Verizon Wireless Settles FCC 'Supercookie' Complaint - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile // Mobile Devices
08:06 AM
Connect Directly

Verizon Wireless Settles FCC 'Supercookie' Complaint

For failing to inform customers about its ad tracking identifier, the telecom company must pay a $1.35 million fine, a tiny fraction of its annual revenue.

7 Tech Jobs Hardest Hit By Layoffs In 2015
7 Tech Jobs Hardest Hit By Layoffs In 2015
(Click image for larger view and slideshow.)

The Federal Communications Commission on Monday said it has reached an agreement with Verizon Wireless to settle charges that it employed an online advertising identifier without the knowledge or consent of customers.

There's no agreement, however, about how to identify the identifier. The FCC maintains Verizon Wireless inserted "unique identifier headers or so-called 'supercookies' into its customers' mobile Internet traffic" for the purpose of delivering targeted ads.

Verizon chief privacy officer Karen Zacharia in a blog post insists the company's unique identifier header (UIDH) "is not a 'supercookie.' It's not a cookie at all. Cookies are placed and stored on devices. The UIDH is a piece of data included in the header of certain Internet traffic."

Zacharia's definition is conveniently narrow. Cookies exist as fixed files associated with Web browsers, but they don't cease to exist when transmitted as data across a network through an HTTP response. According to the Internet Engineering Task Force (IETF), cookies are simply "name/value pairs and associated metadata." What makes them meaningful in a privacy context is their potential use as a unique identifier, whether that identifier is defanged with cutesy language ("cookie"), made obtuse through abbreviation ("UIDH"), or made threatening through size ("supercookie").

(Image: Aziko25 via Pixabay)

(Image: Aziko25 via Pixabay)

The Electronic Frontier Foundation describes the UIDH thus: "The X-UIDH header effectively reinvents the cookie, but does so in a way that is shockingly insecure and dangerous to your privacy."

Regardless of the relevant terminology, Verizon has agreed to pay $1.35 million to settle the FCC's complaint. It has also agreed to obtain customer opt-in consent before it shares a customer's UIDH with a third-party advertising service.

The penalty amounts to about 0.0015% of the $91.7 billion revenue reported by Verizon Wireless in 2015.

According to the FCC, Verizon began inserting UIDH data into consumer Internet traffic around December 2012 and failed to disclose the practice until October 2014. In a list of FAQs subsequently posted on its website, Verizon said, "It is unlikely that sites and ad entities will attempt to build customer profiles for online advertising or any other purpose using the UIDH."

Are you prepared for a new world of enterprise mobility? Attend the Wireless & Mobility Track at Interop Las Vegas, May 2-6. Register now!

Yet, as the FCC notes in its consent decree through the citation of a ProPublica investigation, Verizon ad partner Turn did use Verizon's unique identifier to track the online activities of Verizon customers on their mobile devices.

"Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they're doing online," said FCC Enforcement Bureau chief Travis LeBlanc, in a statement. "Privacy and innovation are not incompatible."

Zacharia meanwhile defends the need for online advertising and observes that at least Verizon lets customers opt out. "Most of the other leading ad IDs, including those that Google and Apple use, are sent even when customers don't want to be in the advertising program," she said.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
3/10/2016 | 9:14:04 AM
Re: Take a page from the EU
I wish the US would take another page out of the EU privacy laws and allow people to have their names omitted from searches. It really is scary how people have no control of information about them once it gets to the internet.
Pablo Valerio
Pablo Valerio,
User Rank: Ninja
3/9/2016 | 8:57:21 AM
Take a page from the EU
Tom, the FCC should take a look at the EU privacy directive, and look for fines of 10% of the global annual tunrover of the company. That is the only way the rules are enforced.
Why 2021 May Turn Out to be a Great Year for Tech Startups
John Edwards, Technology Journalist & Author,  2/24/2021
How GIS Data Can Help Fix Vaccine Distribution
Jessica Davis, Senior Editor, Enterprise Apps,  2/17/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll