If you're a Verizon Wireless customer, you may have a zombie tracking you. Or, more specifically, a "zombie cookie" in your mobile browser.
This cookie contains an identifier that assists Verizon's advertising partner Turn in the delivery of targeted mobile advertising. Through information provided by Verizon, Turn can restore this cookie even after you've cleared it from your browser.
Verizon Wireless makes Turn's persistent identifier possible by sending an HTTP header called X-UIDH to every unencrypted website visited by Verizon Wireless customers.
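As an added illustration (not code from Mayer's analysis, Verizon, or Turn), the following audit groups requests received over plain HTTP by the injected X-UIDH value, showing why clearing cookies does not break the link between visits. The sample requests, the `uid` cookie name, and the header values are constructed placeholders.

```python
from collections import defaultdict

INJECTED_HEADER = "x-uidh"  # header name from the article, lower-cased for lookup

# Constructed requests as a plain-HTTP site might receive them (not real captures).
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\nCookie: uid=AAA111\r\nX-UIDH: EXAMPLE-UIDH-1\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\nx-uidh: EXAMPLE-UIDH-1\r\n\r\n",  # cookies cleared
    "GET / HTTP/1.1\r\nHost: example.test\r\nCookie: uid=BBB222\r\nX-UIDH: EXAMPLE-UIDH-1\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\nCookie: uid=CCC333\r\n\r\n",  # no injected header
    "GET / HTTP/1.1\r\nHost: example.test\r\nCookie: uid=DDD444\r\nX-UIDH: EXAMPLE-UIDH-2\r\n\r\n",
]

def parse_headers(raw):
    """Return one raw request's headers as a dict keyed by lower-cased name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(requests):
    """Group cookie values by injected identifier; list requests without one."""
    cookies_by_uidh = defaultdict(list)
    clean = []
    for index, raw in enumerate(requests):
        headers = parse_headers(raw)
        uidh = headers.get(INJECTED_HEADER)
        if uidh is None:
            clean.append(index)
        else:
            cookies_by_uidh[uidh].append(headers.get("cookie"))
    return dict(cookies_by_uidh), clean

def linkable_after_clearing(cookies_by_uidh):
    """Identifiers seen with more than one cookie state, including no cookie."""
    return sorted(u for u, seen in cookies_by_uidh.items() if len(set(seen)) > 1)

if __name__ == "__main__":
    by_uidh, clean = audit(SAMPLE_REQUESTS)
    for uidh in linkable_after_clearing(by_uidh):
        print(f"{uidh}: same identifier across cookie states {by_uidh[uidh]}")
    print("requests without the injected header:", clean)
```
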
Verizon Wireless customers who might be inclined to seek privacy should not do so in commonly accepted ways. Rather, they're advised to do so only in ways accepted by the online advertising industry.
That's Turn's recommendation for dealing with what the security researcher Jonathan Mayer calls a "zombie cookie" and Turn calls simply a UID (user identification) cookie.
On Wednesday, Mayer published an analysis of the "Turn-Verizon zombie cookie," in which he cast doubt on the legality of the two companies' advertising practices and asserted widespread collateral damage to the privacy of Internet users.
As far as Turn is concerned, clearing cookies from one's browser doesn't qualify as an acceptable expression of one's desire for privacy. Nor does activating a browser's privacy mode or enabling a browser's Do Not Track setting.
To opt out, users must take it upon themselves to visit the Turn website, the Network Advertising Initiative website, or the Digital Advertising Alliance website.
In his analysis, Mayer contended that these opt-out mechanisms don't really work. Verizon's opt-out mechanism, he said, prevents Verizon from passing along additional customer information but leaves the UIDH identifier intact. Turn's opt-out mechanism appeared to work, but upon clearing his browser state and revisiting the websites that initially spawned the cookie, he found that the cookie had been restored.
A Federal Trade Commission spokesperson declined to comment.
Jacob Hoffman-Andrews, senior staff technologist with the Electronic Frontier Foundation, wrote in a blog post: "This ongoing privacy fiasco reinforces how dangerous it is for ISPs to use their network control to impose non-standard new tracking methods on their customers."
Verizon didn't immediately respond to a request for comment.
Max Ochoa, Turn's general counsel and chief privacy officer, responded to Mayer's findings via a blog post, insisting that the company respects consumers' opt-out choices and disagreeing with Mayer's characterization of the company's approach.
"When a consumer opts out -- either through the industry standard tools provided by the DAA or the NAI, or through Turn's own opt-out -- the record of that choice is preserved on Turn's servers," Ochoa said in his blog. "Subsequently, when Turn receives a bid request associated with that cookie or UID, Turn will see the opt-out flag associated with that ID and will never submit a bid for an online behavioral advertising (OBA) campaign."
In his blog post, Ochoa wrote that Turn does not store or use "any generally recognizable personally identifiable information" such as email addresses or credit card numbers in relation to its services.
However, Turn does store unique persistent identifiers associated with Verizon Wireless customers, and any of the dozens of other advertising companies with access to Turn's unique identifiers, including Facebook, Google, Twitter, and Yahoo, can associate such identifiers with profiles in their own databases.
According to Mayer, ad blocking software offers some protection but might not be easily available on some mobile devices. He recommends a VPN as the only viable way presently to avoid tracking.