Verizon Wireless Customers Face 'Zombie Cookies' - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile // Mobile Devices
06:30 PM
Connect Directly

Verizon Wireless Customers Face 'Zombie Cookies'

Cookie files placed on the phones of Verizon Wireless customers by the ad company Turn return to life even after they've been deleted.

 8 Biggest Tech Disappointments Of 2014
8 Biggest Tech Disappointments Of 2014
(Click image for larger view and slideshow.)

If you're a Verizon Wireless customer, you may have a zombie tracking you. Or, more specifically, a "zombie cookie" in your mobile browser.

This cookie contains an identifier that assists Verizon's advertising partner Turn in the delivery of targeted mobile advertising. Through information provided by Verizon, Turn can restore this cookie even after you've cleared it from your browser.

Verizon Wireless makes Turn's persistent identifier possible by sending an HTTP header called X-UIDH to every unencrypted website visited by Verizon Wireless customers.

[Want more on phone security? Read Millions Of Android Phones In China Have Backdoor.]

Verizon Wireless customers who might be inclined to seek privacy should not do so in commonly accepted ways. Rather, they're advised to do so only in ways accepted by the online advertising industry.

That's Turn's recommendation for dealing with what the security researcher Jonathan Mayer calls a "zombie cookie" and Turn calls simply a UID (user identification) cookie.

On Wednesday, Mayer published an analysis of the "Turn-Verizon zombie cookie," in which he cast doubt on the legality of the two companies' advertising practices and asserted widespread collateral damage to the privacy of Internet users.

As far as Turn is concerned, clearing cookies from one's browser doesn't qualify as an acceptable expression of one's desire for privacy. Nor does activating a browser's privacy mode or enabling a browser's Do Not Track setting.

To opt out, users must take it upon themselves to visit the Turn website, the Network Advertising Initiative website, or the Digital Advertising Alliance website.

In his analysis, Mayer contended that these opt-out mechanisms don't really work. Verizon's opt-out mechanism, he said, prevents Verizon from passing along additional customer information but leaves the UIDH identifier intact. Turn's opt-out mechanism appeared to work, but upon clearing his brower state and revisiting the websites that initially spawned the cookie, he found that the cookie had been restored.

A Federal Trade Commission spokesperson declined to comment.

Jacob Hoffman-Andrews, senior staff technologist with the Electronic Frontier Foundation, wrote in a blog post: "This ongoing privacy fiasco reinforces how dangerous it is for ISPs to use their network control to impose non-standard new tracking methods on their customers."

Verizon didn't immediately respond to a request for comment.

Max Ochoa, Turn's general counsel and chief privacy officer, responded to Mayer's findings via a blog post, insisting that the company respects consumers' opt-out choices and disagreeing with Mayer's characterization of the company's approach.

"When a consumer opts out -- either through the industry standard tools provided by the DAA or the NAI, or through Turn's own opt-out -- the record of that choice is preserved on Turn's servers," Ochoa said in his blog. "Subsequently, when Turn receives a bid request associated with that cookie or UID, Turn will see the opt-out flag associated with that ID and will never submit a bid for an online behavioral advertising (OBA) campaign."

In his blog post, Ochoa wrote that Turn does not store or use "any generally recognizable personally identifiable information" such as email addresses or credit card numbers in relation to its services.

However, Turn does store unique persistent identifiers associated with Verizon Wireless customers, and any of the dozens of other advertising companies with access to Turn's unique identifiers, including Facebook, Google, Twitter, and Yahoo, can associate such identifiers with profiles in their own databases.

According to Mayer, ad blocking software offers some protection but might not be easily available on some mobile devices. He recommends a VPN as the only viable way presently to avoid tracking.

Apply now for the 2015 InformationWeek Elite 100, which recognizes the most innovative users of technology to advance a company's business goals. Winners will be recognized at the InformationWeek Conference, April 27-28, 2015, at the Mandalay Bay in Las Vegas. Application period ends Jan. 16, 2015.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Charlie Babcock
Charlie Babcock,
User Rank: Author
1/15/2015 | 7:32:20 PM
Where's the Zombie hunters when you need them?
Good discussion, Tom, on how Turn and Verizon pose as protecting your privacy when in fact they collaborate to violate it. I also liked Pro Publica's Julia Angwin:
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll