Verizon advertising partner Turn is using the carrier’s Unique Identifier Header, or UIDH, to maintain tracking cookies on smartphones even after privacy-minded users have deleted them, Jonathan Mayer, a computer scientist and lawyer at Stanford University, reported this week.
Turn shares the cookies with dozens of major websites and advertising networks, resulting in the creation of a “vast web of non-consensual online tracking,” according to Jacob Hoffman-Andrews, a senior staff technologist at the Electronic Frontier Foundation.
Facebook is one of those sites.
“Turn works with Facebook Exchange and LiveRail as a DSP; however, our work with them is restricted to desktop — not mobile,” Facebook spokesperson Tim Rathschmidt told the E-Commerce Times.
“We don’t directly support the type of mobile persistent cookie they refer to, nor do we believe it’s a good thing for people or the industry,” he added.
Mobile phones aren’t the only devices that could be infected with zombie cookies — so named because they keep rising from the dead.
“If a Verizon customer tethered with their phone, their notebook could get stuck with the zombie value,” Mayer wrote.
Neither Turn nor Verizon responded to our requests to comment for this story.
However, Verizon claims on its website that when a mobile user opts out of advertising programs, no information associated with its UIDH is available to its ad partners, and that it doesn’t know of any unintended uses of its UIDH.
Nevertheless, Turn appears to be engaging in an unintended use.
“Turn is using the UIDH header value to re-identify and re-cookie users who have taken careful steps to clear their cookies for privacy purposes,” Hoffman-Andrews said.
“This contradicts standard browser privacy controls, users’ expectations, and Verizon’s own claims that the UIDH header won’t be used to track users because it changes periodically,” he pointed out.
Turn’s Not Alone
“Turn is explicitly and intentionally overriding a user’s expressed privacy choice,” Hoffman-Andrews told the E-Commerce Times. “They’re circumventing what is a basic privacy control.”
All mobile platforms supported by Verizon are affected by the cookies, as well as any device that uses a Verizon mobile hotspot, he added. Once a device is back on a home network, the user can delete the cookie and it will remain dead — until the next time the device connects to the Verizon mobile network.
While users can’t delete the Verizon UIDH, they can blind Turn with an ad-blocker, such as Adblock Plus with the EasyPrivacy list enabled, Disconnect Pro, or the EFF’s own Privacy Badger.
However, “I’d be surprised if Turn was the only one doing this,” Hoffman-Andrews observed.
“We can spot Turn doing this because it resurrects the literal cookie,” he explained, “but I strongly suspect that other ad networks are maintaining connections between cookies without resetting the same literal cookie, which is something we would not be able to observe as consumers.”
Whether this latest flap over the UIDH will persuade Verizon to reevaluate its use remains to be seen.
“Mobile is the place where advertisers want to be, so the more an audience can be tailored for marketers, the more attractive and appealing a platform is going to be,” said John Carroll, a mass communications professor at Boston University.
“Clearly, there’s a financial vested interest in this for Verizon,” he told the E-Commerce Times, “but it could also backfire on them in a way that’s going to be completely counterproductive.”
AT&T also used UIDHs in the past. However, it scrapped them at the end of last year, citing privacy concerns.