Verizon Wireless injecting tracking UIDs into HTTP requests
See @KennWhite: https://twitter.com/kennwhite/status/525110471733817344
Verizon Wireless is injecting a UID into all HTTP requests made on the VZW network, regardless of whether or not you've opted out of their Customer Proprietary Network Information (CNPI) options.
It's injected at the network level- So it tracks across browsers and ignores 'private browsing', do-not-track headers, overriding the UIDH in the client/curl, everything. My confirmation showing the headers only appearing in unprotected HTTP requests (disappearing when VPNed):
https://twitter.com/rammic/status/525360201361530880
If you're on the VZW cell network and not using wifi, you can check your own ID here (via @j4cob):
http://uidh.crud.net/
150 comments
[ 3.2 ms ] story [ 172 ms ] threadEdit: Also, on a positive match, the page displays a link to an NBC News article on Verizon's CPNI (Customer Proprietary Network Information).
http://www.nbcnews.com/tech/security/why-you-should-check-yo...
..."regardless of whether or not you've opted out of their Customer Proprietary Network Information (CNPI) options."
Can anybody recommend a good VPN service that works on android?
https://developer.chrome.com/multidevice/data-compression
Zenmate: https://play.google.com/store/apps/details?id=com.zenmate.an...
They were testing it last year, you could clearly see these headers on a large percentage of traffic coming from their gateways.
I'm not expressing an opinion one way or another but they clearly felt the UID is not directly identifiable and thus does not become a privacy issue until they share the mapping of the UID to customer data.
My guess is in their minds if you opt-out they just do not provide your UID to 3rd parties for targeting.
In the ever increasing dream of cross device marketing (think your iPad, iPhone and Laptop) many companies are trying to figure out ways to connect these devices to a single individual or family.
IIRC Verizon quietly started rolling out service wide TOS changes to allow this sort of thing a couple years back. That said I'm not sure if their TOS makes it clear how this is implemented and what potential side effects might be caused by the way they've implemented them.
The disturbing part is a unique ID that follows you despite private browsing and across browsers. The worst part is that it goes to every site you visit (not just VZW or selected advertisers). It can be trivially linked to your existing cookies/identity to follow you even after clearing cookies, changing browsers, switching devices, etc.
As an example if you sign up for some random blog and they capture UID's they could quickly map your email to your UID and onward into the spiral we go.
IP Addresses are a similar problem for home users, nobody seemed to have noticed that quite some time ago ISP's started making DHCP lease times quite long. Not to put on a tin foil hat, but I assume this was done more strategically then just to reduce load on DHCP servers in their networks.
I would guess that voting with your feet would be the most effective response. While many think consumers don't care (or don't understand), we can see many vendors beginning to emphasize confidentiality features.
> did not receive X-UIDH header.
So I presume I can say that Movistar Chile is not inserting that into the header. Not sure about T-Mobile (US) though.
When you're in China and roaming on a foreign operator, you're not affected by the Great Firewall since you're data goes through the APN in your home country.
Here's the setting you're looking for:
http://i.imgur.com/QFJJNV5.png
Mods may also want to update the title to include "Wireless" after Verizon; Verizon landline is not doing this anywhere AFAIK.
"Verizon Wireline consumers and certain business customers may opt-out by calling 1-866-483-9700. Verizon Wireless consumer and certain business customers may call 1-800-333-9956."
Only after calling that number are you told you are ineligible because you are prepaid.
This is advertised as a prepaid account, not a personal-information-selling subsidized account. It's also not even really competitive with other plans. Verizon gives you up to 1GB/month for $45, only with recurring payments, while Cricket gives you 10GB 4G with unlimited throttled data for $55. Unfortunately, Verizon has a monopoly in most of my area. T-Mobile and Sprint don't operate here, and AT&T is spotty.
Take another example. A medical facility cannot take customer information about a person with a specific ailment and sell that information to advertisers for the purpose of earning a commission on the sale of those targeted ads. There are laws forbidding how that information is shared.
The following link outlines some of the state and federal laws specific to California, but each state has their own, and the federal laws obviously apply to the entire United States.
http://oag.ca.gov/privacy/privacy-laws
Consent matters. In Europe it would most certainly be illegal.
I agree this is terrible, but I should point out that T-mobile's prepaid and postpaid plans are priced the same (and neither requires a contract - only difference is that the latter requires a credit check).
If T-mobile is an option for you, I would recommend their prepaid options.
Also, if your credit is bad, you may be able to pay a ~ $500 deposit (steep, I know) for a postpaid account on Verizon/AT&T. IIRC, the deposit is only needed for the first year, after which you get it back.
http://imgur.com/mLxVTrL
I'm going to make a few phone calls...
http://uidh.crud.net/ also says "did not receive X-UIDH header."
California, Verizon Wireless, Business Account, not on contract.
EDIT: Now an hour later, the headers DO appear. No setting to disable on the VZW site though.
I then changed the other two settings ("Customer Proprietary Network Information" and "Business & Marketing Reports") to opt-out, and it was still sending the header about a half-hour or hour later, and I contacted @VZWSupport on Twitter. This morning, the header was no longer being sent.
So I don't know if:
• one of those other settings eventually took effect; or...
• contacting @VZWSupport caused them to fix something with my account, either based on my support-expressed preference or remedying a bug in respecting prior preferences; or...
• general reporting of this has caused a change at VZW, perhaps in finally respecting previous opt-outs
Maybe the header isn't being sent for you due to this change possibly being a gradual rollout.
The wording you've clipped does not suggest that the "unique, anonymous identifier" will be sent to every website. (It does suggest there's a customer choice in some way, but that's unclear and so far no one has reported a reliable way to have Verizon suppress the X-UIDH header.)
The note that "many opt-outs are cookie-based" may not be relevant to this tampering. In particular, there's no clear way that cookies to Verizon websites could be consulted when doing the tampering on each HTTP request to other websites: they're not part of the connection. (I suspect this section is boilerplate related to some other opt-out.)
Doesn't that mean that Verizon isn't actually offering TCP/IP (Internet) access, since they corrupt my protocol stream in transit? Shoudln't that mean they should be charged with fraud if they continue to advertise the fact that they provide internet access when what they really provide is a broken version of TCP they made up?
It's a serious question.
Your question may have been serious, but it's also ridiculous, unless you have a much more technically detailed contract with Verizon than I've ever seen.
On the other hand if your spouse is a lawyer and wants to make a name for themself then you'd consider moving forward on failure to deliver service / false advertising / etc.
This is a serious answer: Go back and look at what they actually promise to deliver. Bet it doesn't have the word "TCP" in it anywhere. You can't hit them with contract violation when they aren't in violation of their contract. (Well, you can lodge any lawsuit you like. But it won't go well for you.)
And if you could and did today, in a month the contracts would be rewritten anyhow, making this a completely moot point.
Further... again, go check your contract for your home provider. I'm quite confident it doesn't promise to "serve IP packets", let alone making any promise whatsoever to serve them without modification. Don't lose sight of the context here... pedanting about what protocol is in use isn't going to change the fact that none of them are probably mentioned in your contract.
You've never gotten "the real internet" on a mobile device. The idea that they may change one more part of your fake connection seems pretty irrelevant.
The same happens on "real" routers, firewalls, etc when they massage the traffic going through them. Sometimes they barely change anything at all. Sometimes they make minor adjustments. Sometimes major ones. You don't have an agreement with any of them specifically to modify your packets; they just do. So do you have a claim of harassment against your packets? Have they trespassed on your property? Are you trespassing on their routers?
The answer to all these questions is: nobody has ever guaranteed to you what you get from the internet, other than "availability" if you're a business user, and even that's not set in stone.
Modifying headers in order to facilitate transit over a network is one thing, modifying the L7 payload is another.
Often carrier-grade routers will replace every aspect of a tcp/ip packet, like sequence numbers, windows, flags, source and dest ports, etc. Routers like these see everything going through them as a form of NAT; it's just some connections are modified more than others. The exception to this would be interfaces in bridge or monitor mode.
To your second point that modifying some layers is OK but modifying other layers is not: what rationale explains this double standard? What about the application layer do you find to be unique in that there's some expectation of purity? Does a proxy not modify layer 7 to cache and pass traffic? Does DNS not do the same?
This case was extreme but imagine as you say, a proprietary client and server that think they have implemented HTTP properly but they haven't. Maybe they assume all headers come in a specific order, the request size may not exceed X bytes, a hash of the request has been transfered over another channel, etc etc. Normally this is fine because they always only communicate with each other and they both always do exactly the same "mistake", but now the data essentially becomes corrupted. Can you really blame these applications for "not following spec", they were only designed to communicate with each other.
I am huge fan since I starting using it when traveling Europe. The mobile version works great as well.
http://i.imgur.com/1YQfGRN.png
https://www.tunnelbear.com/development/encryption/
Seems like a bit of an odd choice for a ciphersuite. I sure hope it's implemented well.
Edit: There is an x-acr header, which contains a curiously large amount of encoded data, far too much to be any reasonably sized id. Anyone know what it is?
[1] http://time.com/money/3025429/verizon-smart-rewards-loyalty-...
http://www.gsma.com/oneapi/anonymous-customer-reference-beta...
"We collect personal information about you. We gather some information through our relationship with you, such as information about the quantity, technical configuration, type, destination and amount of your use of our telecommunications services. You can find out how we use, share and protect the information we collect about you in the Verizon Privacy Policy, available at verizon.com/privacy. By entering this Agreement, you consent to our data collection, use and sharing practices described in our Privacy Policy. We provide you with choices to limit, in certain circumstances, our use of the data we have about you. You can review these choices at verizon.com/privacy#limits. If there are additional specific advertising and marketing practices for which your consent is necessary, we will seek your consent (such as through the privacy–related notices you receive when you purchase or use products and services) before engaging in those practices. [..]
DISCLAIMER OF WARRANTIES
We make no representations or warranties, express or implied, including, to the extent permitted by applicable law, any implied warranty of merchantability or fitness for a particular purpose, about your Service, your wireless device, or any applications you access through your wireless device."
https://www.verizon.com/about/privacy/policy/
"We collect information about your use of our products, services and sites. Information such as call records, websites visited, wireless location, application and feature usage, network traffic data, product and device-specific information and identifiers, service options you choose, mobile and device numbers, video streaming and video packages and usage, movie rental and purchase data, FiOS TV viewership, and other similar information may be used for billing purposes, to deliver and maintain products and services, or to help you with service-related issues or questions. In addition, this information may be used for purposes such as providing you with information about product or service enhancements, determining your eligibility for new products and services, and marketing to you. This information may also be used to manage and protect our networks, services and users from fraudulent, abusive, or unlawful uses; and help us improve our services, research and develop new products, and offer promotions and other services.
[..]
When you register on our sites, we may assign an anonymous, unique identifier. This may allow select advertising entities to use information they have about your web browsing on a desktop computer to deliver marketing messages to mobile devices on our network. We do not share any information that identifies you personally outside of Verizon as part of this program. You have a choice about whether to participate, and you can you can visit our relevant mobile advertising page (link to www.vzw.com/myprivacy) to learn more or advise us of your choice.
Customer Proprietary Network Information (CPNI): [..] Verizon Wireline consumers and certain business customers may opt-out by calling 1-866-483-9700. Verizon Wireless consumer and certain business customers may call 1-800-333-9956. Other customers may decline to provide or withdraw CPNI consent by following the instructions in the Verizon notice seeking consent. For additional information, you can read examples of common consumer CPNI notices for Verizon Wireline and Verizon Wireless.
Please note that many opt-outs are cookie-based. If you buy a new computer, change web browsers or delete the cookies on your computer, you will need to opt-out again. Please also note that some wireless devices, portals and websites have li...
In fact, isn't "anonymous, unique identifier" an oxymoron?
I believe the word you are looking for is "oxymoron" which is the opposite of a tautology.
In fact they even say:
We do not share any information that identifies you personally outside of Verizon as part of this program.
http://www.faqs.org/patents/app/20130318346
http://www.google.com/patents/US20130318581
1) The more widespread the technology is, the more advertisers will be aware of it and will seek it. This means more revenue for Verizon (bigger market for this product).
2) If all carriers do it, then people won't have an incentive to switch from Verizon.
3) Licensing fees.
IANAL, but the DMCA seems to protect you from liability only if you don't examine and modify traffic. If they're looking at the protocol to see if it's HTTP and therefore modifiable, they could look at the host to see if it's going to the pirate bay and block it. This means that when someone goes to the pirate bay on the Verizon Wireless network, Verizon is liable for their actions under the DMCA.
This is like YouTube reviewing videos before they're uploaded. If they were reviewing videos, they could catch copyright violations from the start and thus should.
There's probably legal trickery they could use to get out of it but it seems like a valid point.
On ATT I see the X-Acr thing but not clear if it's UID like or not in nature, would need to see more of them.
http://www.att.com/gen/privacy-policy?pid=24339