Verizon has recently come under increasing fire for its unique identifier header (UIDH) tracking tool, which it uses on its customers’ smartphones. UIDHs – dubbed “zombie cookies” for the way in which they reappear on a user’s device after being deleted – are used by Verizon to tag and follow its mobile subscribers around the web. However, the concern from the cybersecurity industry over the last few months has been that third parties are able to use these unique customer identifiers to track mobile users, and that users are unable to delete the UIDH permanently in the same way as a standard cookie.
In November last year, AT&T stopped using its equivalent version of the UIDH, but Verizon at the time chose not to do so on the basis that “it is unlikely that sites and ad entities will attempt to build customer profiles” using its identifiers. It downplayed the cybersecurity and privacy concerns by explaining that users can opt out of Verizon’s mobile advertising programs and that this stops the unique customer code being used by Verizon and third parties.
However, a recent blog post by Jonathan Mayer reported that Turn, a major ad tech company and advertising partner of Verizon, was using the UIDH to respawn cookies which had been deleted and was able to use Verizon’s unique customer codes to continue tracking users. As a New York Times story last weekend confirmed:
“In effect, Turn found a way to keep tracking visitors even after they tried to delete their digital footprints”
Mayer found that Turn had attached Verizon’s UIDH onto its existing cookie-tracking tools and then used the information contained in the header to reconstruct a missing or deleted cookie. This meant that when a user on a mobile device who had previously deleted the tracking cookie for a site landed on the same site again, Turn was able to identify the user from the device header and use that information to respawn the deleted cookie.
The UIDH also appeared even when Mayer tested accounts which had opted out of Verizon’s ad targeting programs, Relevant Mobile Advertising and Verizon Selects.
Reporting on Verizon’s use of the ‘zombie cookies’, the Electronic Frontier Foundation identified various ways in which they differ from standard cookies. Firstly, they are tied to a data plan:
“anyone who browses the web through a hotspot, or shares a computer that uses cellular data, gets the same [UIDH] header as everyone else using that hotspot or computer. That means advertisers may build a profile that reveals private browsing activity to coworkers, friends, or family through targeted advertising”.
Secondly, they can’t be seen by the user or changed in the device’s browser settings.
Finally, each customer code doesn’t belong to a single site but instead is
“shared with all unencrypted websites a user visits, making it easier for ad networks to track that user across many sites in a way not possible with cookies alone”.
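Because the header is added in transit and never shown in the browser, the practical way to see it is to compare what a device sent with what a server received. The following check is an added example, not code from the article or from any of the parties it names: it flags headers that appear only on the server side and keep the same value across visits made with cookies cleared. `X-UIDH` is the header name Verizon used; the echo host, the `BENIGN_HOPS` list and every header value are constructed for illustration.

```python
# Constructed sample data: each tuple is (headers the client sent,
# headers an echo endpoint reported receiving) for one visit over plain
# HTTP from a fresh browser profile. All values are made up.
HTTP_SESSIONS = [
    ({"Host": "echo.example", "Cookie": "uid=aaa111"},
     {"Host": "echo.example", "Cookie": "uid=aaa111",
      "X-UIDH": "CONSTRUCTED-UIDH-VALUE", "X-Request-Id": "r-001",
      "Via": "1.1 proxy"}),
    ({"Host": "echo.example"},  # tracking cookie deleted before this visit
     {"Host": "echo.example",
      "X-UIDH": "CONSTRUCTED-UIDH-VALUE", "X-Request-Id": "r-002",
      "Via": "1.1 proxy"}),
]
# Same request over HTTPS: the network cannot alter encrypted headers.
HTTPS_SESSION = ({"Host": "echo.example"}, {"Host": "echo.example"})

# Hop headers that proxies routinely add (assumed list, adjust as needed).
BENIGN_HOPS = {"via", "connection"}


def injected_headers(sent, received):
    """Headers the server saw that the client never sent (case-insensitive)."""
    sent_names = {name.lower() for name in sent}
    return {name.lower(): value for name, value in received.items()
            if name.lower() not in sent_names
            and name.lower() not in BENIGN_HOPS}


def persistent_identifiers(sessions):
    """Injected headers whose value is identical in every session.

    A value that stays the same after cookies are cleared is what lets a
    third party rebuild a deleted cookie; per-request values are ignored.
    """
    per_session = [injected_headers(sent, received)
                   for sent, received in sessions]
    if not per_session:
        return {}
    first = per_session[0]
    return {name: value for name, value in first.items()
            if all(other.get(name) == value for other in per_session[1:])}


if __name__ == "__main__":
    print("plain HTTP:", persistent_identifiers(HTTP_SESSIONS))
    print("HTTPS     :", injected_headers(*HTTPS_SESSION))
```
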
Following the recent reports and criticism within the tech industry, Turn has reassessed and no longer uses the ‘zombie cookies’. The recent report has also raised questions, particularly in the US, over whether ISPs should be reclassified as “common carriers” (akin to telecoms services) which would restrict their ability to collate and sell customer data to ad targeting companies.