Verizon is Tracking Mobile Users Online, Researcher Says

Verizon Wireless is using cookie-like tokens that let advertisers track customers on the Web so they can serve targeted ads

Verizon Wireless, the largest wireless carrier in the United States, has been quietly adding little bits of code, or "tokens," to data requests made via mobile devices on its network for at least two years. The tokens let advertisers build profiles of users' Web activities and deliver targeted ads. The ads, in turn, generate revenue that Verizon shares via partnerships.

The tactics savvy consumers use with their desktop browsers to control cookies -- cookie blockers, cache clearing and incognito modes -- do not disable the Verizon tokens, according to Jacob Hoffman-Andrews, a researcher with the Electronic Frontier Foundation (EFF).

Verizon says the data doesn't contain personal information so advertisers don't know customers' identities. The company also says customers can opt out of the "Relevant Mobile Advertising" program.

However, the tokens, known as a Unique Identifier Headers (UIDH) cannot be turned off, and they broadcast themselves to every website the user visits, Hoffman-Andrews says. "All the opt-out means is that if a Verizon partner requests demographic data about a given header value, Verizon will not provide it. Third parties can continue to do whatever tracking they like," he says.

Verizon spokeswoman Debra Lewis says Hoffman-Andrews is incorrect. "If/when a customer opts out of Relevant Mobile Advertising via their privacy choices, while they may still see the dynamic identifier, there is NO information associated with the ID and therefore, no ability to use it for advertising purposes. Customers can choose not to participate in the program by going to their privacy choices page on MyVerizon or by calling 866-211-0874," Lewis wrote in an email.

Even if Verizon does not itself use the UIDHs to track its customers, advertisers do, according to Hoffman-Andrews. "Third parties, unrelated to Verizon, can use it for their own tracking," he says. "It's as if Verizon implemented a new cookie mechanism for all of their customers, but one that is shockingly insecure."

Verizon uses the term 'Precision ID" to describe the tracking to advertisers, and the company explains it in this PDF. (Hat tip to Robert Lemos at ArsTechnica for finding the document.)

Do other carriers use the same technology? It's not clear. Hoffman-Andrews says researchers have seen similar code on phones from AT&T and Sprint, but not from T-Mobile. I reached out to all three companies but have not received answers. I'll update this post if I do.

Given the focus on privacy today, it's surprising that Verizon's user tracking went unnoticed for so long. "This type of network interference is extremely hard to notice. Because the modification happens after requests leave your phone, nothing on your phone can detect it," Hoffman-Andrews says. Verizon's UIDH use was initially discovered by other EFF technologists.

It's worth noting that Verizon is not just tracking users, but actually modifying the website requests the users' phones make, a tactic that merits the term chutzpah, in my opinion. As Hoffman-Andrews put it: "Verizon is paid by its customers to serve as a trusted connection to the Internet. They should not violate that trust by modifying their customers' traffic without explicit consent."

At the very least, and I'm being generous here, Verizon should have disclosed this practice a long time ago. Instead, it waited for whistleblowers to ferret it out.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityVerizon WirelessElectronic Frontier Foundationprivacy

More about CustomersEFFElectronic Frontier FoundationPrecisionSprintT-MobileVerizonVerizon Wireless

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Bill Snyder

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts