Verizon Wireless Customers Face 'Zombie Cookies' - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile // Mobile Devices
06:30 PM
Connect Directly

Verizon Wireless Customers Face 'Zombie Cookies'

Cookie files placed on the phones of Verizon Wireless customers by the ad company Turn return to life even after they've been deleted.

 8 Biggest Tech Disappointments Of 2014
8 Biggest Tech Disappointments Of 2014
(Click image for larger view and slideshow.)

If you're a Verizon Wireless customer, you may have a zombie tracking you. Or, more specifically, a "zombie cookie" in your mobile browser.

This cookie contains an identifier that assists Verizon's advertising partner Turn in the delivery of targeted mobile advertising. Through information provided by Verizon, Turn can restore this cookie even after you've cleared it from your browser.

Verizon Wireless makes Turn's persistent identifier possible by sending an HTTP header called X-UIDH to every unencrypted website visited by Verizon Wireless customers.

[Want more on phone security? Read Millions Of Android Phones In China Have Backdoor.]

Verizon Wireless customers who might be inclined to seek privacy should not do so in commonly accepted ways. Rather, they're advised to do so only in ways accepted by the online advertising industry.

That's Turn's recommendation for dealing with what the security researcher Jonathan Mayer calls a "zombie cookie" and Turn calls simply a UID (user identification) cookie.

On Wednesday, Mayer published an analysis of the "Turn-Verizon zombie cookie," in which he cast doubt on the legality of the two companies' advertising practices and asserted widespread collateral damage to the privacy of Internet users.

As far as Turn is concerned, clearing cookies from one's browser doesn't qualify as an acceptable expression of one's desire for privacy. Nor does activating a browser's privacy mode or enabling a browser's Do Not Track setting.

To opt out, users must take it upon themselves to visit the Turn website, the Network Advertising Initiative website, or the Digital Advertising Alliance website.

In his analysis, Mayer contended that these opt-out mechanisms don't really work. Verizon's opt-out mechanism, he said, prevents Verizon from passing along additional customer information but leaves the UIDH identifier intact. Turn's opt-out mechanism appeared to work, but upon clearing his brower state and revisiting the websites that initially spawned the cookie, he found that the cookie had been restored.

A Federal Trade Commission spokesperson declined to comment.

Jacob Hoffman-Andrews, senior staff technologist with the Electronic Frontier Foundation, wrote in a blog post: "This ongoing privacy fiasco reinforces how dangerous it is for ISPs to use their network control to impose non-standard new tracking methods on their customers."

Verizon didn't immediately respond to a request for comment.

Max Ochoa, Turn's general counsel and chief privacy officer, responded to Mayer's findings via a blog post, insisting that the company respects consumers' opt-out choices and disagreeing with Mayer's characterization of the company's approach.

"When a consumer opts out -- either through the industry standard tools provided by the DAA or the NAI, or through Turn's own opt-out -- the record of that choice is preserved on Turn's servers," Ochoa said in his blog. "Subsequently, when Turn receives a bid request associated with that cookie or UID, Turn will see the opt-out flag associated with that ID and will never submit a bid for an online behavioral advertising (OBA) campaign."

In his blog post, Ochoa wrote that Turn does not store or use "any generally recognizable personally identifiable information" such as email addresses or credit card numbers in relation to its services.

However, Turn does store unique persistent identifiers associated with Verizon Wireless customers, and any of the dozens of other advertising companies with access to Turn's unique identifiers, including Facebook, Google, Twitter, and Yahoo, can associate such identifiers with profiles in their own databases.

According to Mayer, ad blocking software offers some protection but might not be easily available on some mobile devices. He recommends a VPN as the only viable way presently to avoid tracking.

Apply now for the 2015 InformationWeek Elite 100, which recognizes the most innovative users of technology to advance a company's business goals. Winners will be recognized at the InformationWeek Conference, April 27-28, 2015, at the Mandalay Bay in Las Vegas. Application period ends Jan. 16, 2015.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
1/17/2015 | 2:08:32 PM
Not a winning strategy
This is kind of creepy. Why do companies think this is a good idea? People tend to get bent out of shape when their privacy is concerned, especially if, say, their kids are using phones too. I can't imagine the short term gains of selling a few more things is going to outweigh the long term violation of trust going on here.
User Rank: Ninja
1/17/2015 | 12:28:53 AM
It's only software
This isn't some magical spell. There must be a way to find, and remove this. Here is where companies like Symantic and others would do us a service. The OS companies could also figure this out.
Charlie Babcock
Charlie Babcock,
User Rank: Author
1/15/2015 | 7:32:20 PM
Where's the Zombie hunters when you need them?
Good discussion, Tom, on how Turn and Verizon pose as protecting your privacy when in fact they collaborate to violate it. I also liked Pro Publica's Julia Angwin:
CIOs Face Decisions on Remote Work for Post-Pandemic Future
Joao-Pierre S. Ruth, Senior Writer,  2/19/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
CRM Trends 2021: How the Pandemic Altered Customer Behavior Forever
Jessica Davis, Senior Editor, Enterprise Apps,  2/18/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll