Verizon Wireless Settles FCC 'Supercookie' Complaint

For failing to inform customers about its ad tracking identifier, the telecom company must pay a $1.35 million fine, a tiny fraction of its annual revenue.
7 Tech Jobs Hardest Hit By Layoffs In 2015
7 Tech Jobs Hardest Hit By Layoffs In 2015
(Click image for larger view and slideshow.)

The Federal Communications Commission on Monday said it has reached an agreement with Verizon Wireless to settle charges that it employed an online advertising identifier without the knowledge or consent of customers.

There's no agreement, however, about how to identify the identifier. The FCC maintains Verizon Wireless inserted "unique identifier headers or so-called 'supercookies' into its customers' mobile Internet traffic" for the purpose of delivering targeted ads.

Verizon chief privacy officer Karen Zacharia in a blog post insists the company's unique identifier header (UIDH) "is not a 'supercookie.' It's not a cookie at all. Cookies are placed and stored on devices. The UIDH is a piece of data included in the header of certain Internet traffic."

Zacharia's definition is conveniently narrow. Cookies exist as fixed files associated with Web browsers, but they don't cease to exist when transmitted as data across a network through an HTTP response. According to the Internet Engineering Task Force (IETF), cookies are simply "name/value pairs and associated metadata." What makes them meaningful in a privacy context is their potential use as a unique identifier, whether that identifier is defanged with cutesy language ("cookie"), made obtuse through abbreviation ("UIDH"), or made threatening through size ("supercookie").

The Electronic Frontier Foundation describes the UIDH thus: "The X-UIDH header effectively reinvents the cookie, but does so in a way that is shockingly insecure and dangerous to your privacy."

Regardless of the relevant terminology, Verizon has agreed to pay $1.35 million to settle the FCC's complaint. It has also agreed to obtain customer opt-in consent before it shares a customer's UIDH with a third-party advertising service.

The penalty amounts to about 0.0015% of the $91.7 billion revenue reported by Verizon Wireless in 2015.

According to the FCC, Verizon began inserting UIDH data into consumer Internet traffic around December 2012 and failed to disclose the practice until October 2014. In a list of FAQs subsequently posted on its website, Verizon said, "It is unlikely that sites and ad entities will attempt to build customer profiles for online advertising or any other purpose using the UIDH."

Are you prepared for a new world of enterprise mobility? Attend the Wireless & Mobility Track at Interop Las Vegas, May 2-6. Register now!

Yet, as the FCC notes in its consent decree through the citation of a ProPublica investigation, Verizon ad partner Turn did use Verizon's unique identifier to track the online activities of Verizon customers on their mobile devices.

"Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they're doing online," said FCC Enforcement Bureau chief Travis LeBlanc, in a statement. "Privacy and innovation are not incompatible."

Zacharia meanwhile defends the need for online advertising and observes that at least Verizon lets customers opt out. "Most of the other leading ad IDs, including those that Google and Apple use, are sent even when customers don't want to be in the advertising program," she said.