Twitter's MoPub ad exchange grabs Verizon tracking cookies, and more may follow

The privacy and security critics were right: Third-parties can and are using Verizon's UIDH strings for their own purposes.

Earlier this week we told you privacy and security critics were concerned about how Verizon inserts unblockable cookies into HTTP requests sent via the company's wireless network. One of the major concerns was that other companies might use this identifier, called a UIDH, and potentially build a dossier on a user's web usage.

Well, it turns out privacy critics were right to be concerned, because it looks like other advertising companies are using the identifier. MoPub, a mobile advertising exchange acquired by Twitter in September 2013, uses Verizon's UIDH as one of several ways to deliver advertising to a device, as first reported by ProPublica.

In its privacy policy, MoPub says its services are designed to avoid collecting personally identifying information about users. However, the company also warns, "the information we collect does enable us to recognize your device over time."

Why this matters: Whether or not you find it concerning that MoPub is using Verizon's identifier, it automatically begs the question of how many other advertising networks are using this identifier. Not all advertising networks are owned by a reputable company and may be less scrupulous about using the UIDH to track and identify users.

Tip of the iceberg

Earlier this week, Verizon told PCWorld that it changes each device's UIDH "on a regular basis to prevent third parties from building profiles" with it. The company did not specify how often it changes the UIDH.

But advertising companies creating user profiles may not be the biggest problem.

As pointed out in other reports following the Verizon UIDH news, AT&T also had a program that inserted a unique identifier into users' web traffic. That program has since been discontinued, but AT&T told ProPublica it is now testing inserting identifiers for a potential new program.

AT&T and Verizon aren't the only ones. Vodafone in Britain is also inserting headers, ProPublic says.

The bigger issue may not be whether advertisers build dossiers on users with these identifying codes, but whether we find it acceptable for carriers to tamper with HTTP requests traveling across their wireless networks.

As we reported earlier this week, you can prevent UIDH tracking on Verizon when using the company's wireless network. You could connect to sites you visit via SSL (HTTPS) or by connecting to the Internet through a virtual private network.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags privacyinternetadvertisingtwitterverizon

More about VerizonVodafone

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ian Paul

Latest Videos

More videos

Blog Posts