Online advertising agency Turn has promised to stop using repurposed Verizon undeletable cookies to track people's online habits and sell them stuff.
For the last couple of years Verizon has been injecting a "unique identifier token header" (UIDH) into HTTP requests sent by customers online. It then sells that data to advertisers, unless customers opt out of the scheme.
Even then the UIDH code is still included – Verizon just promises not to use the data it collects. But because the UIDH is injected at a network level, conventional cookie deletions won't kill off the code.
Last week research from Stanford graduate student Jonathan Mayer showed that Turn, a San Francisco-based advertising agency with customers like Google and Yahoo!, has found a way to inject its own code into the UIDH and then use the software to harvest data on Verizon customers, whether they like it or not.
The discovery sent the ad agency into firefighting mode. Turn insisted it was doing nothing wrong and that internet users could still opt out if they applied to Turn directly (although testing revealed some problems with this) or via national advertising agency 'Do not track' lists. But now Turn has backed down.
"We have heard the concerns and are actively re-evaluating this method," said Turn's chief privacy officer Max Ochoa in a blog post.
"We have begun work to suspend the re-association of a Turn cookie ID with a Verizon UIDH. By early February Turn will not 'respawn' cookie IDs associated with the Verizon UIDH."
That's not to say Verizon customers can relax. The EFF, which anticipated these problems, thinks that other advertising agencies, and other firms, will be using Verizon's indestructible software in the future.