Twitter's MoPub ad exchange grabs Verizon tracking cookies, and more may follow

The privacy and security critics were right: Third-parties can and are using Verizon's UIDH strings for their own purposes.

Earlier this week we told you privacy and security critics were concerned about how Verizon inserts unblockable cookies into HTTP requests sent via the company's wireless network. One of the major concerns was that other companies might use this identifier, called a UIDH, and potentially build a dossier on a user's web usage.

Well, it turns out privacy critics were right to be concerned, because it looks like other advertising companies are using the identifier. MoPub, a mobile advertising exchange acquired by Twitter in September 2013, uses Verizon's UIDH as one of several ways to deliver advertising to a device, as first reported by ProPublica.

In its privacy policy, MoPub says its services are designed to avoid collecting personally identifying information about users. However, the company also warns, "the information we collect does enable us to recognize your device over time."

Why this matters: Whether or not you find it concerning that MoPub is using Verizon's identifier, it automatically begs the question of how many other advertising networks are using this identifier. Not all advertising networks are owned by a reputable company and may be less scrupulous about using the UIDH to track and identify users.

Tip of the iceberg

Earlier this week, Verizon told PCWorld that it changes each device's UIDH "on a regular basis to prevent third parties from building profiles" with it. The company did not specify how often it changes the UIDH.

But advertising companies creating user profiles may not be the biggest problem.

As pointed out in other reports following the Verizon UIDH news, AT&T also had a program that inserted a unique identifier into users' web traffic. That program has since been discontinued, but AT&T told ProPublica it is now testing inserting identifiers for a potential new program.

AT&T and Verizon aren't the only ones. Vodafone in Britain is also inserting headers, ProPublic says.

The bigger issue may not be whether advertisers build dossiers on users with these identifying codes, but whether we find it acceptable for carriers to tamper with HTTP requests traveling across their wireless networks.

As we reported earlier this week, you can prevent UIDH tracking on Verizon when using the company's wireless network. You could connect to sites you visit via SSL (HTTPS) or by connecting to the Internet through a virtual private network.

Join the CSO newsletter!

Error: Please check your email address.

Tags advertisingsecurityverizontwitterinternetprivacy

More about VerizonVodafone

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ian Paul

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place