Verizon Wireless Customers Face 'Zombie Cookies'

Cookie files placed on the phones of Verizon Wireless customers by the ad company Turn return to life even after they've been deleted.

Thomas Claburn, Editor at Large, Enterprise Mobility

January 15, 2015


If you're a Verizon Wireless customer, you may have a zombie tracking you. Or, more specifically, a "zombie cookie" in your mobile browser.

This cookie contains an identifier that assists Verizon's advertising partner Turn in the delivery of targeted mobile advertising. Through information provided by Verizon, Turn can restore this cookie even after you've cleared it from your browser.

Verizon Wireless makes Turn's persistent identifier possible by sending an HTTP header called X-UIDH to every unencrypted website visited by Verizon Wireless customers.


Verizon Wireless customers who might be inclined to seek privacy should not do so in commonly accepted ways. Rather, they're advised to do so only in ways accepted by the online advertising industry.

That's Turn's recommendation for dealing with what the security researcher Jonathan Mayer calls a "zombie cookie" and Turn calls simply a UID (user identification) cookie.

On Wednesday, Mayer published an analysis of the "Turn-Verizon zombie cookie," in which he cast doubt on the legality of the two companies' advertising practices and asserted widespread collateral damage to the privacy of Internet users.

As far as Turn is concerned, clearing cookies from one's browser doesn't qualify as an acceptable expression of one's desire for privacy. Nor does activating a browser's privacy mode or enabling a browser's Do Not Track setting.

To opt out, users must take it upon themselves to visit the Turn website, the Network Advertising Initiative website, or the Digital Advertising Alliance website.

In his analysis, Mayer contended that these opt-out mechanisms don't really work. Verizon's opt-out mechanism, he said, prevents Verizon from passing along additional customer information but leaves the UIDH identifier intact. Turn's opt-out mechanism appeared to work, but upon clearing his browser state and revisiting the websites that initially spawned the cookie, he found that the cookie had been restored.

A Federal Trade Commission spokesperson declined to comment.

Jacob Hoffman-Andrews, senior staff technologist with the Electronic Frontier Foundation, wrote in a blog post: "This ongoing privacy fiasco reinforces how dangerous it is for ISPs to use their network control to impose non-standard new tracking methods on their customers."

Verizon didn't immediately respond to a request for comment.

Max Ochoa, Turn's general counsel and chief privacy officer, responded to Mayer's findings via a blog post, insisting that the company respects consumers' opt-out choices and disagreeing with Mayer's characterization of the company's approach.

"When a consumer opts out -- either through the industry standard tools provided by the DAA or the NAI, or through Turn's own opt-out -- the record of that choice is preserved on Turn's servers," Ochoa said in his blog. "Subsequently, when Turn receives a bid request associated with that cookie or UID, Turn will see the opt-out flag associated with that ID and will never submit a bid for an online behavioral advertising (OBA) campaign."

In his blog post, Ochoa wrote that Turn does not store or use "any generally recognizable personally identifiable information" such as email addresses or credit card numbers in relation to its services.

However, Turn does store unique persistent identifiers associated with Verizon Wireless customers, and any of the dozens of other advertising companies with access to Turn's unique identifiers, including Facebook, Google, Twitter, and Yahoo, can associate such identifiers with profiles in their own databases.

According to Mayer, ad blocking software offers some protection but might not be easily available on some mobile devices. He recommends a VPN as the only viable way presently to avoid tracking.
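The mechanism described above can be modeled in a few lines. This is an added example, not code from Verizon, Turn, or Mayer's analysis: the `AdServer` class, the `ads.example` host, the token value, and the assumption that the cookie value is derived directly from the X-UIDH header are all hypothetical, chosen only to show why clearing cookies fails on plain HTTP and why an encrypted path behaves differently.

```python
import hashlib

# Constructed value standing in for the per-subscriber token the carrier injects.
SUBSCRIBER_UIDH = "constructed-uidh-token-0001"

def carrier_forward(headers, encrypted):
    """Model of the carrier network: add X-UIDH to plain HTTP requests only.
    Requests inside HTTPS or a VPN tunnel cannot have headers inserted in transit."""
    out = dict(headers)
    if not encrypted:
        out["X-UIDH"] = SUBSCRIBER_UIDH
    return out

class AdServer:
    """Hypothetical ad server that keys its UID cookie on X-UIDH when present."""
    def __init__(self):
        self._fresh = 0

    def handle(self, headers, cookies):
        if "uid" in cookies:
            return cookies["uid"]          # browser still holds the cookie
        uidh = headers.get("X-UIDH")
        if uidh is not None:
            # Same header value gives the same cookie, so a cleared cookie comes back.
            return "uid-" + hashlib.sha256(uidh.encode()).hexdigest()[:12]
        self._fresh += 1                   # no header: nothing links this visit to the last
        return f"uid-fresh-{self._fresh}"

def browse(server, cookie_jar, encrypted):
    """One page load: the request crosses the carrier, then the server sets a cookie."""
    headers = carrier_forward({"Host": "ads.example"}, encrypted)
    cookie_jar["uid"] = server.handle(headers, cookie_jar)
    return cookie_jar["uid"]

def cookie_survives_clearing(encrypted):
    """Visit, clear all cookies, visit again; report whether the same UID returned."""
    server, jar = AdServer(), {}
    first = browse(server, jar, encrypted)
    jar.clear()                            # user clears browser state
    second = browse(server, jar, encrypted)
    return first == second

if __name__ == "__main__":
    print("plain HTTP, cookie restored:", cookie_survives_clearing(encrypted=False))
    print("HTTPS or VPN, cookie restored:", cookie_survives_clearing(encrypted=True))
```
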

