AT&T, Verizon Using 'Perma-Cookies' to Track Customer Web Activity

Both Verizon and AT&T appear to be engaging in some unsavory customer tracking techniques, using unique identifying numbers to deliver targeted advertisements to customers in what's called "Relevant Advertising." As outlined by Wired, Verizon is altering the web traffic of its customers by inserting a Unique Identifier Header or UIDH, a temporary serial number that lets advertisers identify Verizon users on the web.

According to Jacob Hoffman-Andrews of the Electronic Frontier Foundation, the UIDH serves as a "perma-cookie" that can be read by any web server to "build a profile" of internet habits. Verizon users cannot turn off the UIDH, but opting out of the Relevant Mobile Advertising Program prevents the information from being used to create targeted ads.

Verizon has been using Relevant Advertising techniques for two years, but the tracking went largely unnoticed until recently, when extra data coming from Verizon customers was spotted. AT&T appears to be engaging in similar tracking activities, and is testing its own Relevant Advertising system.

According to Forbes, AT&T is testing a similar code insertion program that will allow websites to track AT&T customers. Like Verizon, AT&T has plans to make the tracking codes temporary as a "privacy-protective measure," but according to one of the researchers that discovered the tracking, Kenneth White, the codes that AT&T is sending to some customers are persistent.

"AT&T does not currently have a mobile Relevant Advertising program. We are considering such a program, and any program we would offer would maintain our fundamental commitment to customer privacy," read a statement from AT&T. "For instance, we are testing a numeric code that changes every 24 hours on mobile devices to use in programs where we serve ads to the mobile device. This daily rotation on the numeric code would help protect the privacy of our customers. Customers also could opt out of any future AT&T program that might use this numeric code."

Unlike Verizon, AT&T will not include the unique identifier code in the IP packets of customers who have opted out of the company's Relevant Advertising program.

Both Verizon and AT&T customers can check whether their devices are sending identifying codes by visiting a website created by aforementioned security researcher Kenneth White. Verizon customers appear to be unable to opt out entirely, but AT&T customers can visit the following website on their mobile devices (while connected to the AT&T network) to turn off Relevant Advertising:
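
How a header-check site like the one mentioned above can work, shown as an added example that is not part of the original article or of Kenneth White's site: compare the request a client wrote to the socket with the copy the server received, and report any header that appeared in between. The header name `X-UIDH`, the host name and all sample bytes are assumptions constructed for illustration.

```python
# Added example (not from the article): find headers inserted in transit by
# comparing the client's request with the copy the server received.
# Assumption: "X-UIDH" is the on-the-wire name of the UIDH header; the article
# only calls it "UIDH". All sample bytes below are constructed.

KNOWN_TRACKING_HEADERS = {"x-uidh": "carrier unique identifier (UIDH)"}


def parse_headers(raw: bytes) -> dict:
    """Return {lowercased-name: value} from a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def headers_added_in_transit(sent: bytes, received: bytes) -> list:
    """List (name, value, note) for headers the server saw but the client never sent."""
    sent_h, recv_h = parse_headers(sent), parse_headers(received)
    findings = []
    for name, value in recv_h.items():
        if name not in sent_h:
            note = KNOWN_TRACKING_HEADERS.get(
                name, "unknown header added by an intermediary")
            findings.append((name, value, note))
        elif sent_h[name] != value:
            findings.append((name, value, "value changed in transit"))
    return findings


# Constructed request as written to the socket by the client (plain HTTP).
SENT = (b"GET /check HTTP/1.1\r\nHost: headers.example\r\n"
        b"User-Agent: test-client/1.0\r\nAccept: */*\r\n\r\n")

# Constructed copy of the same request as logged by the server.
RECEIVED = (b"GET /check HTTP/1.1\r\nHost: headers.example\r\n"
            b"User-Agent: test-client/1.0\r\nAccept: */*\r\n"
            b"X-UIDH: EXAMPLE-CONSTRUCTED-ID-0001\r\n\r\n")

if __name__ == "__main__":
    for name, value, note in headers_added_in_transit(SENT, RECEIVED):
        print(f"{name}: {value}  <- {note}")
    # When nothing on the path edits the request, both copies match.
    print(headers_added_in_transit(SENT, SENT) or "no injected headers")
```

The comparison only detects anything over plain HTTP; a request sent over HTTPS reaches the server as the client wrote it unless something on the path holds a certificate the device trusts.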

Top Rated Comments

68 months ago
Thanks for the PSA. I'm going to opt out now.

Here's the link to Verizon (can be from any device):

Here's the link to AT&T (must be from your phone, with wi-fi turned off):

Note that this only opts out of getting targeted junk ads, not VZW or AT&T inserting perma-cookies.
Rating: 26 Votes
68 months ago
It should be an Opt-In. Bad enough that Google inserts products into my web pages from sites I've visited. These are baby steps toward total control.
Rating: 13 Votes
68 months ago

Thanks for the PSA. I'm going to opt out now.

You can only opt out of the relevant advertising. There is no option to opt out of them collecting web activity from you.

Just read AT&T gives you the option.

Still, these 2 companies are messing with our privacy.
Rating: 12 Votes
68 months ago
Slimy bastards.
Rating: 7 Votes
68 months ago
Can I just say how happy I am since switching from many years with Verizon to T-Mobile last month when the new iPhone came out?

Sooooooo much happier with T-Mobile - and saving a LOT of money since the switch.
Rating: 7 Votes
68 months ago
Am I the only one who finds it outrageous that these companies are inserting tracking IDs into our HTTP requests? I pay them to transport my data, they have *no* business in altering my traffic in any way, shape or form. How is this even legal? :mad:
Rating: 6 Votes
68 months ago

I don't see how encryption (VPN or otherwise) can have any effect on this. You send an encrypted request via web and they inject a tracking ID on top of your encrypted request. If the website you visit has any trackers or beacons looking out for that tracking ID your visit is immediately identified and shared with Verizon/AT&T's network, so they can effectively track any site you've visited that has an affiliated tracker/beacon.

HTTPS/SSL/TLS means the data is sent encrypted from the originating host to the receiving host. In addition to proving the server is who he says he is, those technologies guarantee confidentiality. The telco can't see/change anything.

YOU ----------- TELCO ------------ SERVER <-- unencrypted
x *************************** x <-- encrypted

There is an exception to this, but if ATT and VZW are doing it, I'd be surprised. If they're configured as a root certificate authority on your device, they could decrypt the traffic from the server, insert their tracker and then re-encrypt it, posing as the original server. Your device wouldn't care because the certificate would look valid. Many corporations do this for their internal networks. If the telcos were doing this, it would be even bigger news than an HTTP header.

Once again, this has nothing to do with cookies and VPN is useless against it.

Do you know how cookies are sent by a web server? They're HTTP headers, just like the nastiness ATT & VZW are sending. They're part of the HTTP response. That HTTP response is enveloped by SSL/TLS when you use an https link.

The only thing that makes cookies differ from any other HTTP header is that when your browser makes a second request back to the web server, any cookies matching that domain are automatically sent back too--as HTTP request headers.

VPNs do defeat this.
Rating: 4 Votes
68 months ago

I don't see how encryption (VPN or otherwise) can have any effect on this. You send an encrypted request via web and they inject a tracking ID on top of your encrypted request.

No, they can't. If you use HTTPS, the traffic is encrypted end-to-end between you and the web server. If you use a VPN, it's encrypted between you and the VPN provider. In both cases the access providers cannot manipulate the traffic because they can't decrypt it.

Note that what they do is a pretty deep intrusion into your traffic. Web traffic (HTTP) is transported over a protocol called TCP, which is supposed to create a reliable end-to-end connection between you and the web server. It has mechanisms to ensure the integrity of the traffic (using checksums). Basically, what the carriers are doing is altering the TCP payload and manipulating the TCP packets in a way that neither you nor the remote server will notice it. This is a blatant violation of the so-called end-to-end principle which is a cornerstone of the Internet's architecture. Not to mention that it is also a blatant violation of their customers' trust.
Rating: 4 Votes
68 months ago
I should have to opt-in not out!
Rating: 4 Votes
68 months ago
Corporate STALKER LAWS need to be created.

I'm already paying for my cell and data service, I see no reason corporations should be allowed to track and/or sell your metadata without first, explicitly and in plain language, asking the end-user for permission.
Rating: 3 Votes
