How Verizon and Turn Defeat Browser Privacy Protections
Update 2015-01-16: Turn announced today that it will suspend its zombie cookie program by early February, but left open the possibility of resuming it in the future. We ask that Turn end the program permanently.
Verizon advertising partner Turn has been caught using Verizon Wireless's UIDH tracking header to resurrect deleted tracking cookies and share them with dozens of major websites and ad networks, forming a vast web of non-consensual online tracking. Explosive research from Stanford security expert Jonathan Mayer shows that, as we warned in November, Verizon's UIDH header is being used as an undeletable perma-cookie that makes it impossible for customers to meaningfully control their online privacy.
Mayer's research, described in ProPublica, shows that advertising network and Verizon partner Turn is using the UIDH header value to re-identify and re-cookie users who have taken careful steps to clear their cookies for privacy purposes. This contradicts standard browser privacy controls, users' expectations, and Verizon's own claims that the UIDH header won't be used to track users because it changes periodically.
This spectacular violation of Verizon users' privacy, made all the worse by Verizon's failure to offer even a real opt-out, has already had far-reaching consequences. Through Turn's cookie syncing program (described below) the re-identification affects dozens of other sites and ad networks. According to Mayer's research, many ad networks and high-profile sites, including Facebook, Twitter, Yahoo, BlueKai, AppNexus, Walmart and WebMD, receive copies of the respawned cookie.

Mayer identified a spectrum of blatancy in how the identifier was transmitted, from Referer headers, through URL parameters, to literal replication of the Turn cookie by the other third-party tracker. All of the companies we list do more than receive a Referer, though a Referer that carries the resurrected identifier is by itself enough to defeat the user's attempt to delete cookies. We have replicated and expanded on some of Mayer's results; in particular we observed Facebook and Twitter receiving the Turn cookie through explicit cookie-syncing APIs. At this point, Mayer has observed Google receiving the respawned cookie via Referer headers, so Google is very likely to have logged it, but we have not yet observed it being sent to DoubleClick's Cookie Matching API. If these sites follow what we understand to be typical cookie syncing practices, they would also be circumventing cookie deletion. It is possible that some of these companies are unknowingly in violation of their own privacy policies and regulatory settlements as a result of Verizon's and Turn's practices.
This ongoing privacy fiasco reinforces how dangerous it is for ISPs to use their network control to impose non-standard new tracking methods on their customers.
Previously, EFF analyzed Verizon's PrecisionID program, thanks to a suggestion from a concerned member. We found that Verizon reaches into its mobile customers' web browsing requests as they pass through the Verizon network and tampers with them to insert a header that uniquely identifies each Verizon subscriber. Ad networks can use the header to access extended targeting data on all Verizon customers, such as address, age, sex, and interests. Verizon claims to offer an opt-out, but opting out does not actually remove the header. Instead, Verizon says it will not share a customer's demographic data after opt-out. That means third parties can still use the Verizon header value as a unique tracking identifier, and indeed are doing so, one that Verizon customers are powerless to change or delete even after they have "opted out" of the Verizon program. Nor does enabling the Do Not Track browser setting have any effect. In fact, Turn has told EFF that it does not regard either Do Not Track or a user deleting their cookies as a signal that the user wishes to opt out of tracking. Turn ignores and circumvents these mechanisms and uses the DAA's pretend opt-out instead.
EFF warned that third parties would use this undeletable header to circumvent browser privacy protections like cookie deletion and private browsing mode in a way not possible without the header. The Turn network is doing exactly that. Like most ad networks, Turn assigns its own unique cookie (called 'uid') to everyone who visits any site that includes Turn's tracking URLs. For other networks, deleting cookies from your browser effectively dissociates you from the reading history they have collected on you. Turn is more invasive: if you delete cookies, Turn will re-assign you the exact same 'uid' cookie you just deleted. Turn can only do this because Verizon keeps injecting the same UIDH value into your requests, so Turn can look that value up in an internal database that maps it back to the old 'uid'. Because Verizon does not honor its customers' opt-out by removing the UIDH header, Turn performs this cookie resurrection even for people who have opted out on Verizon's site.
Turn also engages in cookie syncing, a widespread but sneaky workaround to the Web's cookie security policies. Normally, browsers only send a cookie back to the domain that set it, so Turn's 'uid' cookie goes only to Turn's own servers. But when your browser visits a web page with Turn's embedded tracking URLs, those URLs can load or redirect to an additional tracker from another network, for instance Facebook, with Turn's uid carried in the URL. Facebook then receives a request that carries both Turn's uid and Facebook's own cookies identifying the individual. Facebook records the relationship between the two identities, presumably so it can accumulate data about individuals with Turn's help. Cookie syncing becomes even more of a problem when one network uses illegitimate re-identification techniques, because, as Mayer's research demonstrates, Turn's resurrected cookie rapidly spreads to other ad networks, telling them about Internet reading or browsing history the individual asked them to forget: a partner that sees the same Turn uid before and after a cookie wipe can join its own old and new cookies together. We call on all ad networks to suspend cookie syncing with Turn until they have fixed this issue, and to delete existing Turn cookie syncing data collected in violation of users' privacy.
Turn's activities are simply the easiest to observe, and the most egregious, since Turn is a Verizon partner. There are almost certainly other advertisers using the same technique, both within Verizon's partner network and outside it. We've observed that Twitter and at least one other ad network have used UIDH. Mayer provides details on how he spotted Turn's obvious re-identification, but ad networks can abuse UIDH in less obvious ways. For instance, they can assign cookies that are not identical to the deleted ones, but are connected to the deleted cookies through a private database.
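To make the mechanism concrete, here is an added model of the three parties described above: a carrier proxy that injects a per-subscriber header, an ad network that re-issues a deleted 'uid' by looking the header value up in its own table, and a partner that records the synced identifier. This is example code written for this page, not Turn's, Verizon's or Mayer's code. The header name X-UIDH, the parameter name turn_uid, the host partner.example, the cookie names and all identifier values are assumptions of the example. It also covers the less obvious variant just mentioned (a fresh cookie value linked to the old one in a private table) and the VPN case where no header arrives.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse

# Header name is an assumption of this example; the article only calls it "the UIDH header".
UIDH_HEADER = "X-UIDH"


class CarrierProxy:
    """Models the ISP rewriting every subscriber request to add a stable
    per-subscriber identifier. Opting out does not remove the header, so
    no opt-out state exists here."""

    def __init__(self):
        self._uidh = {}  # subscriber -> injected header value

    def forward(self, subscriber, headers):
        """Return the headers as the destination server sees them."""
        out = dict(headers)
        out[UIDH_HEADER] = self._uidh.setdefault(subscriber, secrets.token_urlsafe(24))
        return out


class AdNetwork:
    """Models a Turn-like tracker. 'obvious' re-issues the identical 'uid';
    'stealthy' issues a new value but links it to the old one privately."""

    def __init__(self, mode="obvious"):
        self.mode = mode
        self._uid_by_uidh = {}  # carrier header value -> last uid issued
        self._alias = {}        # uid -> canonical (original) uid

    def canonical(self, uid):
        return self._alias.get(uid, uid)

    def handle_request(self, headers):
        """Return (uid to set in the response, whether it was resurrected)."""
        jar = SimpleCookie(headers.get("Cookie", ""))
        uid = jar["uid"].value if "uid" in jar else None
        uidh = headers.get(UIDH_HEADER)
        resurrected = False
        if uid is None:
            if uidh in self._uid_by_uidh:       # cookie gone, header still there
                old = self._uid_by_uidh[uidh]
                if self.mode == "obvious":
                    uid = old
                else:
                    uid = secrets.token_hex(8)
                    self._alias[uid] = self.canonical(old)
                resurrected = True
            else:
                uid = secrets.token_hex(8)      # genuinely new visitor
        if uidh is not None:
            self._uid_by_uidh[uidh] = uid
        return uid, resurrected

    def sync_url(self, partner_host, uid):
        """Pixel/redirect URL that hands this network's uid to a partner."""
        return f"https://{partner_host}/sync?" + urlencode({"turn_uid": uid})


class Partner:
    """A third party that records which of its own cookies saw which Turn uid."""

    def __init__(self):
        self.links = {}  # partner cookie -> set of Turn uids seen with it

    def receive_sync(self, url, own_cookie):
        turn_uid = parse_qs(urlparse(url).query)["turn_uid"][0]
        self.links.setdefault(own_cookie, set()).add(turn_uid)


def simulate(mode="obvious"):
    """Run one subscriber through visit, cookie wipe and VPN; report what each party sees."""
    carrier, turn, partner = CarrierProxy(), AdNetwork(mode), Partner()
    sub, host = "subscriber-1", "partner.example"

    # 1. First visit via the carrier: uid issued and synced to the partner.
    uid1, r1 = turn.handle_request(carrier.forward(sub, {}))
    partner.receive_sync(turn.sync_url(host, uid1), "partner-cookie-A")

    # 2. User wipes all cookies (Turn's and the partner's); header still injected.
    uid2, r2 = turn.handle_request(carrier.forward(sub, {}))
    partner.receive_sync(turn.sync_url(host, uid2), "partner-cookie-B")

    # 3. User wipes cookies again and browses over a VPN: no header arrives.
    uid3, r3 = turn.handle_request({})

    return {
        "visible_cookie_unchanged": uid2 == uid1,
        "same_identity_after_wipe": turn.canonical(uid2) == turn.canonical(uid1),
        "resurrected": (r1, r2, r3),
        "vpn_gives_fresh_identity": turn.canonical(uid3) != turn.canonical(uid1),
        # Can the partner, on its own, join its pre-wipe and post-wipe cookies?
        "partner_relinks_wiped_cookie": bool(
            partner.links["partner-cookie-A"] & partner.links["partner-cookie-B"]),
    }


if __name__ == "__main__":
    for mode in ("obvious", "stealthy"):
        print(mode, simulate(mode))
```

In the obvious mode the partner can join its old and new cookies by itself, because the same Turn uid arrives both times; in the stealthy mode only the ad network holds the link, which is why that variant is harder to detect from outside and why the request in the VPN case, arriving without the header, gets a genuinely fresh identity.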
As we noted when we first wrote about this issue, the only way for Verizon customers to protect themselves against their ISP's tampering is to use a VPN, an expensive and difficult option, especially on a mobile phone. The header is inserted by the network into unencrypted HTTP requests, so nothing in the browser can remove it, though requests to sites served over HTTPS cannot be modified in transit. Some people may also want to install a privacy-protecting browser extension, like Privacy Badger, Disconnect, or AdBlock Plus with the EasyPrivacy list. These extensions cannot protect against the UIDH header, but they may prevent ad network cookies and tracking requests from being sent, which can inhibit re-identification and cookie syncing. Update: we have posted a deeper review of defensive technologies here.
Amidst the outrage following our November article, AT&T, which was also beginning a tracking header program, chose to abandon it. We call on Verizon to do the same. It is clear that Verizon does not understand the privacy risks it is imposing on its customers. It ignored its customers' Do Not Track opt-out requests. The UIDH program should be shut down today. Going forward, the company should undertake to obtain genuine prior, informed consent for any future tracking activities.