Verizon?s undeletable ?supercookies? track users? web activities
 

The profits made by Google and Facebook from trading users? choices and habits to ad companies are prompting other communication giants such as Verizon, to collect data on their customers, mostly without their knowledge.

Verizon Wireless has been actively implementing its new advertising program called Precision Market Insights (reportedly started in 2012), which tracks web activities of approximately 106 million Verizon customers when they are web surfing from portable devices, the Electronic Frontier Foundation reports.

The tracker registers which sites people visit and how much time they spend there, and even what apps they use on their smartphones and how exactly.

The most interesting is the way Verizon collects the valuable data ? by forcibly installing ?perma-cookies? that track people?s activities on the web on personal devices, reports Wired. And since the header gets injected at the network level, any device could be infected, even if it belongs to those who have never been Verizon customers.

The tracker, called X-UIDH, is injected on a device in an HTTP header, which is then being sent to every unencrypted website a Verizon customer visits from a his smartphone or media tablet. These ?supercookies? allow advertising companies that pay for the Verizon service to put together a comprehensive dossier on every web surfer?s browsing habits - without Verizon customers? knowledge.

The cookie was identified the X-UIDH header. It remains invisible to the user and cannot be disabled or changed via browser settings. The X-UIDH header bypasses built-in browser privacy mechanisms, ignoring such modes as Do Not Track, Incognito, Private Browsing or Limit Ad Tracking settings in both iOS and Android.

Also, Verizon ?supercookies? can?t be turned off, so no web browser privacy mode or clearing cookies will help you to get rid of them. That means that even when cookies are cleared out of a device, the intact X-UIDH with the known profile of a user gives an ad company a chance to quickly restore the necessary cookies on a user?s device and continue to ?guide? his requests for goods and services.

Because X-UIDH is shared with all unencrypted sites visited by Verizon customers, it gives advertisers more data that only cookies get. On top of all, X-UIDH is installed into all used mobile apps that send HTTP requests, thus correlating users' behavior on the web and in using apps.

However, according to AdAge: ?Corporate and government subscribers are excluded from the new marketing solution.?

Verizon maintains that third parties that are not members of the Verizon?s Precision Market Insights advertising program cannot use the supercookie to track Verizon customers.

?The way it?s built, it wouldn?t be able to be used for that,? company spokeswoman Adria Tomaszewski said.

But web security specialists warn that ?de-anonymizing? a user has become commonplace these days, so once a personal profile with a unique ID code gets to advertisers and data brokers, it is relatively straightforward to link the X-UIDH personal profile with a customer.

For intelligence agencies such as America?s NSA, reportedly using cookies to track down individuals as The Washington Post reported last year, the X-UIDH service could become an invaluable source of personal information on citizens.

There are several solutions that would prevent X-UIDH from modifying your traffic and they all imply encryption, as the ?ad virus? can only operate on a plaintext traffic, an attempt to modify an encrypted data flow would simply break the whole connection.

Full protection is guaranteed by a virtual private network (VPN) technology or Tor, but you can also try to surf safely using an encrypted proxy or HTTPS.

If you want to know whether your mobile device is already infected ? go to Amibeingtracked.com right from it and pass an injected header test.

http://rt.com/usa/202035-att-verizon-supercookies-web/

I'm thinking they are about to get hit with some backlash

So who is the "enemy" -- you reap what you sow ...

Not surprising at all.

~Ray
www.hardlinks.org

Before people jump up and down they may want to learn a little more about UIDH.
http://www.faqs.org/patents/app/20130318346

It is used by most if not all mobile carriers.

So you're saying I shouldn't have searched for "Aussie chick blows her dog" on my cell phone last week?

lol, shity

LoL no you should search that 1000 times a day...

People should also understand that the "supercookie" is just an easier method than tracking you by your phones IMEI or MSN ID # ... The both the IMEI and MSN have more power than just tracking your data.

Another NSA program.

Anither reason to why folks should wake up to the fact that you HAVE to use vpn...

I capture all HTTP headers on one site that has a high incidence of extended human interaction, in order to research fraud prevention.

In about 5 months it has captured 6402 unique X-UIDH device IDs.

There are other headers that also seem to present a unique device ID. Some of the values even look like they could be phone numbers. :Oh crap

This is just a regular site. I'm not a part of any ad network.

-- ostensibly to track advertising. Interesting ...

nice read thanks for sharing

Google, Face Book, etc. has been tracking your web activity for years to better target you with ads.

Most cellphone users are clueless to how easy it is to track them. With the proper equipment you can listen to them and intercept text messages also. Lots of intel is gathered this way, of course they can't use that in court but they do not need to when they catch a criminal act as it happens.

Information/Data has significant value if you know what to do with it and/or how to use it.

Quick scan of the header logs, these are some of the more obscure headers... (they appear for a tiny fraction of a percent of the total visitors)

X-jinny.cid:
X_UP_CALLING_LINE_ID:
X_UP_SUBNO:
X-London-GUID:
x-wsb-billing:
X-Newrelic-Id:
imsi:
x-uidh:
x-nokia-imsi:
X-UP-NAI:
X-Nokia-IMSI:
X-IMSI:
X-Up-Calling-Line-Id:
X-Nokia-MSISDN:
x-imsi:
X-Unique-Identifier:
X-MSP-CLID:
X-msisdn:
X-WAP-Network-Client-MSISDN:

etc, etc.

All these headers have values that appear to be unique IDs, in some cases possibly a phone number.