Verizon Wireless Settles FCC 'Supercookie' Complaint - InformationWeek
Mobile // Mobile Devices
08:06 AM
Connect Directly

Verizon Wireless Settles FCC 'Supercookie' Complaint

For failing to inform customers about its ad tracking identifier, the telecom company must pay a $1.35 million fine, a tiny fraction of its annual revenue.

7 Tech Jobs Hardest Hit By Layoffs In 2015
7 Tech Jobs Hardest Hit By Layoffs In 2015
(Click image for larger view and slideshow.)

The Federal Communications Commission on Monday said it has reached an agreement with Verizon Wireless to settle charges that it employed an online advertising identifier without the knowledge or consent of customers.

There's no agreement, however, about how to identify the identifier. The FCC maintains Verizon Wireless inserted "unique identifier headers or so-called 'supercookies' into its customers' mobile Internet traffic" for the purpose of delivering targeted ads.

Verizon chief privacy officer Karen Zacharia in a blog post insists the company's unique identifier header (UIDH) "is not a 'supercookie.' It's not a cookie at all. Cookies are placed and stored on devices. The UIDH is a piece of data included in the header of certain Internet traffic."

Zacharia's definition is conveniently narrow. Cookies exist as fixed files associated with Web browsers, but they don't cease to exist when transmitted as data across a network through an HTTP response. According to the Internet Engineering Task Force (IETF), cookies are simply "name/value pairs and associated metadata." What makes them meaningful in a privacy context is their potential use as a unique identifier, whether that identifier is defanged with cutesy language ("cookie"), made obtuse through abbreviation ("UIDH"), or made threatening through size ("supercookie").

(Image: Aziko25 via Pixabay)

(Image: Aziko25 via Pixabay)

The Electronic Frontier Foundation describes the UIDH thus: "The X-UIDH header effectively reinvents the cookie, but does so in a way that is shockingly insecure and dangerous to your privacy."

Regardless of the relevant terminology, Verizon has agreed to pay $1.35 million to settle the FCC's complaint. It has also agreed to obtain customer opt-in consent before it shares a customer's UIDH with a third-party advertising service.

The penalty amounts to about 0.0015% of the $91.7 billion revenue reported by Verizon Wireless in 2015.

According to the FCC, Verizon began inserting UIDH data into consumer Internet traffic around December 2012 and failed to disclose the practice until October 2014. In a list of FAQs subsequently posted on its website, Verizon said, "It is unlikely that sites and ad entities will attempt to build customer profiles for online advertising or any other purpose using the UIDH."

Are you prepared for a new world of enterprise mobility? Attend the Wireless & Mobility Track at Interop Las Vegas, May 2-6. Register now!

Yet, as the FCC notes in its consent decree through the citation of a ProPublica investigation, Verizon ad partner Turn did use Verizon's unique identifier to track the online activities of Verizon customers on their mobile devices.

"Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they're doing online," said FCC Enforcement Bureau chief Travis LeBlanc, in a statement. "Privacy and innovation are not incompatible."

Zacharia meanwhile defends the need for online advertising and observes that at least Verizon lets customers opt out. "Most of the other leading ad IDs, including those that Google and Apple use, are sent even when customers don't want to be in the advertising program," she said.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
3/10/2016 | 9:14:04 AM
Re: Take a page from the EU
I wish the US would take another page out of the EU privacy laws and allow people to have their names omitted from searches. It really is scary how people have no control of information about them once it gets to the internet.
Pablo Valerio
Pablo Valerio,
User Rank: Ninja
3/9/2016 | 8:57:21 AM
Take a page from the EU
Tom, the FCC should take a look at the EU privacy directive, and look for fines of 10% of the global annual tunrover of the company. That is the only way the rules are enforced.
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Annual IT Salary Report 
Base pay for IT professionals has remained flat this year with a median annual salary of $88,000 for staff and $112,000 for management. However, 58% of staff and 62% of managers who responded to our survey say they're satisfied with their compensation. Download this report to find out which positions earn the highest compensation.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll