Which Apps Protect Against Verizon and Turn's Invasive User Tracking?
If you do not want information to be collected for marketing purposes from services such as the Verizon Wireless Mobile Internet services, you should not use those particular services.
But if you're trapped in a contract with Verizon Wireless, you may not be able to switch to another carrier. If that's the case, here's a review of which mobile apps (and desktop software, if you tether) will and won't protect you against UIDH and Turn.com's zombie cookies.
Which mobile apps protect you against Verizon and Turn?
We tested the following common mobile browsers and privacy apps:
| App/browser | Platform | Protects against Verizon? | Protects against Turn? |
|---|---|---|---|
| AdBlock | Firefox for Android | No | Yes |
| AdBlock Plus | Android (rooted) or Firefox for Android | No | Yes |
| Chrome | Android or iOS | No | No |
| Disconnect Pro | Android or iOS | Yes | Yes |
| Ghostery Privacy Browser | Android (iOS not tested) | No | No (yes if you press the "block" switch) |
| HTTPS Everywhere | Firefox for Android | Partial | Partial (blocks cookie respawning) [1] |
| Orbot + Orweb | Android (root recommended) | Yes | Yes |
| Safari | iOS | No | Yes (if you're careful) [2] |
| VPNs (e.g. Bitmask or any other privacy-friendly VPN) | Any | Yes | Yes |
Methodology: we installed each tool in its default configuration, and tested whether Turn was able to respawn its uid cookies after deletion in most situations.
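The methodology above, as an added example (not EFF's test code): a constructed Python model in which a carrier proxy injects the UIDH into plaintext HTTP and a tracker re-issues the same uid whenever it sees the same header. The header name `X-UIDH`, the `tracker.example` and `site.example` hosts, the subscriber ID, and the tracker's lookup logic are assumptions for illustration.

```python
"""Constructed model of UIDH injection and uid cookie respawning (no real traffic)."""
import secrets

UIDH_HEADER = "X-UIDH"              # assumed header name carrying the UIDH
SUBSCRIBER = "constructed-subscriber-id"
_uid_by_uidh = {}                   # the modelled tracker's server-side store


def carrier_proxy(request, tunnelled=False):
    """Inject the subscriber ID into plaintext HTTP only.

    With HTTPS, a VPN or Tor, the carrier cannot see or alter the headers.
    """
    out = dict(request, headers=dict(request["headers"]))
    if request["scheme"] == "http" and not tunnelled:
        out["headers"][UIDH_HEADER] = SUBSCRIBER
    return out


def tracker_uid(request):
    """Return the uid cookie value the modelled tracker would set."""
    if "uid" in request["cookies"]:
        return request["cookies"]["uid"]
    uidh = request["headers"].get(UIDH_HEADER)
    if uidh is None:
        return secrets.token_hex(8)             # fresh, unlinkable uid
    return _uid_by_uidh.setdefault(uidh, secrets.token_hex(8))  # respawn


def uid_respawns(scheme="http", tunnelled=False, block_tracker=False):
    """Visit, delete cookies, visit again: True if the same uid comes back."""
    seen = []
    for _ in range(2):
        if block_tracker:                       # blocker drops the request
            seen.append(None)
            continue
        req = {"scheme": scheme, "host": "tracker.example",
               "headers": {}, "cookies": {}}    # empty jar = cookies deleted
        seen.append(tracker_uid(carrier_proxy(req, tunnelled)))
    return seen[0] is not None and seen[0] == seen[1]


def uidh_injected(scheme="http", tunnelled=False):
    """True if a first-party site still receives the injected header."""
    req = {"scheme": scheme, "host": "site.example", "headers": {}, "cookies": {}}
    return UIDH_HEADER in carrier_proxy(req, tunnelled)["headers"]
```

In this model a tracker blocker makes `uid_respawns` false while `uidh_injected` stays true, which corresponds to the "No / Yes" rows in the tables; only encrypting the request changes both.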
Which desktop software protects you against Verizon and Turn?
If you tether your laptop to a Verizon device, or use a Verizon WiFi or USB mobile Internet connection, your laptop will be subject to non-consensual UIDH injection and tracking. Most of the mobile apps above are also available in desktop versions, but there are a few additional options:
| Software/browser | Platform | Protects against Verizon? | Protects against Turn? |
|---|---|---|---|
| Internet Explorer | Windows, OS X | No | No |
| Privacy Badger | Firefox, Chrome | No | Yes |
| Tor Browser Bundle | Windows, Linux, OS X | Yes | Yes |
If you use Internet Explorer, you might consider a Tracking Protection List. Some of these help, others make the problem worse:
| Tracking Protection List | Platform | Protects against Verizon? | Protects against Turn? |
|---|---|---|---|
| Abine TPL | IE 9+ | No | Yes |
| EasyList TPL | IE 9+ | No | Yes |
| EasyPrivacy TPL | IE 9+ | No | No [3] |
| Privacy Choice -- all companies | IE 9+ | No | Yes |
| Privacy Choice -- companies without NAI oversight | IE 9+ | No | No |
| TRUSTe TPL | IE 9+ | No | No (makes the problem worse! [4]) |
Who needs to do better?
Some major take-aways about the software that does, and doesn't, protect you:
- Of the major browsers, only Safari offers even partial protection by default. Firefox, which has talked about offering better protection for its users, hasn't delivered anything practical yet.
- Amongst the ad- and tracker-blocking software, the results were surprising. Disconnect Pro, which includes both VPNs and tracker blocking, is a strong option, though it requires a subscription fee after a free trial period. Software like AdBlock, AdAway and AdBlock Plus, which don't claim to be privacy tools, or which require manual reconfiguration to block trackers, nonetheless protected their users against Turn. Ghostery, which claims to be a privacy tool, doesn't offer any protection by default! [5] EFF's own Privacy Badger works as expected, but isn't available on mobile yet (you can help out here!).
- The Google Play Store on Android has censored the apps that offer the most effective protection. Google needs to reverse this disastrous anti-user and anti-privacy decision, or be held accountable for Verizon and Turn's predation on their users.
- Defeating Turn's tracking is comparatively easy: users can (and are advised to) block all requests to Turn's domains. Verizon's practices are both a more profound violation of trust — we need to trust our ISPs as much as we trust our priests — and harder to protect against. If for some reason you need to use the Verizon Wireless network, encrypting your requests so Verizon can't tamper with them is the only answer, and currently Tor, VPNs, and (for partial but continuous protection) HTTPS Everywhere are the only answers.
Update: 2015-01-15: tl;dr this post was updated to shorten the introduction.
- 1. HTTPS Everywhere prevents Verizon from injecting tracking headers, but only for sites that it upgrades to HTTPS. Because it covers Turn.com, it should prevent Turn from ever receiving UIDH headers.
- 2. If you ever click on a link to Turn.com, even accidentally, Safari will allow third party cookies from that site.
- 3. The EasyPrivacy blocklist appears to have been designed to work in addition to EasyList, but this is likely to confuse many users. This is true both for the ABP and TPL versions of these lists.
- 4. The TRUSTe TPL whitelists some trackers that receive Turn's respawned cookies via a sync API. It therefore appears dangerous to install the TRUSTe TPL.
- 5. The Ghostery mobile app is somewhat better, in that it at least makes tracker blocking a prominent option. But we fear that most Ghostery desktop users think they're being protected when they are not.