
Verizon supercookie

From Consumer Rights Wiki

The Verizon supercookie was an undeletable tracking identifier that Verizon Wireless inserted into its customers' unencrypted web traffic at the network level, where no browser setting could remove it. Verizon began adding the Unique Identifier Header (UIDH) to mobile customers' Internet requests in December 2012 & did not disclose the program until October 2014.[1] Because the carrier appended the string after traffic left the device, clearing cookies, deleting browser history, & using private or incognito mode did nothing to stop it, & at least one advertising partner used the identifier to revive tracking cookies that customers had deleted.[2] On March 7, 2016, the Federal Communications Commission settled its investigation through a consent decree that required Verizon to pay a $1,350,000 fine & to obtain a customer's opt-in consent before sharing the identifier with a third party for advertising.[3]

Background


A standard HTTP cookie is a small text file that a website stores on the user's own device. Because the file sits on the consumer's hardware, the consumer can delete, block, or clear it through the browser's privacy settings. The UIDH worked differently. It was not a file on the device but an alphanumeric character string that Verizon's network inserted into the address header of a customer's HTTP requests as that traffic passed through Verizon's routers.[4]

The consent decree defined the identifier in its own terms.

The FCC's Enforcement Bureau wrote in the decree:

UIDH means Unique Identifier Header, a unique character string of letters, symbols, and numbers that Verizon Wireless inserts to deliver targeted advertising into address header information that accompanies customers' HTTP requests transmitted over the Verizon Wireless network.

[4]

Verizon used the UIDH for two targeted-advertising products the FCC named in the decree: Verizon Selects & Relevant Mobile Advertising. The decree stated that these programs associated the identifier with customer proprietary information & other demographic & interest data to build profiles for serving targeted ads.[2] The string was broadcast in plain text to any unencrypted website the customer visited, whether or not that site had any relationship with Verizon. Critics labeled it a supercookie because, unlike an ordinary cookie, the customer could not reach it.[1] The EFF called the injected string a perma-cookie.[5]

Discovery


Independent researchers documented the header injection in the fall of 2014. The Electronic Frontier Foundation (EFF) brought wide attention to the program in October and November 2014.[5] Stanford computer scientist & lawyer Jonathan Mayer mapped the technical architecture, showing that any website could read the X-UIDH header to track a user regardless of that user's privacy protections.[6] Writing for Wired, Robert McMillan called it a privacy-killing machine.[7]

AT&T had tested a similar tracking header around the same period & announced in November 2014 that it was discontinuing the practice. Verizon continued.[8]
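One way to observe this kind of injection is to compare the request a device sends with the request an echo server under the tester's control receives over plain HTTP. The Python below is an added example, not code from this article or its sources; the host echo.example, the cookie value and the X-UIDH value are constructed placeholders.

```python
# Added example: all requests below are constructed sample data.
UIDH = "PLACEHOLDER-UIDH-VALUE"  # placeholder, not a real identifier


def _req(extra_lines):
    """Build a raw HTTP/1.1 GET request with the given extra header lines."""
    lines = ["GET / HTTP/1.1", "Host: echo.example", *extra_lines, "", ""]
    return "\r\n".join(lines).encode()


# Visit 1: the browser holds a cookie. Visit 2: the user has cleared cookies.
SENT_1 = _req(["Cookie: id=abc123"])
RECV_1 = _req(["Cookie: id=abc123", f"X-UIDH: {UIDH}"])
SENT_2 = _req([])
RECV_2 = _req([f"X-UIDH: {UIDH}"])


def parse_headers(raw: bytes) -> dict:
    """Return {lowercased header name: value} from a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def added_in_transit(sent: bytes, received: bytes) -> dict:
    """Headers the server saw that the device never sent."""
    sent_h, recv_h = parse_headers(sent), parse_headers(received)
    return {k: v for k, v in recv_h.items() if k not in sent_h}


def survives_cookie_clearing(pairs) -> set:
    """Names of in-transit headers whose value is the same in every
    (sent, received) pair, including pairs sent after cookies were cleared."""
    per_request = [added_in_transit(s, r) for s, r in pairs]
    if not per_request:
        return set()
    first = per_request[0]
    return {k for k in first if all(p.get(k) == first[k] for p in per_request)}


if __name__ == "__main__":
    print(added_in_transit(SENT_1, RECV_1))
    print(survives_cookie_clearing([(SENT_1, RECV_1), (SENT_2, RECV_2)]))
```

A header that appears only on the server side and keeps the same value after the Cookie header disappears is a network-level identifier rather than browser state, which is why browser privacy controls had no effect on it.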


In January 2015, ProPublica reporters Julia Angwin & Mike Tigas published an investigation titled "Zombie Cookie: The Tracking Cookie That You Can't Kill". It found that the online advertising company Turn Inc., whose back-end systems served ads for major platforms, was using Verizon's undeletable identifier to respawn tracking cookies that privacy-conscious users had deleted.[9]

The mechanism worked in sequence. A user would clear their browser cookies, then visit a site running Turn's ad code. Turn's servers read the Verizon UIDH attached to the incoming request, matched it against Turn's records, & restored the deleted cookie to the user's device.[9] Turn's chief privacy officer, Max Ochoa, defended the practice to ProPublica.

Ochoa told ProPublica:

We are trying to use the most persistent identifier that we can in order to do what we do.

[9]

Turn also took the position that clearing cookies was not a reliable signal that a user wanted to avoid tracking.[9] Within days of the ProPublica report, Turn reversed course & said it would suspend its use of the Verizon header to respawn cookies while it re-evaluated the method.[10] The FCC's later finding confirmed the abuse: the Bureau wrote that "...at least one of Verizon Wireless's advertising partners used UIDH for unauthorized purposes to circumvent consumers' privacy choices by restoring deleted cookies."[2]

Privacy advocacy and congressional inquiries


The EFF gathered more than 2,600 signatures on a petition urging the FCC to investigate Verizon.[11] On the legislative side, four Democratic members of the Senate Commerce Committee, Bill Nelson of Florida, Edward Markey of Massachusetts, Richard Blumenthal of Connecticut, & Brian Schatz of Hawaii, sent a letter to Verizon CEO Lowell McAdam asking whether the company intended to keep using the trackers & what it would do to protect customer privacy.[8]

The senators' letter, quoted by the EFF, addressed the Turn revelations:

While we understand that Turn has suspended its utilization of Verizon's supercookies, such a practice, if true, would seemingly constitute a deliberate circumvention of customer choice and a violation of consumer privacy.

[11]

The Markey office described the core consumer problem in plain terms: unlike regular cookies, which users can delete, Verizon's customers could not delete or evade its supercookies.[8]

Verizon's response


Verizon's initial opt-out mechanism removed a customer only from the Relevant Mobile Advertising program; it did not stop the network from inserting the X-UIDH header into that customer's traffic. After the ProPublica reporting & the Senate letter, Verizon told the New York Times in late January 2015 that it would build a way for customers to opt out of the header itself,[11] & in March 2015 it updated its privacy policy to disclose the UIDH & let customers opt out of the injection.[2] The FCC found that Verizon began using the identifier in December 2012 but did not disclose it until October 2014, & waited until March 2015 to update its privacy policy.[1] In 2015 Verizon acquired AOL for its advertising technology, expanding the data-driven advertising business that the identifier supported.[1]


The FCC's Enforcement Bureau opened an investigation into whether Verizon's conduct complied with Section 222 of the Communications Act, which governs customer proprietary network information, & Section 8.3 of the Commission's rules, the Open Internet Transparency Rule.[12] The Bureau summarized the conduct at the start of the decree.

The decree's opening finding read:

The Enforcement Bureau (Bureau) of the Federal Communications Commission has entered into a Consent Decree to resolve its investigation into whether Cellco Partnership, d/b/a Verizon Wireless (Verizon Wireless or Company) failed to disclose to consumers that it was inserting Unique Identifier Headers (UIDH) into consumers' Internet traffic over its wireless network.

[2]

The Bureau also found that Verizon had inserted the identifier into traffic from lines that could not even participate in its advertising programs: "...Verizon Wireless inserted UIDH into the Internet traffic made from mobile device lines, including enterprise, government, and Mobile Virtual Network Operator (MVNO) lines, which were ineligible to participate in Verizon Wireless's targeted advertising programs."[2]

On March 7, 2016, Verizon settled the matter, identified as File No. EB-TCD-14-00017601, by entering the consent decree DA 16-242.[12] The settlement set the fine & the consent rules.

The Bureau stated the terms:

To settle this matter, Verizon Wireless will pay a fine of $1,350,000 and implement a compliance plan that requires it to obtain customer opt-in consent prior to sharing a customer's UIDH with a third party to deliver targeted advertising. With respect to sharing UIDH internally within Verizon Communications Inc. and its subsidiaries, it must obtain either opt-in or opt-out consent from its customers.

[3]

The compliance plan spelled out the opt-in requirement & a security obligation:

Opt-In. Verizon Wireless will not share the UIDH of a customer with a Third Party to deliver targeted advertising unless Verizon Wireless obtains prior opt-in consent from that customer. Opt-in consent to participate in the Verizon Selects program satisfies this requirement.

[13]

The plan also required Verizon to generate the identifier using methods that comply with reasonable & accepted security standards & to appoint a senior compliance officer.[13]

Consumer response


The settlement drew praise from the privacy groups that had pushed for it. Nate Cardozo, a staff attorney at the EFF, told CBS News that the order was an unqualified win for consumers.[1]

Cardozo added, in a written statement to CBS News:

Today's order will mean that other companies contemplating similar involuntary tracking will think twice before proceeding without explicit consumer consent.

[1]

References

  1. "Verizon to pay $1.35M fine over "supercookie" tracking". CBS News. 2016-03-08. Retrieved 2026-06-14.
  2. "In the Matter of Cellco Partnership d/b/a Verizon Wireless, Order (Consent Decree), DA 16-242" (PDF). Federal Communications Commission, Enforcement Bureau. 2016-03-07. Retrieved 2026-06-14. See paragraphs 1 and 4 of the Order.
  3. "In the Matter of Cellco Partnership d/b/a Verizon Wireless, Order (Settlement Terms), DA 16-242" (PDF). Federal Communications Commission, Enforcement Bureau. 2016-03-07. Retrieved 2026-06-14. The fine and consent terms appear in paragraph 5 of the Order.
  4. "In the Matter of Cellco Partnership d/b/a Verizon Wireless, Consent Decree (Definitions), DA 16-242" (PDF). Federal Communications Commission, Enforcement Bureau. 2016-03-07. Retrieved 2026-06-14. The UIDH definition appears in Section I, paragraph 2(p) of the Consent Decree.
  5. Hoffman-Andrews, Jacob (2014-11-03). "Verizon Injecting Perma-Cookies to Track Mobile Customers, Bypassing Privacy Controls". Electronic Frontier Foundation. Retrieved 2026-06-14.
  6. Mayer, Jonathan (2014-10-24). "How Verizon's Advertising Header Works". Web Policy. Archived from the original on 2026-03-22. Retrieved 2026-06-14.
  7. McMillan, Robert (2014-10-27). "Verizon's 'Perma-Cookie' Is a Privacy-Killing Machine". Wired. Retrieved 2026-06-14.
  8. "Senators Press Verizon Over Privacy Concerns". Office of U.S. Senator Edward J. Markey. 2015-01-29. Retrieved 2026-06-14.
  9. Angwin, Julia; Tigas, Mike (2015-01-14). "Zombie Cookie: The Tracking Cookie That You Can't Kill". ProPublica. Retrieved 2026-06-14.
  10. "Zombie Cookies Slated to be Killed". ProPublica. 2015-01-16. Retrieved 2026-06-14.
  11. Hoffman-Andrews, Jacob (2015-02-02). "Under Senate Pressure, Verizon Plans Supercookie Opt-Out". Electronic Frontier Foundation. Retrieved 2026-06-14.
  12. "In the Matter of Cellco Partnership d/b/a Verizon Wireless, Order (Statutory basis and file number), DA 16-242" (PDF). Federal Communications Commission, Enforcement Bureau. 2016-03-07. Retrieved 2026-06-14. Section 222 of the Communications Act and Section 8.3 of the Commission's rules are named in paragraph 2 of the Order; File No. EB-TCD-14-00017601 appears in the caption.
  13. "In the Matter of Cellco Partnership d/b/a Verizon Wireless, Consent Decree (Compliance Plan), DA 16-242" (PDF). Federal Communications Commission, Enforcement Bureau. 2016-03-07. Retrieved 2026-06-14. The Compliance Plan, including the Opt-In and Security subsections, appears in paragraph 18 of the Consent Decree.