Researchers have spotted an advertising agency using Verizon’s indestructible cookies to silently track people across the internet.
Back in 2012, Verizon started injecting a "unique identifier token header" (UIDH) into each HTTP request sent through its mobile data network; these identifiers are unique to each subscriber and look something like this:
When your handheld or computer browses a website via Verizon, its requests for all the content on the page – including the ads – are stamped with that identifier. When you move to the next site, again, your requests for the ads are marked with that string. Over time, ad networks – and any companies serving content for multiple sites – can gradually get an idea of the websites you like visiting, and thus show you so-called relevant adverts.
Clearing your cookie cache won’t get rid of this header, since it is added after your browser opens a connection.
To make matters worse privacy-wise, the UIDH is injected irrespective of whether or not the subscriber opts out of Verizon's ad-tracking program. Those who choose not to participate still get the marker stamped on their HTTP requests.
Obviously, the opt out doesn’t stop others taking advantage of the headers. Stanford security and law researcher Jonathan Mayer has spotted online advertising agency Turn is recording UIDHs for its advertising campaigns.
When you visit a website serving a Turn ad, the agency's servers identify the visitor, and hold an auction with advertisers: they have milliseconds to put in the highest bid to appear in the slot. Turn leaves cookies on visitors' machines so it can track your activities across the web.
In December, Mayer built a web-crawler using PhantomJS that browsed through websites, added a spoofed UIDH to each request, and deleted any collected cookies after each visit. Whenever he hit a Turn-served ad, Turn would send over the same identifying cookie again, rather than generating a new one each time, suggesting it was recognizing the UIDH.
This would mean Turn is keeping a database of seen Verizon-injected headers, linked against its own identifying cookies, so it can still recognize netizens even after they had deleted their Turn cookies.
What's more, the Turn ID cookie was shared with other ad networks, so-called cookie syncing – allowing greater tracking across the web.
“In my crawl, Turn’s zombie cookie was sent to or from over thirty other businesses. They included Google, Facebook, Yahoo, Twitter, Walmart, and WebMD,” he explained.
“How those firms use Turn’s ID, I can’t say — it’s entirely possible that some unknowingly tracked users with a zombie value. They certainly possessed sufficient information. It’s especially likely for businesses that dropped their own tracking cookie with Turn’s ID.”