Concern Arises Over Verizon's New Sneaky 'Stealth Cookie'



securitybreach
Verizon Wireless has started taking heat from privacy advocates for altering their customers' traffic and inserting unique identifiers that users have no control over. We've already explored how over the last two years Verizon has been ramping up data collection on its wireless customers via programs like Verizon Selects and their Relevant Mobile Ad department, which track your personal information and web habits for more tailored advertisements (that data's also sold to third parties).

 

 

Curiously, while Verizon has been tracking users' online activity for two years, it was only last week that people started noticing that Verizon was using a controversial sort of "super cookie" that modifies user traffic to uniquely identify users. This Unique Identifier Header, or UIDH, broadcasts your identity across the web -- and remains -- and can be abused -- even if you opt-out of Verizon's programs.

 

That's a huge problem, notes Stanford lawyer and computer scientist Jonathan Mayer, who writes that broadcasting that unique identifier is rather ham fisted

http://www.dslreport...h-Cookie-131034

 

Source: https://www.reddit.c...stealth/clm7ret

 

Verizon isn't the only carrier doing it. @kennwhite noted on his sniff page the following carriers his tool will identify: AT&T, Verizon, Sprint, Bell Canada, & Vodacom.

You can check to confirm if your device's requests are being injected at http://lessonslearned.org/sniff

Edit: It has been confirmed that T-Mobile doesn't inject UID into HTTP traffic. Note that these carriers can only inject into HTTP traffic, so any site that uses HTTPS will be protected from this. Larger sites like Amazon, Facebook, Yahoo all use HTTPS, effectively protecting you from this nonsense.

So glad I moved to T-Mobile two years ago.

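The kind of check the sniff page above performs can be reproduced by comparing the request headers a device sent with the headers the server actually received over plain HTTP. This is an added example, not code from the post or from that site: both captures, the host names, the identifier value and the function names are constructed, and `X-UIDH` is the header name Verizon's UIDH was publicly reported under.

```python
# Added example: compare the request head a device sent with what the server
# received over plain HTTP, to spot headers inserted in transit.
# Both captures below are constructed sample data.

# Headers an ordinary proxy may legitimately add; anything else new is suspect.
EXPECTED_HOP_HEADERS = {"via", "forwarded", "x-forwarded-for"}

SENT = (
    "GET /sniff HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "DNT: 1\r\n"
    "\r\n"
)
# Same request as seen by the server; the X-UIDH value is a constructed placeholder.
RECEIVED = (
    "GET /sniff HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "DNT: 1\r\n"
    "Via: 1.1 proxy.example.test\r\n"
    "X-UIDH: CONSTRUCTED-PLACEHOLDER-ID\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return {lowercased header name: [values]} from a raw HTTP request head."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip request line
        if not line:
            break  # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines without a colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def injected_in_transit(sent_raw, received_raw):
    """Headers the server saw that the client never sent, minus proxy headers."""
    sent, received = parse_headers(sent_raw), parse_headers(received_raw)
    return {
        name: values
        for name, values in received.items()
        if name not in sent and name not in EXPECTED_HOP_HEADERS
    }


if __name__ == "__main__":
    print(injected_in_transit(SENT, RECEIVED))
```

For a request made over HTTPS the two captures match, since the carrier cannot alter headers inside the encrypted session, and the function returns an empty result.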

My quiet retirement and very small family (along with financial considerations) stopped me from investing in a smart phone--I don't even have a data plan with the "dumb" phone I do have. While I think every once in a while that a smart phone might be handy, I read something like this and figure I'm fine just the way I am.


securitybreach

Well all of the companies do not do this. Out of the big 4, T-Mobile is the only one who isn't doing this. I wonder if that is because they are the only company not American owned.


securitybreach

I moved to T-Mobile from AT&T last year and I couldn't be happier. As I buy unlocked Nexus phones, I was able to take advantage of T-Mobile's no-contract, bring-your-own-device plan. I pay $50 a month for unlimited talk/text and 3 GB of data, which is fine as I am on Wi-Fi 98% of the time.


Guest LilBambi

I went to lessonslearned.org/sniff and there is nothing in the broadcast UID:

 

So it is not something being universally done. I tried with both Safari and Google Chrome on iOS 8 on my iPhone 6 and it showed:

 

1. date tested

2. the browser/agent was correct

3. showed do not track enabled on both

4. broadcast UID was empty

5. and showed the IP address correctly


securitybreach

Hmm, that is odd. DSL Reports is usually pretty good at reporting on issues.

 

It must be selective as you said or perhaps something else. I dunno
