Ver­i­zon users might want to start look­ing for anoth­er provider. In an effort to bet­ter serve adver­tis­ers, Ver­i­zon Wire­less has been silent­ly mod­i­fy­ing its users’ web traf­fic on its net­work to inject a cook­ie-like track­er. This track­er, includ­ed in an HTTP head­er called X‑UIDH, is sent to every unen­crypt­ed web­site a Ver­i­zon cus­tomer vis­its from a mobile device. It allows third-par­ty adver­tis­ers and web­sites to assem­ble a deep, per­ma­nent pro­file of vis­i­tors’ web brows­ing habits with­out their consent.

Ver­i­zon appar­ent­ly cre­at­ed this mech­a­nism to expand their adver­tis­ing pro­grams, but it has pri­va­cy impli­ca­tions far beyond those pro­grams. Indeed, while we’re con­cerned about Ver­i­zon’s own use of the head­er, we’re even more wor­ried about what it allows oth­ers to find out about Ver­i­zon users.

The X‑UIDH head­er effec­tive­ly rein­vents the cook­ie, but does so in a way that is shock­ing­ly inse­cure and dan­ger­ous to your pri­va­cy. Worse still, Ver­i­zon does­n’t let users turn off this “fea­ture.” In fact, it func­tions even if you use a pri­vate brows­ing mode or clear your cook­ies. You can test whether the head­er is inject­ed in your traf­fic by vis­it­ing lessonslearned.org/sniff or amibeingtracked.com over a cell data connection.

How X‑UIDH Works, and Why It’s a Problem

Like a cook­ie, this head­er unique­ly iden­ti­fies users to the web­sites they vis­it. Ver­i­zon adds the head­er at the net­work lev­el, between the user’s device and the servers with which the user inter­acts. Unlike a cook­ie, the head­er is tied to a data plan, so any­one who brows­es the web through a hotspot, or shares a com­put­er that uses cel­lu­lar data, gets the same X‑UIDH head­er as every­one else using that hotspot or com­put­er. That means adver­tis­ers may build a pro­file that reveals pri­vate brows­ing activ­i­ty to cowork­ers, friends, or fam­i­ly through tar­get­ed advertising.

Also unlike a cook­ie, Ver­i­zon’s head­er is near­ly invis­i­ble to the user and can’t be seen or changed in the device’s brows­er set­tings. If a user clears their cook­ies, the X‑UIDH head­er remains unchanged. Worse, ad net­works can imme­di­ate­ly assign new cook­ies and link them to the cleared cook­ies using the unchanged X‑UIDH val­ue. We don’t know which data bro­kers and ad net­works are using the head­er to cre­ate behav­ioral pro­files, but Cory Dunne found at least one GitHub repos­i­to­ry con­tained code to extract the head­er val­ue, as of Octo­ber 27. The repos­i­to­ry has since been qui­et­ly delet­ed but can be viewed at the Inter­net Archive. Twit­ter’s mobile adver­tis­ing divi­sion also appears to use the head­er for ad auc­tions.

Besides cook­ie clear­ing, the X‑UIDH head­er bypass­es sev­er­al oth­er built-in brows­er pri­va­cy mech­a­nisms. Cook­ies belong to a sin­gle web­site and aren’t shared with oth­er web­sites. But one unique X‑UIDH head­er val­ue is shared with all unen­crypt­ed web­sites a user vis­its, mak­ing it eas­i­er for ad net­works to track that user across many sites in a way not pos­si­ble with cook­ies alone. Browsers pro­vide Incog­ni­to Mode or Pri­vate Brows­ing Mode in order to defeat some kinds of track­ing, but the X‑UIDH head­er, since it is inject­ed at the net­work lay­er, ignores those modes. Ver­i­zon also choos­es to ignore Do Not Track, a set­ting users enable in their brows­er to indi­cate they do not want to be tracked. Sim­i­lar­ly, dis­abling third-par­ty cook­ies in brows­er set­tings does noth­ing to stop the X‑UIDH header.

To com­pound the prob­lem, the head­er also affects more than just web browsers. Mobile apps that send HTTP requests will also have the head­er insert­ed. This means that users’ behav­ior in apps can be cor­re­lat­ed with their behav­ior on the web, which would be dif­fi­cult or impos­si­ble with­out the head­er. Ver­i­zon describes this as a key ben­e­fit of using their sys­tem. But Ver­i­zon bypass­es the ‘Lim­it Ad Track­ing’ set­tings in iOS and Android that are specif­i­cal­ly intend­ed to lim­it abuse of unique iden­ti­fiers by mobile apps.

Because the head­er is inject­ed at the net­work lev­el, Ver­i­zon can add it to any­one using their tow­ers, even those who aren’t Ver­i­zon cus­tomers. Notably, Ver­i­zon appears to inject the X‑UIDH head­er even for cus­tomers of Straight Talk, a mobile net­work reseller (known as a MVNO) that uses Ver­i­zon’s net­work. Cus­tomers of Straight Talk don’t nec­es­sar­i­ly have a rela­tion­ship with Verizon.

But accord­ing to AdAge, “Cor­po­rate and gov­ern­ment sub­scribers are exclud­ed from the new mar­ket­ing solu­tion.” We haven’t ver­i­fied (and Ver­i­zon refus­es to say) whether the head­er is still sent for those sub­scribers or not. If they are indeed except­ed from the pro­gram, that indi­cates to us that imple­ment­ing an opt-out is fea­si­ble. We’re dis­ap­point­ed that Ver­i­zon takes some of its users’ pri­va­cy more seri­ous­ly than others.

Verizon’s Claimed Protections

Ver­i­zon does pro­vide a sort of lim­it­ed opt-out for indi­vid­ual cus­tomers, but it appears that the opt-out does not actu­al­ly dis­able the head­er. Instead, it mere­ly tells Ver­i­zon not to share detailed demo­graph­ic infor­ma­tion with adver­tis­ers who present a UIDH val­ue. Mean­ing­ful pro­tec­tion from track­ing by third par­ties would require Ver­i­zon to omit the head­er entirely.

Accord­ing to Ver­i­zon, the head­er val­ue is a salt­ed hash, and the hash changes on an undis­closed fre­quen­cy. How­ev­er, it’s easy for third-par­ty ad net­works to cre­ate a con­tin­u­ous pro­file by asso­ci­at­ing old and new X‑UIDH val­ues through their own iden­ti­fi­er cook­ie1. Ver­i­zon has refused to say what iden­ti­fi­er they hash to cre­ate the iden­ti­fi­er, but their recent patent sug­gests hash­ing a phone num­ber. If they are indeed hash­ing phone num­bers, it would be a major cryp­to­graph­ic mis­take. Phone num­bers can eas­i­ly be deduced from hash­es, so send­ing those hash­es to untrust­ed web sites is prac­ti­cal­ly equiv­a­lent to giv­ing them your phone number.

Besides the ad net­works, the unique X‑UIDH head­er is a boon to eaves­drop­pers. We have seen that the NSA uses sim­i­lar iden­ti­fy­ing meta­da­ta as ‘selec­tors’ to col­lect all of a sin­gle per­son­’s Inter­net activ­i­ty. They also have been shown to use selec­tors to choose tar­gets for deliv­er­ing mal­ware via QUANTUMINSERT and sim­i­lar pro­grams. Hav­ing all Ver­i­zon mobile users’ web traf­fic marked with a per­sis­tent, unique iden­ti­fi­er makes it triv­ial for any­one pas­sive­ly eaves­drop­ping on the Inter­net to asso­ciate that traf­fic with the indi­vid­ual user in a way not pos­si­ble with IP address­es alone.

Accord­ing to Ver­i­zon, it began the Pre­ci­sion Mar­ket Insights pro­gram in 2012, but has con­sis­tent­ly refused to pro­vide tech­ni­cal details about how the pro­gram worked. The injec­tion of the X‑UIDH head­er went large­ly unre­marked by the tech­ni­cal com­mu­ni­ty until recent­ly because it is so hard to observe. The head­er is insert­ed in requests after they leave the phone, so cus­tomers can­not detect it using only a phone. In order to detect it, a user needs to run a web serv­er con­fig­ured to log or echo all HTTP head­ers, which is very rare.

How You Can Protect Yourself

Ver­i­zon can only mod­i­fy plain text traf­fic. It can’t mod­i­fy encrypt­ed requests with­out break­ing the whole con­nec­tion. There are four options for encrypt­ing web requests: HTTPS, an encrypt­ed proxy, a VPN, or Tor. Only a VPN or Tor pro­vide full pro­tec­tion in this case.

The best pro­tec­tion against this spe­cif­ic prob­lem is to use a VPN that encrypts all requests made from your phone, regard­less of whether they were made by an app or a brows­er. Most VPNs are paid ser­vices, and when using a VPN you have to trust the VPN oper­a­tors the same way you would nor­mal­ly trust your ISP. Advanced users can also use Tor via Orbot Android app in trans­par­ent proxy mode (requires root). Tor is free, but you have to trust exit node oper­a­tors not to inter­fere with your con­nec­tion. Tor is more appro­pri­ate if you are try­ing to be anonymous.

The sec­ond-best pro­tec­tion is to use an encrypt­ed proxy, which pro­tects brows­er traf­fic but not mobile apps. Mobile Chrome pro­vides the ‘Reduce data usage’ set­ting, which is report­ed to pre­vent the X‑UIDH head­er injec­tion. Unfor­tu­nate­ly, this con­nec­tion is not reli­ably encrypt­ed, because an ISP can dis­able encryp­tion on it at any time.

HTTPS, which is the best pro­tec­tion for many types of harm, is actu­al­ly the least pow­er­ful pro­tec­tion for this one. The head­er can­not be inject­ed into an HTTPS request, but since web­sites choose whether to offer HTTPS, a site that wants to track users can sim­ply avoid HTTPS and get the track­ing head­ers. The web needs to become ful­ly encrypt­ed, and these X‑UIDH head­ers pro­vide a strong dis­in­cen­tive for sites and adver­tis­ers who wish to track their users to adopt HTTPS. In fact, the AT&T patent on sim­i­lar head­ers rec­om­mends down­grad­ing (redi­rect­ing) secure HTTPS requests to HTTP ones in order to receive the track­ing header.

What Verizon Should Do

Ver­i­zon should imme­di­ate­ly stop inject­ing the X‑UIDH track­ing head­er into its users’ traf­fic. It is entire­ly pos­si­ble to re-design their mar­ket­ing pro­grams so that the head­er is only inject­ed for users who explic­it­ly con­sent to hav­ing their Inter­net con­nec­tions mod­i­fied to add track­ing infor­ma­tion, and to do so in a way that does­n’t allow third-par­ty sites to track users across the Inter­net.

We’re also con­cerned that Ver­i­zon’s fail­ure to per­mit its users to opt out of X‑UIDH may be a vio­la­tion of the fed­er­al law that requires phone com­pa­nies to main­tain the con­fi­den­tial­i­ty of their cus­tomers’ data. Only two months ago, the wire­line sec­tor of Ver­i­zon’s busi­ness was hit with a $7.4 mil­lion fine by the Fed­er­al Com­mu­ni­ca­tions Com­mis­sion after it was caught using its “cus­tomers’ per­son­al infor­ma­tion for thou­sands of mar­ket­ing cam­paigns with­out even giv­ing them the choice to opt out.” With this head­er, it looks like Ver­i­zon lets its cus­tomers opt out of the mar­ket­ing side of the pro­gram, but not from the dis­clo­sure of their brows­ing habits.

More gen­er­al­ly, Ver­i­zon should stop tam­per­ing with their cus­tomers’ Inter­net traf­fic with­out their cus­tomers’ con­sent. ISPs like Ver­i­zon act as trust­ed con­nec­tors to the world, and should­n’t be mod­i­fy­ing our com­mu­ni­ca­tions on their way to the Inter­net. Peo­ple should not be required to sub­scribe to a VPN and put their trust in a third par­ty in order to get a mod­icum of pri­va­cy on the Internet.

AT&T has been report­ed to be test­ing a sim­i­lar head­er.

• 1. For instance, sup­pose an ad net­work assigned you a cook­ie with the unique val­ue “cookie1,” and Ver­i­zon assigned you the X‑UIDH head­er “old_uid.” When Ver­i­zon changes your X‑UIDH head­er to a new val­ue, say “new_uid,” the ad net­work can con­nect “new_uid” and “old_uid” to the same cook­ie val­ue “cookie1” and see that they all three val­ues rep­re­sent the same per­son. Sim­i­lar­ly, if you sub­se­quent­ly clear cook­ies, the ad net­work will assign a new cook­ie val­ue “cookie2.” Since your X‑UIDH val­ue is the same (say, “new_uid”) before and after clear­ing cook­ies, the ad net­work can con­nect “cookie1” and “cookie2” to the same X‑UIDH val­ue “new_uid.” The back-and-forth boot­strap­ping of iden­ti­ty makes it impos­si­ble to tru­ly clear your track­ing his­to­ry while the X‑UIDH head­er is enabled.