Verizon Wireless sells out customers with creepy new tactic

http://www.latimes.com/business/la-fi-lazarus-20140425,0,5339459,full.column

Note: I found some earlier reports of this from February 2014, but I don't see it mentioned here. FWIW, I think this is the Verizon Wireless notice they are referring to, which contains links to more info including supposed opt-out instructions (plained given the subject, take precautions):

https://www.verizonwireless.com/support/information/relevant-mobile-ad.html

 

Seriously, wow. They are a prime contender for worst ISP ever.

EDIT: Posting here works now, jay

 

The free unregulated market will correct itself. Im not too worried.

 

Glad you finally made it. Check your beverage transport folder... I owe folks some beers

I long time ago I remember reading, with surprise, that some telephone companies wanted to... and IIRC some had actually started to... share calling related information with businesses. The context was something like: they monitor the types of businesses you call, which gives them information about your interests, then they turn around and sell your telephone number info to other businesses who would want to compete for your business. As I remember it, this ended up in front of a regulatory committee and they put the kibosh on that idea. Long time ago though, and once when I tried to refind info on the subject I couldn't.

Here's a case of a telecom company trying to work around it, but I think it best not to acquire bundled services from one and hand them info on a silver platter. The triple play type deals are attractively priced at times, but I truly don't think you can miniature t trust any of the big players in the telco/cable space. Small ones, maybe... wasn't it one or more of those that challenged national security letters?

 

Verizon Wireless injects identifiers that link its users to Web requests | Ars Technica

 

Remember Phorm UK? How customers and others rallied against it and BT, Virgin, TalkTalk to protect their Internet connection?

http://www.adexchanger.com/data-exc...e-now-a-deep-dive-on-verizons-data-practices/

http://precisionmarketinsights.com

https://www.reddit.com/r/privacy/comments/2k2nhs/verizon_injecting_unique_id_in_http_headers_even/

 

This "Precision ID" sounds very much like an ETag.

 

One could draw parallels to certain types/uses of ETags. However, a user can directly manipulate/block those on the client side. A PrecisionID inserted into outbound traffic by Verizon is beyond the user's reach and direct control. Here, the context is traffic routed over their Wireless network. What's to stop them from doing the same with wired connections?

From the sound of it, Verizon is intending to go all in. As in not only leverage its own visibility into the lives of Verizon customers (using information datamined from all services I'd imagine), but through relationships with data brokers, etc append externally collected information to expand and improve its database. Since Verizon will be allowing other companies API access to its database, I think we'd say that Verizon is now a data broker of sorts. Given that it has set out on such a course, and cross-device/context tracking is a key objective, I suspect it is only a matter of time until wired connections are explicitly targeted in some way. If not separate identifier, then IP Address based API queries. How sticky are FIOS IP Addresses, btw? Can you force them to change?

Is there any way to inject identifiers into HTTPS traffic? People who haven't taken extra steps to protect themselves from mixed-content would be vulnerable. I'm talking about pure HTTPS scenarios. Since this is basically a "rogue ISP passes unique identifiers to rogue websites" scenario, we'd have to consider any/all means of injecting such identifiers even those that would deviate from the norm.

 

Using VPNs and/or Tor from VMs will sidestep this, right? Although Verizon can certainly tag the outbound traffic to the VPN server or Tor entry guard, there won't be any association with tunneled traffic.

 

It would depend on what specifically is inserting the PrecisionID into the headers. On Windows (and linux when used with Wine) with apps that can use proxy settings such as browsers, Proxomitron could remove such identifiers from outbound headers. On tablets and phones, if it's the OS or the radio component, I'm not sure that much can be done.

 

I'm inclined to think so, but open to thoughts as to where it might fall short. Thinking out loud...

• If there was a Verizon provided component on the client side, it might be able to do its own ID retrieval and injection. So I think you'd want to completely avoid Verizon hardware, software, apps, etc at least to be on the safe side.
• In one of those articles it was mentioned that they want to match their own ID to the IDs used by other companies (Apple, Google, Facebook, etc). So I think users would have to be extra, extra careful about avoiding even one brief slip up.
• I don't know that avoiding the PrecisionID mechanism would assure that you are safe. The main problem is that Verizon is willing stoop to such levels generally, and in most cases it would still have access to information (TV viewing, voice calls, non-VPN/TOR traffic). We really don't know what it is willing to do, and will do in the future. Theoretically, someone might VPN their way around the PrecisionID to access an account at website/corporation X. Verizon might have or create an API that X could use to lookup information based on something other than PrecisionID (telephone number provided for 2FA, name, address, whatever).

 

The descriptions I saw suggested that the insertion is being done somewhere within the Verizon network and external to the client device. Thus the nature of my response to you. However, your point is certainly valid... it depends on how/where it is done. Perhaps things will become clearer in the days ahead.

FWIW, I think someone reported that they visited a site that displays browser headers and: 1) The ID was displayed when they were using the cell network, 2) The ID wasn't displayed when they were using a WiFi connection. I don't remember where I saw that, I don't recall them saying whether they tested both HTTP and HTTPS, I don't recall them saying if the WiFi connection went through Verizon. Perhaps some people here are in a position to test things. I'm not.

http://browserspy.dk/headers.php
https://www.browserleaks.com/whois
http://www.xhaus.com/headers
http://andylangton.co.uk/tools/check-browser-headers
http://www.httpdebugger.com/Tools/ViewBrowserHeaders.aspx

 

Verizon's 'Perma-Cookie' Is a Privacy-Killing Machine | WIRED

 

Vodafone in the Netherlands does it as well.

http://lessonslearned.org/sniff



Somebody’s Already Using Verizon’s ID to Track Users

https://www.propublica.org/article/somebodys-already-using-verizons-id-to-track-users

 

I find the Twitter/MoPub advertising system documentation, linked to by the ProPublica article, disturbing. For it appears to describe an advertising exchange where bid requests... which contain information about the client-device and user... are sent to multiple, potentially numerous, parties.

I think one of the examples shows such a request that contains both an Apple IDFA and Verizon UIDH. Do you think there could be a problem if the user reset their Apple ID for Advertisers while the Verizon UIDH remained constant, or the Verizon UIDH changed while the Apple IDFA remained constant?

Given that carriers/ISPs could selectively insert unique identifiers and/or other information based on destination server (only send something when traffic goes to a Non-Disclosure Agreement signing partner for example), and that such traffic & data-sharing would be invisible to users in general, this is mighty risky business.

 

The Privacy Lowdown On Verizon and AT&T's Smartphone 'Permacookies'
(AT&T experimenting with smartphone supercookie as well)

http://www.forbes.com/sites/kashmir...acy-lowdown-on-verizon-and-atts-permacookies/

 

So the take-away here is that you have to downgrade your ISP to a VPN pipe, just like untrusted WLAN. Which is more or less what it's become - absurd.

Incidentally, it doesn't have to be obvious header modification for an ISP to know information about your viewing and selling that on via an out-of-band mechanism - passive monitoring with packet inspection will do, e.g. back in the mid 90s I did a Netflow project for a major ISP on their Cisco routers.

 

@moderator: perhaps the thread title could be changed to reflect the fact that more than Verizon users may be affected.

 

Has anyone here done their own testing to answer questions such as:

1. Is the same Verizon X-UIDH sent to different servers/sites?
2. Is the same Verizon X-UIDH sent when using different mobile devices tied to the same account?
3. Is the same Verizon X-UIDH sent when the device is assigned different IP Addresses?
4. Does toggling airplane mode, power cycling the phone, etc cause the Verizon X-UIDH to change?
5. Are there separate fields within the (supposedly Base-64 encoded) X-UIDH header? Can you correlate them with anything? Under what circumstances do they change?

If so, I for one would like to hear what they found.

Does anyone here know Verizon mobile device features/apps well enough to say which could compromise a VPN connection, WiFi connection, etc by phoning home another unique identifier or logging into a Verizon account? In light of the original topic (connecting web browsing activity on a desktop computer to mobile device activity), the interest in correlating IDs used by other companies and appending data from third parties, etc I'm inclined to think that users would ultimately want/need thorough isolation from Verizon networks/services. I've heard a number of people say they've started using a VPN, but none mentioned additional precautions to assure that they won't allow identifiable communications with Verizon while using that VPN.

Does anyone here know if there are Verizon mobile device features/apps that don't honor VPN settings?

 

http://www.washingtonpost.com/wp-dyn/content/article/2008/09/25/AR2008092504135.html

 

Verizon Injecting Perma-Cookies to Track Mobile Customers, Bypassing Privacy Controls | Electronic Frontier Foundation

 

"Verizon, AT&T tracking their users with ‘supercookies’

Washington Post, 11/3/14, 7:36PM EST

Verizon and AT&T have been quietly tracking the Internet activity of more than 100 million cellular customers with what critics have dubbed “supercookies” — markers so powerful that it’s difficult for even savvy users to escape them.

The technology has allowed the companies to monitor which sites their customers visit, cataloging their tastes and interests. Consumers cannot erase these supercookies or evade them by using browser settings, such as the “private” or “incognito” modes that are popular among users wary of corporate or government surveillance.............

One civil liberties group, the Electronic Frontier Foundation, says it has raised its concerns with the Federal Communications Commission and is contemplating formal legal action to block Verizon. AT&T’s program is not as advanced and, according to the company, is still in testing.

The stakes are particularly high, privacy advocates say, because Verizon’s experimentation with supercookies is almost certain to spur copycats eager to compete for a larger share of the multibillion-dollar advertising profits won by Google, Facebook and others.............

The potential legal issues, experts say, stem in part from the Communications Act, which prohibits carriers from revealing identifying information about their customers or helping others to do so. That is at the heart of complaints by the foundation, which is contemplating a lawsuit or other action to stop Verizon, said one of the group’s lawyers, Nate Cardozo.

Also potentially at issue is the federal Wiretap Act, which prohibits altering personal communications during transmission without consent or a court order.....................................................

Full story here: http://www.washingtonpost.com/busin...bbf382-6395-11e4-bb14-4cfea1e742d5_story.html

"Privacy"? What was that?

 

I can verify that this is in fact in place. I use the SIM card of my phone which has unlimited data in my iPad, because tethering from it is more reliable, and faster than the tethering app on my android device. Both devices receive the packet header.

When I employ a VPN, the headers are removed though. So for as long as VPN software remains legal, and available I will use it. With "piracy" and "safety" being keywords though, I have no doubt that at some point VPN's themselves, and VPN (at least end users such as persons, not corporations) may find that they will be more scrutinized or regulated by the powers that be.

From what I understand also, this is going to be implemented by most of the other carriers, and very well could be a good precursor of things to come from the other wireline monopolized carriers. Ironically, I've been doing a lot of reading about mesh networks at the university I attend as a different form of access to the net, or creating an interweb which is not as easily controlled.

 

Verizon should partner with other companies to offer "freebies". When the "who doesn't love freebies?" types take advantage of the offers, Verizon and partners could use that opportunity to connect ids and/or other information they have about each consumer. They could call it "the day we connect information about you", or something like that.

 

I have my own complaint about my former boss, Verizon. As a retiree, I get a concession to lessen my bill. It's a flat rate for only the calls I make. If I don't make any toll calls or long distance calls over a months time, my bill could be $3. Then they add on a $2.99 charge for the privilege of having long distance capability.Then at the bottom of the bill are the other charges which total $3.90. Now the bill is $9.91. I say this in pity for you folks who are paying for a lot more.