
Verizon Wireless Embroiled In Tracking Controversy

Verizon Wireless is in hot water with security and privacy advocates regarding unique identifier headers that function as what one EFF expert calls "perma-cookies."

tracking more sensitive search topics.

"This information on you could be held long-term, depending on Verizon's partners and whether it's sharing web browsing information with data brokers and data resellers," she said in an interview. "And when it comes to sensitive searches, people should be able to search for this stuff without fearing for reprisals based on what they're looking for. This may crimp people's style and their willingness to search for things on the Verizon network."

Verizon did not answer InformationWeek's request for the names of its data broker and data reseller partners.

What you can do
Verizon Wireless's UIDH renders traditional privacy mechanisms -- such as clearing cookies, browsing incognito, and private browsing -- useless, the EFF's Hofmann-Andrews said. And while the header will follow you to most websites, it will not track you on websites that use HTTPS, he said.

There are two ways to circumvent Verizon's use of the UIDHs, though neither is especially practical, Hofmann-Andrews said. The first is to always browse the web on your device while connected to WiFi instead of relying on cellular data, since WiFi enables you to bypass Verizon servers. The second is to use a VPN on your device, which insulates the user from the carriers and Internet providers -- but is a solution that he says should be unnecessary.

"Users shouldn't have to install a VPN to protect themselves. When you use a VPN, you're trusting that VPN not to modify your traffic," he said. "You're buying privacy as an add-on, but it should be built into your service."

The preferred solution, privacy experts said, is for Verizon to cease -- or at least modify -- its use of the UIDHs.

"We think Verizon needs to stop modifying users' Internet connections and reengineer this header immediately so it only gets sent when a user explicitly opts in," Hofmann-Andrews said.

"The thing that really strikes me is even the smartest and most conscientious consumer would have had trouble detecting this," said the World Privacy Forum's Dixon. "It's very discouraging for people who are trying hard to stay safe online."
