Do Verizon and AT&T’s Super Cookies Count as Sesson Identifiers?

Over the past weeks, we’ve been learning more and more about a supercookie that Verizon and AT&T have stuck in the phone browsing of users on their mobile network. In the case of Verizon, you can’t opt out of sending the supercookie any time you browse using Verizon’s network, and websites you visit will be able to use Verizon’s supercookie to track you as well.

Whatever the merits of Verizon’s new business model, the technical design has two substantial shortcomings. First, the X-UIDH header functions as a temporary supercookie.3 Any website can easily track a user, regardless of cookie blocking and other privacy protections.4 No relationship with Verizon is required.

Second, while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header.5 All they do, seemingly, is prevent Verizon from selling information about a user.

Unless you opt out, this cookie will also track your your geography and demography.

Kashmir Hill has been doing great work on it, including today’s responses from the two phone companies about what they’ve been doing.

How long have they been tagging their users this way?

Verizon: Two years. Given how long Verizon has been doing it, Kasowic said she was “surprised” by the attention this week.
AT&T: “A little while.” AT&T is just “testing it” at this point.

Why are they tagging customers this way?

Verizon: To deliver ads, to authenticate users and allow them to avoid filling out forms, and for fraud prevention.
AT&T: To deliver ads.

Is there any privacy protection built in?

Verizon: The code is “dynamic” and will change on a “regular basis” — at least once per week.
AT&T: The code is dynamic and will change daily.


Can they opt out of anything?

Verizon: Customers can’t opt out of the header code being sent “because it’s used for multiple purposes,” says Kasowic. But they can opt out of it being used to show them relevant ads. “When it’s used for the advertising program, there’s a place where information is tied to the UIDH (Unique Identifier Header) — such as ‘Females in Alexandria, VA. between the ages of 25 and 50,” said Kasowic. “It’s just segments that other people wouldn’t understand. There’s no personal identification. If you opt out, there’s no information stored there.” But the tracking code remains.
AT&T: Siegel says customers will be able to opt out of ad delivery and tracking.

Among all the other worries I have about this, I have my lingering worry: that the government will use the supercookie if and when USA Freedom Act passes. As a reminder, here’s how USAF defines “call detail record,” which is a key part of their ongoing daily production.

(2) CALL DETAIL RECORD.—The term ‘call detail record’—

(A) means session identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and

(B) does not include—

(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;

(ii) the name, address, or financial information of a subscriber or customer; or

(iii) cell site location information.

This definition uses language tied to phone calls, but with the limited exception of the CDR definition used for NSLs, there is a well-established tradition of using phone CDR language to get Internet records. And a cookie is the quintessential “session identifier.” While Verizon’s supercookies might provide access to things that might qualify as content — “any information concerning the substance, purport, or meaning of that communication” — it would not seem to necessitate this. Plus, the supercookie would provide generalized location without cell site location.

In other words, the Verizon supercookie would provide FBI and NSA a way to get rich information on the target and his online actions — including co-presence on sites that might include chat rooms (which would serve as your hops) — that they could then match up to the backside, tracking the cookie on across the web. Depending on what Verizon uses it to authenticate users for, it may give a lot more. (Note, too, that Sprint appears to be working on the equivalent of a burner phone application for mobile devices based off cookies; this supercookie would seem to make that even easier.)

The Yahoo example — where the government moved from requesting emails and instant messages to requesting 9 things, potentially across all of Yahoo’s business units in 5 months — is instructive. Even if they aren’t already planning on using this (which I doubt, given that it has been out there for 2 years), they will use it. And nothing in the bill seems to prohibit it.

I’m not convinced this is the only answer to my question about what connection chaining does. But I think it is one of answer.

Update: Propublica reports that Twitter has adopted Verizon’s UIDH for its own advertising purposes.

The data can be used by any site – even those with no relationship to the telecoms — to build a dossier about a person’s behavior on mobile devices – including which apps they use, what sites they visit and for how long.

MoPub, acquired by Twitter in 2013, bills itself as the “world’s largest mobile ad exchange.” It uses Verizon’s tag to track and target cellphone users for ads, according to instructions for software developers posted on its website.

25 replies
  1. Desider says:

    Heh heh heh – who needs 666 on your forehead when you have supercookie speed dial in your phone.

    Whether the Vatican or NSA needs to get hold of you, they’ll have your child porn habits, political affiliation & activism, and pertinent health/demographic data with which to process your case quickly.

    Just sit back and enjoy it, as Ross Perot once suggested.

  2. bloopie2 says:

    Does this relate to only Internet browsing on a smartphone? If so, then if I don’t use my smartphone go access the Internet it doesn’t affect me? How about this – I have a laptop with a Verizon plug-in USP thingy that I use to access the Internet – is that affected?

    • P J Evans says:

      For a while, I had data available on my phone for locating stuff. I got it turned off, because if I wanted to find a place to eat near where I worked, the first three or four screens were all ads for restaurants several miles away. (This is downtown LA, I don’t want to see places in Beverly Hills.) So ads are a big part of their data delivery.

  3. orionATL says:

    i assume this:

    1) this is for the purpose of selling customers data to make money

    2) this will serve the purpose of meeting verizon or at&t’s “service obligation in the war on “terror” “.

    isn’t it a nice trap our politicians and regulators have put us in – super-consolidation in phone industry has left us with only two major phone networks, both coincidentally adopting an unerasable data collection mini-program for browser users of their cellphones.

    of course there’s sprint. want to sign up? before they too accede?

    i want to have access to european networks :)

    • Phil Perspective says:

      … super-consolidation in phone industry has left us with only two major phone networks, both coincidentally adopting an unerasable data collection mini-program for browser users of their cellphones.

      Aren’t there three, and maybe four? Verizon, AT&T, Sprint and T-Mobile?

      • orionATL says:

        t-mobile is owned by deutsche telecomm indirectly thru a “buyout” of t-mobile by metro pcs thus giving the formerly foreign owned t-mobile a name on the ny stock exchange.

        sprint is owned by softbank (japanese?).

        quest is owned by centurylink, but they seem to be regional (at least they are available to me for adsl).

        from a consumer viewpoint (mine) there is little competition.

  4. TarheelDem says:

    Well now, that’s a great way to deal with expensive infrastructure. Securitize it to death. But then, not having a phone or internet connection will de-privilege you in the same way that failure to have a residential address or a bank account does today. Failing to connect is prima facie evidence that you are or have become untrustworthy.

    Boycotting becomes real only as a mass boycott that aggregates large numbers of those $50 and up charges for connections. Short of that, you are as they are saying about so much of human behavior in contemporary US society–suspicious.

    And joy of joys, we continue to get to pay for it whether we have any relationship with the corporations doing this. On one side of the wire or the other. So when do Verizon and ATT require the supercookies as part of the data stream on their backbone broadband networks? In internet of thing applications, such as autos with preset capabilities to access EZ-Pass and other toll collection services? As a universal event-tracking envelope for all sorts of transactions?

  5. jerryy says:

    Has anyone asked if this is limited to just the phone browsers on their networks?
    After all, both Verizon and AT&T offer web-site hosting, which could mean anyone that visits a site they host might be considered a customer. Most folks do not know how to find out who actually hosts the site.

  6. earlofhuntingdon says:

    Luscious non-answers by AT&T and Verizon, the two largest providers of mobile services in the United States. Makes the President’s Analyst look understated. But hey, what could go wrong?

  7. earlofhuntingdon says:

    One proof of the pudding will be to what extent open source apps that turn off such supercookies are prohibited by service providers.
    Revenue made from drift netting personal consumer data is already a surreptitious multibillion dollar a year business. Tying it to govt surveillance powers would ensure, among other things, that the US never enacts the kind of data privacy and data use and disclosure rules that the rest of the industrialized world has had for more than a decade.

  8. earlofhuntingdon says:

    Consider this supercookie in conjunction with the efforts by large banks and others surreptitiously to collect and use consumer voice prints as the de facto personal identifier for all account transactions.

  9. abbadabba says:

    Wow, what a train wreck at the Intercept…Way to wind the whole thing up with a Swedish massage, folks! The story is now the busted story tellers. I’m telling!

    Orange you glad you didn’t go there, Marcy? Talk about a spiraling squadron! Do they seriously think it is OK to display ANYONE’S harassment investigation outcomes even if the laundry came out clean? See what I mean? Meanies. I hope Matt sues the Intercept into the dirt so we can all start over, Phoenicians.

    Cookies have always meant crookies in my family. We loved to coyly cling to mother and beg her…”Could I have a crookie?”

    AT&T and Verizon control the most crooked of creeks up which they have taken our paddles! Here’s hoping for some major rain.

    Encryption and justice for all!

  10. abbadabba says:

    Earl of Huntington? How many times do you think we pay providers for the same data streams, king of fishers? I imagine multiple agencies purchase multiples of same multiples. Does the government mint hoodie billionaires just to hornswaggle us? OMG, that is NOT what I meant.

    Just how over valued is that hay stack? Couldn’t be as ridiculous as their CDS stack. That’s still in the hundreds of trillions. They just won’t let it die. Poor little P-PPIP. Ugly baby thing from Eraserhead.

  11. abbadabba says:

    Just rewatched “The Contender”….say NO-THING! The topic of why it didn’t work out with those iceholes in beneath your dignity!!

    You didn’t do anything wrong to have parted ways, so let them say it for you? Can you get over that BS excuse for violating Matt’s privacy and revealing the harassment inquiry? Now folks are slandering him with OTHERS words in the comment section, too! Mona, you are such a person.

  12. abbadabba says:

    Sorry to have to air that dirty laundry here, but the suppression section at the Intercept is much like its management’s. You cannot believe what passes for strange there.

    I go there to get a direct line into GCHQ so they can go fuck themselves daily. Hay, way to rain hellfire on a useless Racket, Q. Who’s the snub nosed gal? Of course to reveal her identity would be WRONG, right? Especially since NOTHING HAPPENED other than this honey snot shot.

Comments are closed.