voice/sms/data accordingly? Will switch ASAP if so.

Is this only for Verizon Wireless or does it apply to their fiber service as well?

It's not exactly the same, but FIOS does use data for advertising preferences. Turn it off on the manage my internet page under 'manage online advertising preferences'.

If you use T-Mobile Netherlands (or Tele2/Ben/Simpel), go to My [T-Mobile|Tele2|Ben|Simpel] > More > Personal Data > Privacy Settings and switch the appropriate options to 'No'.

OT/meta: has anyone else noticed an increase in low effort tell/ask HN posts over the last year or so? Seems like there has been a large increase to me and they resemble karma farming Reddit posts, that while they may generate lots of comments, bring little actual value. As a counter example, here is a better post with an article discussing the same thing as this post: https://news.ycombinator.com/item?id=29479114

I have. I'm sure there have always been a lot of low effort posts but I don't know why it feels like more recently. What I've also seen an uptick in are the various status posts from SaaS and cloud providers. Each one of these posts consists of the exact same ax grinding and grousing about how awful everything is. There are never any new discussions to be had there.

Those status posts are another great example.

If you peruse 'New' often enough, you will note there are not more in quantity, but, yes, many more lately are garnering upvotes and making the front page. Some brief, some gain traction.

I may have. But FWIW, I'm also very glad to have seen this particular submission. If it wasn't on HN I may not have known about it, not saying that's a justification.


As I write this, about 25% of the front-page posts are Ask/Tell/Show HN. (7/30) That feels high.

> they resemble karma farming Reddit posts

But what does one do with HN karma? Is there a shop I don't know about?

I thought they were just for burning on downvotes, saved for a rainy day when you are feeling in a particularly unpopular, disagreeable or controversial mood and you want to say it anyway >:) bring on the -votes Mwawahahaha.

Most of the major telecoms seem to have tried to get into this ad targeting business. I think there is still Verizon Media and they still have a DSP?

To me it makes huge sense to allow advertisers to bid on known user data - since cookies, IP address, iOS policy are killing that type of targeting for everyone except Google.

But they never seem to make it work and bridge that gap.

ATT was looking to sell Xandr though they might not be going through with that I haven't read anything about it recently.

If you use Verizon they have reverted/ignored your privacy settings. You should switch carriers immediately. You should also report them to your state’s attorney general. This is illegal (at least it is in my state)

This kind of behavior cannot be permitted. Perhaps a fine (I propose $50M) would help remind them of their obligations to their customers’ privacy preferences.

> You should switch carriers immediately.

They all do this.

Google Fi seems decent. But of course it is Google itself, not sure what shenanigans they pull.

Google? Hahaha, they have orders of magnitude more data on you than carriers and are absolutely aggregating Google Fi data into your profile.

Google Fi runs on T-Mobile's network, so any tracking T-Mobile does to a T-Mobile customer, they can also do to a Fi customer.

I get a 404. So they probably disabled the site.

404 for me as well.

I had to be signed into verizon's site and then click the link, but now can't get that to work, but it appears the direct page is https://myvpostpay.verizon.com/ui/acct/secure/profile/privac...

This all seems intentionally difficult

Just worked for me.

I see a lot of vitriol in this thread, but I can't seem to understand what harm would actually be caused?

Would appreciate it if someone could give me an example or two. As in, "A bad thing that can happen to you as a result of Verizon's actions is: [insert actual bad thing that can happen here]"

What if I don't want Verizon to collect and accidentally leak for the whole world to see who calls me and what websites I visit? Is it not enough that I don't want my personal life to sit on pastebin four years from now?

Cell phone carriers are the ones who are ultimately responsible for the huge uptick in phishing attempts because they're monetizing selling phone number records.

It may only be a minor annoyance but I still get junk phone calls and the FTC is too spineless to stand up and do anything about it. Until only this year, the former head of the FTC was a former Verizon exec (talk about a revolving door in industry/regulation)

Who's to say they won't do the same to surreptitiously use the data internally for their own (somewhat shady) divisions or their former adtech owned divisions (Verizon Media, now known again as Yahoo)

By this line of thinking… if a computer service tech finds and shares compromising pictures of you or your loved ones with their friends it’s all good because nothing bad happens to the customer.

It's more unnecessary tracking of the user that is masquerading as a benefit. I don't pay monthly subscription fees to get tracked without my explicit consent. If you want this data, reduce my subscription fee to $0/month.

T-Mobile enabled this enhanced tracking by default on all accounts earlier this year. I had to disable it on each individual line.

For such a "free market" the US has it really seems like Verizon can really annoy you without any competition. All hail StarLink!

There can never be a free market for mobile networks because wireless spectrum is a limited resource that mobile carriers need exclusive access to.

So you opt out of letting them personalize and communicate to you what they're going to track for themselves anyway. Pretty naive.

I'm on a Verizon phone currently and that link gives me a 404. Perhaps the service hasn't rolled out to everyone yet?

Verizon Fios keeps asking me permission to take a voiceprint for security purposes.

VPN + DNS over HTTPS might solve part of this, then using VoIP for calls/texts

If you tunnel everything over the VPN, including DNS, then that should be enough.

Totally agree.

Thank you!

Is that even real ... if you don't know already it's best to avoid/ignore and even block dumb stuff (texts) like that... most of it is from scammers who want you to click a link to their site and do whatever bad thing their goal is.

Vzw.com is an actual domain owned by Verizon, yes. On a desktop, it redirects to the Verizon login portal.

That's cool but my brain is trained to ignore all links from texts as I get tons from AT&T that are clearly not legit.

The cost of spammers is that they have forever changed how we use the telephone in terms of bothering to answer unknown calls. They are doing or have done the same with text.

Also why should I as a consumer have to do a domain search to verify legit or not. I personally just ignore all and tell everyone in my family and friends to do the same.

That’s cool but I hope you like automatically being opted in to have your data slurped up since you won’t click on links or investigate whether they’re real.

If you're online (email, social media, websites, etc.) then your data is almost everywhere. Rather they take my data secretly than break into things that matter the most online and off.

I got an email stating the same, and appears legit, mailed and signed by customer.verizon.com
