Tuesday, April 14, 2015

The Verizon SuperCookie Won't Go Away

Update 4/21/2015:
It's been pointed out to me that Relevant Mobile Advertising (RMA - the thing responsible for the SuperCookie) and Customer Proprietary Network Information (CPNI) are not the same thing. That may be, but the link in the opt out instructions on Verizon's RMA info page goes to the CPNI settings below. If there's an RMA opt-out lever available to me somewhere on verizonwireless.com, I sure can't find it. I spoke with a new Verizon phone rep today. She claims to have sorted things out. My HTTP traffic still has the extra header attached. We'll see if that changes in the next few days...

Verizon Wireless made the news a few months ago when somebody noticed that they were adding extra HTTP headers, which uniquely identified subscribers, to every web request which traversed their network.

There was something of an uproar about it. I checked at least one of my phones, and was disappointed to find the tracking header attached to my traffic.

Then, less than two weeks ago, Verizon announced that customers would be allowed to opt out of having their web requests marked in this way. Many news outlets covered the announcement, Twitter rejoiced, and I headed over to my account's privacy settings page to opt out. I found that my already-paranoid privacy settings looked like this:

[Image: Don't Share!]

My account was already configured for no information sharing (I had set these levers years ago), and when I checked using the browser in my phone, I found that the tracking header had disappeared.

So, maybe it wasn't that there was a new privacy option, so much as it was a case of Verizon acknowledging that uniquely identifying customers to every website they visit just miiiiight constitute sharing of Customer Proprietary Network Information as defined by 47 U.S. Code § 222. With this policy change, customers who'd opted out of CPNI sharing would have their information protected.

Also, the $4.7M smackdown Verizon received for CPNI oversharing a few months prior may have had something to do with their sudden clarity on the matter.

Several US Senators (Sen. Bill Nelson, D-Fla., Sen. Edward Markey, D-Mass., and Sen. Richard Blumenthal, D-Conn.) have now urged the FCC to investigate Verizon's "SuperCookie", and FCC chairman Wheeler has reportedly responded by saying:

"We are looking specifically into carriers’ injection of header information and the collection and use of information about their subscribers’ Internet activity. As you suggest, we will be considering the extent to which our rules and policies relating to consumer privacy, data security and transparency may be implicated,"

So, aside from another possible smackdown, this matter should be settled, right? Folks who want no super cookie should be able to opt out?

Unfortunately, no.

Note my privacy settings above. Well, in spite of them, at least one of those lines is still attaching the damned tracking header (X-UIDH) to my HTTP traffic:

[Image: Note the X-UIDH: header line]

Here are sanitized capture files from the client and server which demonstrate the problem.
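
One way to confirm in-transit header injection from a client/server capture pair like the one described above, added here as an example (not the author's code): parse the raw request as the client sent it and as the server received it, then report the headers that differ. The sample captures, host name and X-UIDH value are constructed placeholders.

```python
"""Diff the request headers a client sent against those the server received."""


def parse_request_headers(raw: bytes) -> dict:
    """Return {lowercased header name: [values]} from one raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # [1:] drops the request line
        if not line or line[0] in " \t":
            continue  # skip blanks and obsolete folded continuation lines
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def diff_headers(client_raw: bytes, server_raw: bytes) -> dict:
    """Compare what left the client with what arrived at the server."""
    sent = parse_request_headers(client_raw)
    seen = parse_request_headers(server_raw)
    return {
        # Headers the server saw that the client never sent (e.g. X-UIDH).
        "added": {n: v for n, v in seen.items() if n not in sent},
        # Headers stripped somewhere on the path.
        "removed": {n: v for n, v in sent.items() if n not in seen},
        # Headers present on both sides with different values.
        "changed": {n: (sent[n], seen[n])
                    for n in sent if n in seen and sent[n] != seen[n]},
    }


# Constructed sample captures; the X-UIDH value is a placeholder, not a real ID.
CLIENT_CAPTURE = (
    b"GET /headers HTTP/1.1\r\n"
    b"Host: test.example\r\n"
    b"User-Agent: demo-browser\r\n"
    b"Accept: */*\r\n\r\n"
)
SERVER_CAPTURE = (
    b"GET /headers HTTP/1.1\r\n"
    b"Host: test.example\r\n"
    b"User-Agent: demo-browser\r\n"
    b"Accept: */*\r\n"
    b"X-UIDH: PLACEHOLDER-UIDH-VALUE\r\n\r\n"
)

if __name__ == "__main__":
    for name, values in diff_headers(CLIENT_CAPTURE, SERVER_CAPTURE)["added"].items():
        print(f"added in transit: {name}: {values}")
```

The comparison only means something for plain HTTP requests captured on the carrier connection; a middlebox cannot add headers inside a TLS session it does not terminate.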

I spent a long time on the phone with Verizon folks today. The CSRs insist that all of my CPNI is safe, and there's nothing to worry about. Yet the injected header persists. My next step in the Verizon escalation chain involves licking envelopes because apparently the real tech wizards at Big Red have neither email nor telephones...

It's crazy that the escalation path through my Senators and the FCC looks easier to manage than the one Verizon is offering me.
