Concern Arises Over Verizon's New Sneaky 'Stealth Cookie'

Verizon Wireless has started taking heat from privacy advocates for altering their customers' traffic and inserting unique identifiers that users have no control over. We've already explored how over the last two years Verizon has been ramping up data collection on its wireless customers via programs like Verizon Selects and their Relevant Mobile Ad department, which track your personal information and web habits for more tailored advertisements (that data's also sold to third parties).

Curiously, while Verizon has been tracking users' online activity for two years, it was only last week that people started noticing that Verizon was using a controversial sort of "super cookie" that modifies user traffic to uniquely identify users. This Unique Identifier Header, or UIDH, broadcasts your identity across the web, and it remains in place (and can be abused) even if you opt out of Verizon's programs.

That's a huge problem, notes Stanford lawyer and computer scientist Jonathan Mayer, who writes that broadcasting that unique identifier is rather ham-fisted:

quote:
Whatever the merits of Verizon’s new business model, the technical design has two substantial shortcomings. First, the X-UIDH header functions as a temporary supercookie. Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required. Second, while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user.

The fact that Verizon is modifying traffic at all has raised eyebrows over the last five days. Wired has a good write-up that notes that this traffic manipulation was only observed when an EFF member configured their web traffic to log all headers. Note that this doesn't work if you're connected to Wi-Fi via your phone or if you're using mobile Chrome, but security researcher Kenneth White has set up this website to show whether you're broadcasting a unique identifier.

Back in July, Verizon launched a new rewards program designed to push more users to opt in to the program. Verizon states that if you opt out of their relevant ad program they (and their ad partners) won't use the UIDH to pitch you targeted ads -- but again that's irrelevant if you're broadcasting that unique, 50-character identifier to every website you're visiting.
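
To see the header for yourself without relying on a third-party test page, compare what your browser sent with what a server you control actually logged. The following is an added example, not code from Verizon, the EFF or the test site mentioned above: it goes slightly beyond the UIDH case by flagging any header that appears in transit, and it assumes the header names reported on this page (`X-UIDH`, `x-acr`, `X-UP-SUBNO`), a hypothetical host `test.example`, and constructed sample requests.

```python
# Identifier headers named on this page; carrier labels are as readers reported them.
CARRIER_ID_HEADERS = {
    "x-uidh": "Verizon",
    "x-acr": "AT&T",
    "x-up-subno": "Bell Mobility",
}

def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs from a raw HTTP/1.x request, duplicates kept."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip():
            pairs.append((name.strip(), value.strip()))
    return pairs

def added_in_transit(sent: bytes, received: bytes) -> list[str]:
    """Header names the server received that the client never sent."""
    sent_names = {name.lower() for name, _ in parse_headers(sent)}
    return [name for name, _ in parse_headers(received)
            if name.lower() not in sent_names]

def carrier_identifiers(received: bytes) -> list[tuple[str, str, int]]:
    """(header, carrier, value length) for each non-empty known identifier."""
    found = []
    for name, value in parse_headers(received):
        carrier = CARRIER_ID_HEADERS.get(name.lower())
        if carrier and value:                      # a blank value identifies nobody
            found.append((name, carrier, len(value)))
    return found

# Constructed sample: what a phone browser sent ...
SENT = (b"GET /sniff HTTP/1.1\r\nHost: test.example\r\n"
        b"User-Agent: Mozilla/5.0\r\nDNT: 1\r\n\r\n")
# ... and what the test server logged for the same request over cellular data.
# The X-UIDH value is a made-up 50-character placeholder, not a real identifier.
RECEIVED_CELLULAR = SENT[:-2] + b"X-UIDH: " + b"A" * 50 + b"\r\n\r\n"
RECEIVED_VPN = SENT    # over a VPN or Wi-Fi the request arrives unmodified

if __name__ == "__main__":
    print(added_in_transit(SENT, RECEIVED_CELLULAR))
    print(carrier_identifiers(RECEIVED_CELLULAR))
    print(added_in_transit(SENT, RECEIVED_VPN))
```

The function reports only the header name and value length, so the identifier itself never ends up in your own logs.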

UIDtracker
@50.182.138.x

UIDtracker

Anon

Not just Verizon suspected

From test web site in story it appears that it isn't just Verizon that is of concern. Apparently AT&T and Sprint are too.

Checking AT&T, Verizon, Sprint & Vodacom Unique Identifiers...

Browser/user agent: Mozilla/5.0
Do Not Track setting: 1
Your UID is reporting:

My UID is blank, so I guess I am not being tracked.

batterup
I Can Not Tell A Lie.
Premium Member
join:2003-02-06
Netcong, NJ

1 recommendation

batterup

Premium Member

Re: Not just Verizon suspected

said by UIDtracker :

Not just Verizon suspected

We all know Verizon is the favorite whipping boy on this site.
It gets the juices flowing.

rebus9
join:2002-03-26
Tampa Bay

3 recommendations

rebus9

Member

Re: Not just Verizon suspected

said by batterup:

said by UIDtracker :

Not just Verizon suspected

We all know Verizon is the favorite whipping boy on this site.

And the whippings are quite well-deserved. They're the epitome of a bad net actor.

MBalcerak
@8.11.166.x

MBalcerak

Anon

Re: Not just Verizon suspected

Bloggers everywhere should make posts saying thanks to Verizon for implementing a system that generates ad revenue to lower everyone's bill. Forcing them to publicly say "We don't lower your bill, we keep the ad revenue for ourselves."

Think if blogs like Engadget got involved, it would generate some sort of response.

Because it's not like you're gonna see a dime from this new system that requires you use your expensive data in order for them to generate this ad revenue.

batterup
I Can Not Tell A Lie.
Premium Member
join:2003-02-06
Netcong, NJ

batterup to rebus9

Premium Member

to rebus9
said by rebus9:

said by batterup:

said by UIDtracker :

Not just Verizon suspected

We all know Verizon is the favorite whipping boy on this site.

And the whippings are quite well-deserved. They're the epitome of a bad net actor.

Ma Bell is dead and yet the people weep.

battleop
join:2005-09-28
00000

battleop to batterup

Member

to batterup
Verizon is #3 on the list behind Comcast and Frontier.

an3951
join:2001-02-18
Brook Park, OH

an3951

Member

Concern Arises Over Verizon's New Sneaky 'Stealth Cookie'

As the article stated you must be on their network to be tracked. My test shows I am being tracked on their network with a unique UID which does not change even if I clear all data, including cookies from my browser.

UID is not present while connected via WiFi nor is it tracking when using VPN through Verizon's network. Using VPN seems a reliable way to put an end to the shenanigans.

cowboy
So Much For Subtlety
Premium Member
join:2000-03-14
La Grange, KY

cowboy

Premium Member

Re: Concern Arises Over Verizon's New Sneaky 'Stealth Cookie'

One can easily opt out of this, and potentially speed up browsing -- if they are using a recent android build.

Both chrome and chrome beta have a knob in settings to improve bandwidth via compression. This setting forces data through a google proxy... where the UID is apparently stripped

tito79
join:2010-03-14
Port Saint Lucie, FL

tito79

Member

Re: Concern Arises Over Verizon's New Sneaky 'Stealth Cookie'

How do you think they get your location for local ads?

DaveRickmers
join:2011-07-19
Canyon Country, CA

DaveRickmers

Member

Re: Concern Arises Over Verizon's New Sneaky 'Stealth Cookie'

Because Google hacked your router when the Street View photographed your house?

ropeguru
Premium Member
join:2001-01-25
Mechanicsville, VA

ropeguru to cowboy

Premium Member

to cowboy
So do I let Verizon track me or Google track me? I just looked at the Chrome bandwidth management setting on my S4 and it sends all my traffic to Google's servers.

So who should I trust more?

tshirt
Premium Member
join:2004-07-11
Snohomish, WA

tshirt

Premium Member

Re: Concern Arises Over Verizon's New Sneaky 'Stealth Cookie'

It's not just them but "others" that may intercept and track not just your browsing habits but your location and travel patterns and eventually distribute it for criminal use.
i.e. No doubt local burglars/raves/scammers would love to know when your family goes to the airport to use those tickets to HI you bought last month, or that you just entered the theater so plenty of time to borrow your car from the lot, or go for a shopping spree at the mall on the CC that never arrived.

Flyonthewall
@206.248.154.x

Flyonthewall

Anon

Re: Concern Arises Over Verizon's New Sneaky 'Stealth Cookie'

It doesn't even take that much.

All they need to do is leave a letter in the mail with movie tickets telling you that you won them. How many people would intelligently realize someone was trying to get them out of the house for a robbery but instead get all excited over 'winning' free movie tickets out of the blue?

battleop
join:2005-09-28
00000

battleop to ropeguru

Member

to ropeguru
Neither...

GroovyPhoenx
Premium Member
join:2006-05-22
Gloucester, ON

1 recommendation

GroovyPhoenx to ropeguru

Premium Member

to ropeguru
said by ropeguru:

So do I let Verizon track me or Google track me? I just looked at the Chrome bandwidth management setting on my S4 and it sends all my traffic to Google's servers.

So who should I trust more?

Google already owns your son and your soul, so might as well let em track you

tmh
@173.13.197.x

tmh to cowboy

Anon

to cowboy
said by cowboy:

Both chrome and chrome beta have a knob in settings to improve bandwidth via compression. This setting forces data through a google proxy... where the UID is apparently stripped

Thereby adding oneself to Google's Super-Duper Tracking Program instead.

dj_eric
join:2004-11-19
Kennett Square, PA

dj_eric to an3951

Member

to an3951
I don't think this is in all markets yet at least. I tested my phone with my own server using tcpdump as well as the lessonslearned.org link and both came out negative.
Philadelphia area: 174.252.81.0/24 subnet block
I did opt out a very long time ago, but I'm thinking this advertising scam just hasn't hit here yet.

Camelot One
MVM
join:2001-11-21
Bloomington, IN

Camelot One to an3951

MVM

to an3951
said by an3951:

My test shows I am being tracked on their network with a unique UID which does not change even if I clear all data, including cookies from my browser.

I am curious to know if the UID is unique to the device or the phone number itself.

an3951
join:2001-02-18
Brook Park, OH

an3951

Member

Re: Concern Arises Over Verizon's New Sneaky 'Stealth Cookie'

I don't have a spare phone to swap sim cards but if I had to guess the UID is probably tied to the ESN. Maybe someone can perform this test but I am not sure how it would really make a difference on our end.

CST
@76.103.77.x

CST

Anon

TOR

Would this include TOR traffic?

Napsterbater
Meh
MVM
join:2002-12-28
Milledgeville, GA

Napsterbater

MVM

Re: TOR

This is modifying HTTP headers, has nothing to do with TOR.

gdj50
join:2001-02-01
Spokane, WA

gdj50 to CST

Member

to CST
I just checked »lessonslearned.org/sniff using TOR on my verizon HTC over 3g and site reported no cookie.
mikeluscher159
join:2011-09-04

mikeluscher159

Member

Re: TOR

Droid Maxx on Chrome Beta in Staten Island on LTE (AWS XLTE) if it matters, and yes they're tracking.

lacibaci
join:2000-04-10
Export, PA

lacibaci

Member

AT&T also

On AT&T, I see "x-acr" header...

InPA
@104.129.194.x

InPA

Anon

Re: AT&T also

AT&T is definitely tracking in my area. When I shut off my wifi and use the website mentioned in the article, there is a UID. It does not change even after I clear cookies. There is none when I am on wifi so this is not just limited to VZW.
wkm001
join:2009-12-14

wkm001

Member

So now what?

Mine was changed by AT&T even when using mobile Chrome. Do we all file complaints with the FCC because our providers are changing/injecting unique identifiers into our web traffic?

Napsterbater
Meh
MVM
join:2002-12-28
Milledgeville, GA
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO

Napsterbater

MVM

Re: So now what?

said by wkm001:

Mine was changed by AT&T even when using mobile Chrome. Do we all file complaints with the FCC because our providers are changing/injecting unique identifiers into our web traffic?

You have to turn on the "Reduce Data Usage" feature so it uses Google's proxies for it to be stripped out.

sick of it
@70.198.129.x

sick of it to wkm001

Anon

to wkm001
Same here with VZW and mobile chrome. The Internet is quickly becoming too much trouble.

Napsterbater
Meh
MVM
join:2002-12-28
Milledgeville, GA

Napsterbater

MVM

On in GA on AT&T

Looks like it's turned on in Georgia on AT&T :-/

But I can confirm using Chrome with "Reduce Data Usage" turned on does strip it out.

battleop
join:2005-09-28
00000

battleop

Member

So how exactly does this track back to me?

I found on my iPhone 6+ that I get a Broadcast UID: of something like SKDjldkfjowiefjpsdlkfjp3i4reighpqoeihgwpriperoivwproipaosidur. How exactly does one translate SKDjldkfjowiefjpsdlkfjp3i4reighpqoeihgwpriperoivwproipaosidur into my phone number or email address or street address or name if I'm not giving any site I visit any of this information?

I can see if I visit dslreports.com and I were to enter my real name and contact info that they could build their own database that tells them that I am SKDjldkfjowiefjpsdlkfjp3i4reighpqoeihgwpriperoivwproipaosidur but if I never give real information to a site how exactly do they know who SKDjldkfjowiefjpsdlkfjp3i4reighpqoeihgwpriperoivwproipaosidur is?

bluefox8
join:2014-08-20

bluefox8

Member

Re: So how exactly does this track back to me?

said by battleop:

I found on my iPhone 6+ that I get a Broadcast UID: of something like SKDjldkfjowiefjpsdlkfjp3i4reighpqoeihgwpriperoivwproipaosidur. How exactly does one translate SKDjldkfjowiefjpsdlkfjp3i4reighpqoeihgwpriperoivwproipaosidur into my phone number or email address or street address or name if I'm not giving any site I visit any of this information?

I can see if I visit dslreports.com and I were to enter my real name and contact info that they could build their own database that tells them that I am SKDjldkfjowiefjpsdlkfjp3i4reighpqoeihgwpriperoivwproipaosidur but if I never give real information to a site how exactly do they know who SKDjldkfjowiefjpsdlkfjp3i4reighpqoeihgwpriperoivwproipaosidur is?

But Verizon knows. That's exactly where Verizon can set itself up to monetize because they have that info the others want. May even throw in your geolocation data for a little extra

Or buy their "family package" and your wife and kids will be included too.
dj_eric
join:2004-11-19
Kennett Square, PA

dj_eric to battleop

Member

to battleop
It's not just the site you are logging in to that might be getting that information. So for example, you log into your bank account which gets your UID, then surf a porn site which you don't. They both are using the same Ad company, so company Y has now been able to correlate that you both go to bank A and Porn site B and as you travel across the web to all the sites that use that company, it's possible to know a lot more than just your name even when the data is obfuscated like it should be.

battleop
join:2005-09-28
00000

battleop

Member

Re: So how exactly does this track back to me?

Even with that how does it track back to me? How does the ad company or porn site come up with my name, address, phone number etc? To the ad tracking site my name is still ksdlfjeiru304i3EIHg0f3eoir034oiu50en304ury.

Unless the sites who do have information about me are sharing my Broadcast UID they still don't know who I am any more than any other ad tracking site.

Eina
@175.139.159.x

Eina

Anon

Not just Verizon - and it gets worse...

I just checked using my phone and my local telco is transmitting my PHONE NUMBER! So, I assume this means any website in the world could just harvest my phone number? That would explain the spam sms I sometimes get after visiting websites.
rmdir
join:2003-03-13
Chicago, IL

rmdir

Member

Re: Not just Verizon - and it gets worse...

Which carrier, and how do you check for that?

Eina
@175.139.159.x

Eina

Anon

Re: Not just Verizon - and it gets worse...

Use the website mentioned in the article:
»lessonslearned.org/sniff
from your phone while using the data package (not WiFi) and with Google Chrome 'Reduce data usage' option turned off.
Oh, and the website has been improved - now I find not only is my phone number sent but so is my IMEI!

Just Me
@192.19.194.x

Just Me

Anon

Verizon vs the VPN

Saw a UID on Verizon 4G network... Turned on the VPN that I bought, and poof, gone...
VPN Unlimited... Usually a sale price at Android Authority every so often...

Guess I'm going to be using it a lot more now...

pnjunction
Teksavvy Extreme
Premium Member
join:2008-01-24
Toronto, ON

1 edit

pnjunction

Premium Member

Bell/Virgin hand in this cookie jar?

Browser/agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-I337M Build/KTU84Q) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Do Not Track: (not set)
Broadcast UID: [X-REQUESTED-WITH] com.android.browser [X-UP-SUBNO] 00000000XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-XXXX_wap2.bellmobility.ca

Where the XX are numbers and I presume 'SUBNO' is short for subscriber number.

verizon_user
@99.5.72.x

verizon_user

Anon

chrome isn't exempt

Article mentions the tracking doesn't take place when using wifi or mobile Chrome. Using a Motorola Moto-X with the packaged Chrome browser, on Verizon's network, the Broadcast UID: [X-UIDH] ReallyLongRandomStringofChars is revealed on lessonslearned.org/sniff.

Suggest correcting the article since using Chrome alone is not sufficient to prevent this, unless I've missed something.

notaverizon
@98.183.188.x

notaverizon

Anon

Re: chrome isn't exempt

You need to have the reduced data option turned on.