In a startling revelation, the Electronic Frontier Foundation (EFF) has claimed that mobile operator Verizon Wireless is tracking its mobile users’ internet habits by injecting a cookie-like tracker at the network level without end users’ knowledge, allegedly to expand its advertising program, and in doing so bypassing privacy controls completely.
EFF claims that this cookie-like tracker, included in an HTTP header called X-UIDH, “is sent to every unencrypted website a Verizon customer visits from a mobile device.” EFF further adds that using this particular tracker, third-party advertisers and websites are able to “assemble a deep, permanent profile of visitors’ web browsing habits without their consent”.
EFF further claims that the tracking remains effective even when users browse in private browsing mode or clear their cookies, and that there is no way for users to switch this feature off. Verizon does provide an opt-out option that lets individual users disable tracking, but it doesn’t cover the header injection mechanism that Verizon is using.
EFF has provided links that Verizon users can use to check whether the operator is injecting the header into their traffic: http://lessonslearned.org/sniff and http://www.amibeingtracked.com/. Users need to visit these links over a cellular data connection.
EFF is concerned over two aspects of this particular mechanism: 1) the manner in which Verizon is using the header; and 2) the information that it allows third-party advertisers and websites to gather about visitors.
How does this mechanism work?
According to EFF, the X-UIDH tracking mechanism functions much like a cookie. The key difference is that Verizon adds it at the network level, while the traffic is in transit between the user’s device and the servers, which is something users can’t control.
Users are completely blind to the new tracking mechanism and can’t change its behaviour in the device’s browser settings. Even if users have a habit of clearing their cookies before and after their browsing sessions, the X-UIDH header remains unchanged. Why is this unchanged? EFF claims that the header is tied to the data plan that users opt for, which allows advertisers to build profiles based on X-UIDH.
So, even if users clear their cookies, “ad networks can immediately assign new cookies and link them to the cleared cookies using the unchanged X-UIDH value”, notes EFF.
The seriousness of the issue doesn’t end here. The X-UIDH header not only bypasses built-in browser privacy mechanisms, but is also shared across all unencrypted websites a user visits, thereby allowing ad networks to profile and track the user across multiple sites, something that they are not able to do with traditional cookies.
EFF goes on to note that the issue doesn’t affect just web browsers: users of mobile apps are also targeted through this mechanism.
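A check for this kind of injection comes down to comparing the request a device sent with the request a server received. The Python sketch below is an added example, not code from EFF or Verizon; the request bytes, the header values and the function names are constructed for illustration. It also shows that the injected value stays the same after the cookie is cleared.

```python
# Added example: find headers injected in transit by diffing the request a
# client sent against the request the server received. All data is constructed.

def parse_headers(raw: bytes) -> dict:
    """Parse an HTTP/1.x request head into {lowercased name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def injected_headers(sent: bytes, received: bytes) -> dict:
    """Headers the server saw that the client never sent."""
    client = parse_headers(sent)
    return {k: v for k, v in parse_headers(received).items() if k not in client}

def stable_injected(sessions) -> dict:
    """Injected headers whose value is identical in every session: these
    behave as persistent identifiers that survive clearing cookies."""
    per = [injected_headers(s, r) for s, r in sessions]
    names = set(per[0]).intersection(*per[1:])
    return {n: per[0][n] for n in names if len({p[n] for p in per}) == 1}

def request(*lines: str) -> bytes:
    """Build a constructed plain-HTTP request with optional extra headers."""
    base = ("GET / HTTP/1.1", "Host: example.test")
    return ("\r\n".join(base + lines) + "\r\n\r\n").encode()

UIDH = "X-UIDH: CONSTRUCTED-UIDH-VALUE"      # placeholder, not a real value
SESSIONS = [
    # (what the client sent, what the server received)
    (request("Cookie: id=first"), request("Cookie: id=first", UIDH, "Via: 1.1 hop-a")),
    # second visit after the user cleared cookies: X-UIDH is unchanged
    (request(), request(UIDH, "Via: 1.1 hop-b")),
]

if __name__ == "__main__":
    for sent, received in SESSIONS:
        print("injected:", injected_headers(sent, received))
    print("stable across cookie clears:", stable_injected(SESSIONS))
```
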
You can read the full account on EFF’s website.