Verizon Wireless injecting tracking UIDs into HTTP requests

299 points by pillfill ↗ HN
See @KennWhite: https://twitter.com/kennwhite/status/525110471733817344

Verizon Wireless is injecting a UID into all HTTP requests made on the VZW network, regardless of whether or not you've opted out of their Customer Proprietary Network Information (CNPI) options.

It's injected at the network level- So it tracks across browsers and ignores 'private browsing', do-not-track headers, overriding the UIDH in the client/curl, everything. My confirmation showing the headers only appearing in unprotected HTTP requests (disappearing when VPNed):

https://twitter.com/rammic/status/525360201361530880

If you're on the VZW cell network and not using wifi, you can check your own ID here (via @j4cob):

http://uidh.crud.net/

150 comments

[ 3.2 ms ] story [ 172 ms ] thread
I'm on Verizon and got "did not receive X-UIDH header" message from uidh.crud.net. Possibly because it says "1x" at the top of my phone and that means it's on another network?
(comment deleted)
Hmm, confirmed on Verizon 4G LTE network.

Can anybody recommend a good VPN service that works on android?

Private internet access. Works great.
If you use Chrome and enable Google's Data Compression Proxy, all http traffic is proxied via Google's servers and sent to them via spdy (which is encrypted), so Verizon can't tamper with the requests or see what they are:

https://developer.chrome.com/multidevice/data-compression

So you trade Verizon's tracking for Google's?
At the very least, it would only be Google that could track you, instead of every website you visit being able to read your Verizon-assigned ID.
What about DNS queries?
They're not http so would guess they don't go through the proxy.
Private Internet Access is a favorite by many. You should check them out if you have a chance. They're supposedly very strong on android
PrivateInternetAccess.com is great, they also have a nice android app that will connect on your phones bootup
This as been known for a while and it's used by some advertisers...
The news is that it's ignoring the opt-out selections (including mine that I set a while ago).
I'm on Verizon and got "did not receive X-UIDH header". 4G, droid ultra, FL
This has been going on for ages, not sure why people just now noticed it.

They were testing it last year, you could clearly see these headers on a large percentage of traffic coming from their gateways.

I'm not expressing an opinion one way or another but they clearly felt the UID is not directly identifiable and thus does not become a privacy issue until they share the mapping of the UID to customer data.

My guess is in their minds if you opt-out they just do not provide your UID to 3rd parties for targeting.

In the ever increasing dream of cross device marketing (think your iPad, iPhone and Laptop) many companies are trying to figure out ways to connect these devices to a single individual or family.

IIRC Verizon quietly started rolling out service wide TOS changes to allow this sort of thing a couple years back. That said I'm not sure if their TOS makes it clear how this is implemented and what potential side effects might be caused by the way they've implemented them.

The news is that they are injecting it even when you have opted out of CNPI.

The disturbing part is a unique ID that follows you despite private browsing and across browsers. The worst part is that it goes to every site you visit (not just VZW or selected advertisers). It can be trivially linked to your existing cookies/identity to follow you even after clearing cookies, changing browsers, switching devices, etc.

Yes it's disturbing, again I'm no mind reader, but I guess they assume when you opt-out they just don't map your UID. Meanwhile you're still trackable and just one small data point could be used to reverse everything you visit.

As an example if you sign up for some random blog and they capture UID's they could quickly map your email to your UID and onward into the spiral we go.

IP Addresses are a similar problem for home users, nobody seemed to have noticed that quite some time ago ISP's started making DHCP lease times quite long. Not to put on a tin foil hat, but I assume this was done more strategically then just to reduce load on DHCP servers in their networks.

Private browsing has never been considered to actually protect your privacy, except for people looking at your local history. It clearly states that in browsers.
Are you a shill or just stupid?
This makes me rather unhappy. I'm seeing this on Verizon. Can someone with an alternative mobile provider like Sprint or T-Mobile test this, too?
> This makes me rather unhappy. I'm seeing this on Verizon. Can someone with an alternative mobile provider like Sprint or T-Mobile test this, too?

I would guess that voting with your feet would be the most effective response. While many think consumers don't care (or don't understand), we can see many vendors beginning to emphasize confidentiality features.

I'm not sure if I value my confidentiality more than the unlimited talk/data/text plan on which I'm grandfathered. It's a hard change to make, especially considering I no longer see the tracking data after I disabled it in my settings.
I just tested mine, but the situation is a bit complicated. My service is with T-mobile in the US, but I am currently connecting through Movistar Chile. The response from the website was:

> did not receive X-UIDH header.

So I presume I can say that Movistar Chile is not inserting that into the header. Not sure about T-Mobile (US) though.

If you are roaming and using the T-Mobile APN, then you're still going through the T-Mobile data infrastructure.

When you're in China and roaming on a foreign operator, you're not affected by the Great Firewall since you're data goes through the APN in your home country.

Okay, thanks for the clarification. I did just check and I have an American geolocated IP, consistent with what you said.
At least with that page I "did not receive X-UIDH header" on T-Mobile. Didn't check for headers with other names.
They don't appear to be doing this if you've opted out of "Relevant Mobile Advertising", which is another option [separate from CPNI] on http://verizonwireless.com/myprivacy.

Here's the setting you're looking for:

http://i.imgur.com/QFJJNV5.png

Mods may also want to update the title to include "Wireless" after Verizon; Verizon landline is not doing this anywhere AFAIK.

I have a prepaid account, and I'm not allowed to change privacy settings either online or over the phone. The web tells me I am an account member and not owner, and the phone just says prepaid is not eligible to opt out. I can fix it by using a VPN, but isn't it illegal to not even allow me to opt out? Postpaid is significantly more expensive than prepaid and not available to people with bad credit. How can they discriminate like that?
(comment deleted)
I'm not clear why you think it would be illegal. There may be rules against not allowing people to opt out, I don't know. But when you ask "How can they discriminate like that?", there's nothing illegal about discriminating on the basis of credit or willingness to pay for a more expensive product.
I can understand discriminating on quality or something like that, but we're talking about not being able to opt out of having your personal information sold. It seems like there should be some kind of a law where that has to be made absolutely clear. It doesn't even seem to be buried anywhere in the Terms of Service, which say:

"Verizon Wireline consumers and certain business customers may opt-out by calling 1-866-483-9700. Verizon Wireless consumer and certain business customers may call 1-800-333-9956."

Only after calling that number are you told you are ineligible because you are prepaid.

This is advertised as a prepaid account, not a personal-information-selling subsidized account. It's also not even really competitive with other plans. Verizon gives you up to 1GB/month for $45, only with recurring payments, while Cricket gives you 10GB 4G with unlimited throttled data for $55. Unfortunately, Verizon has a monopoly in most of my area. T-Mobile and Sprint don't operate here, and AT&T is spotty.

I'm attracting a lot of downvotes, and I feel like people think I'm supporting Verizon. I agree with you in that I think they're being scummy, but I guess I was just saying that when you ask "How can they discriminate like that?" the answer is that lots of scummy things aren't illegal. I agree it might be nice to see much stronger privacy laws in this area, but they don't exist yet and that's most of what I was trying to say. I think I thought you were saying that you thought it was illegal ("isn't there a law...") whereas you were really just saying you thought it should be illegal.
I do think it should be illegal, but "isn't it illegal?" was a genuine question. I don't know the specifics, but I'm surprised there isn't some legal requirement. You can't even send e-mail without allowing an opt-out, and every ad network I know of has an opt-out policy, so sending tracking information to every website you visit and selling that information with no option to opt-out just seems over the top and out of step with what everyone else offers.
You want to know how to opt out? You cancel your contract. Verizon is under no obligation to provide you with phone and internet access, ad-free or otherwise. They offer a product on the free market, and if you don't like that product, you should not buy it. While I think their policies and attitude toward privacy is despicable, accusing them of doing anything illegal is simply incorrect.
While what you said may seem logically correct, there are a myriad of privacy protections that corporations are expected to adhere to regarding the information customers entrust to them. One reason for these protections is that the "resolution" you've suggested --- that the customer can simply choose not to use their services --- provides no protections against future-use of information. Say a customer chooses a vendor that sells his information after he ends his service with them. Under your strategy - the customer would have absolutely no recourse since he has no leverage against that vendor. He's already "walked" so to speak - yet they still may have information of value about that customer.

Take another example. A medical facility cannot take customer information about a person with a specific ailment and sell that information to advertisers for the purpose of earning a commission on the sale of those targeted ads. There are laws forbidding how that information is shared.

The following link outlines some of the state and federal laws specific to California, but each state has their own, and the federal laws obviously apply to the entire United States.

http://oag.ca.gov/privacy/privacy-laws

>I'm not clear why you think it would be illegal.

Consent matters. In Europe it would most certainly be illegal.

What's Europe got to do with this?
Because somebody seemed surprised that people expected this to be illegal. The fact that it is illegal in a large number of countries is a useful datapoint, and shows that the initial reaction of "shouldn't this be illegal" isn't completely off the wall.
> Postpaid is significantly more expensive than prepaid and not available to people with bad credit. How can they discriminate like that?

I agree this is terrible, but I should point out that T-mobile's prepaid and postpaid plans are priced the same (and neither requires a contract - only difference is that the latter requires a credit check).

If T-mobile is an option for you, I would recommend their prepaid options.

Also, if your credit is bad, you may be able to pay a ~ $500 deposit (steep, I know) for a postpaid account on Verizon/AT&T. IIRC, the deposit is only needed for the first year, after which you get it back.

Thanks for the suggestions, but I really don't want an expensive postpaid contract. I don't even need service every month. WiFi calling is better than cell calling most of the time, and unfortunately, no carrier other than Verizon operates in most of the places around where I live. I'll stick to a VPN.
They're ignoring it for me. See: https://twitter.com/kennwhite/status/525374343074029568 Can you confirm you connected over cellular when testing?
Yep, over LTE on an iPhone 6, in NYC. The only thing unique is I have Safari configured to send the DNT header. It would be amusing (in a good way) if that made VZ's infrastructure not tag all my traffic.
Edited Title- You're correct, no reason to believe this is happening anywhere else (e.g. FIOS)
as a pageplus user, I don't know if there is a way to op out of this. actually I havenmt found a way to opt out of either.
That setting doesn't exist on my version of the page.. I get a link to "more information" on "Verizon Selects", but none of my lines are listed there.

I'm going to make a few phone calls...

Using and ad blocker? I disabled mine and that section showed up.
I can confirm that disabling adblock allows these settings to show up.
My account has had this disabled for months, the header still shows
Just checked my configurations, those settings are all set 'off' for my lines (I turned them all off months ago, not just this moment), but the uidh.crud.net site is still receiving the header.
Likewise. They were set to off when I visited the page and the header still shows.
This is disabled across all of my lines and is still showing.
My "Relevant Mobile Advertising" was already long-ago opted-out ("No, I don't want to participate in Relevant Mobile Advertising"). Still, last night, my "Verizon 3G" (iPhone 4s) was definitely adding the header to all plain-HTTP traffic, including that from private/incognito-mode tabs, and from another machine sharing the "personal hotspot".

I then changed the other two settings ("Customer Proprietary Network Information" and "Business & Marketing Reports") to opt-out, and it was still sending the header about a half-hour or hour later, and I contacted @VZWSupport on Twitter. This morning, the header was no longer being sent.

So I don't know if:

• one of those other settings eventually took effect; or...

• contacting @VZWSupport caused them to fix something with my account, either based on my support-expressed preference or remedying a bug in respecting prior preferences; or...

• general reporting of this has caused a change at VZW, perhaps in finally respecting previous opt-outs

And... the header is back again. Haven't made any further changes to privacy preferences (all opt-out).
I'm opted out of everything on that page and I'm still seeing the header sent.

Maybe the header isn't being sent for you due to this change possibly being a gradual rollout.

Same. Opted out of everything (since months ago). Still seeing the header. :(
The header is sent if you opt out. It's explicitly stated in the privacy policy, which i've copied into a parent post on this HN thread.
I don't see how the privacy policy wording can be interpreted that way.

The wording you've clipped does not suggest that the "unique, anonymous identifier" will be sent to every website. (It does suggest there's a customer choice in some way, but that's unclear and so far no one has reported a reliable way to have Verizon suppress the X-UIDH header.)

The note that "many opt-outs are cookie-based" may not be relevant to this tampering. In particular, there's no clear way that cookies to Verizon websites could be consulted when doing the tampering on each HTTP request to other websites: they're not part of the connection. (I suspect this section is boilerplate related to some other opt-out.)

I am opted out of everything. The header is sent in mobile Chrome and Firefox, with incognito mode, and with DNT enabled.
In addition to all of the other users reporting that it isn't actually disabled, they publicly claim that it's disabled for enterprise and government customers but I confirmed that it's still being sent there as well.
My phone's VWZ http requests are sending the header, where I have been opted out of "Relevant Mobile Advertising" since they sent me information about it in the mail earlier this year.
Let's say I want to send some TCP. That TCP happens to kind of look like HTTP, but it's not. It's just some protocol I made up which looks HTTPish enough to trigger this injection.

Doesn't that mean that Verizon isn't actually offering TCP/IP (Internet) access, since they corrupt my protocol stream in transit? Shoudln't that mean they should be charged with fraud if they continue to advertise the fact that they provide internet access when what they really provide is a broken version of TCP they made up?

It's a serious question.

No.

Your question may have been serious, but it's also ridiculous, unless you have a much more technically detailed contract with Verizon than I've ever seen.

I wonder if it would be possible to have them sign a contract when you sign up since customer is king.
customer is king? With verizon? not in the US.
Yup in theory. In practice you would call up your legal counsel, and they'd ask you how hard would it be to re-engineer your protocol to not break by Verizon. If the answer is anything less than 1 year and tens to hundreds of thousands of dollars then they'd advise you to just fix your protocol.

On the other hand if your spouse is a lawyer and wants to make a name for themself then you'd consider moving forward on failure to deliver service / false advertising / etc.

"Doesn't that mean that Verizon isn't actually offering TCP/IP (Internet) access, since they corrupt my protocol stream in transit?"

This is a serious answer: Go back and look at what they actually promise to deliver. Bet it doesn't have the word "TCP" in it anywhere. You can't hit them with contract violation when they aren't in violation of their contract. (Well, you can lodge any lawsuit you like. But it won't go well for you.)

If they used the proper noun "Internet" then TCP/IP is implied.
No, it really isn't. Even in our world thinking Internet == TCP/IP is a faux pas, roughly equivalent to thinking Internet == WWW. Legally speaking I suspect the term borders on meaningless. Obviously a company offering "internet access" must do something to discharge their contract but I seriously doubt you could ever nail them on this.

And if you could and did today, in a month the contracts would be rewritten anyhow, making this a completely moot point.

There is no public, global network of networks besides the one known as the Internet, and it exclusively uses the Internet Protocol suite.
Thinking TCP/IP = IP is also a bit of a faux pas. No fair changing the terms I used out from underneath me and then complaining.

Further... again, go check your contract for your home provider. I'm quite confident it doesn't promise to "serve IP packets", let alone making any promise whatsoever to serve them without modification. Don't lose sight of the context here... pedanting about what protocol is in use isn't going to change the fact that none of them are probably mentioned in your contract.

I didn't say Internet Protocol, I said the Internet Protocol Suite.
When most mobile providers get you on the internet, it's through NAT. They're already terminating and re-creating your connections for you, and not providing your "real" tcp/ip packets to the internet, and thus neither the world's "real" internet packets to you. All you get is a translation.

You've never gotten "the real internet" on a mobile device. The idea that they may change one more part of your fake connection seems pretty irrelevant.

The same happens on "real" routers, firewalls, etc when they massage the traffic going through them. Sometimes they barely change anything at all. Sometimes they make minor adjustments. Sometimes major ones. You don't have an agreement with any of them specifically to modify your packets; they just do. So do you have a claim of harassment against your packets? Have they trespassed on your property? Are you trespassing on their routers?

The answer to all these questions is: nobody has ever guaranteed to you what you get from the internet, other than "availability" if you're a business user, and even that's not set in stone.

NAT doesn't terminate and recreate connections. It modifies packet headers and forwards them.

Modifying headers in order to facilitate transit over a network is one thing, modifying the L7 payload is another.

Well you're right in a sense. But it modifies packets to a point where they are indistinguishable from the original connection, and tracks the incoming and outgoing interface sides as if they were discrete connections (there are at least four flows for every NAT connection).

Often carrier-grade routers will replace every aspect of a tcp/ip packet, like sequence numbers, windows, flags, source and dest ports, etc. Routers like these see everything going through them as a form of NAT; it's just some connections are modified more than others. The exception to this would be interfaces in bridge or monitor mode.

To your second point that modifying some layers is OK but modifying other layers is not: what rationale explains this double standard? What about the application layer do you find to be unique in that there's some expectation of purity? Does a proxy not modify layer 7 to cache and pass traffic? Does DNS not do the same?

Verizon LTE devices have a unique, publicly accessible IPv6 address.
I once had extremely odd errors being reported by my clients (phonehomes via window.onerror in the browser), things like syntax errors in my otherwise perfectly fine javascript and randomly corrupted data transfered with ajax. So i started investigating and came to the conclusion that someones ISP was trying to inject iframes with ads into any random text transfered over http, including javascript! Pure craziness, if i myself was affected i would change ISP on the spot.

This case was extreme but imagine as you say, a proprietary client and server that think they have implemented HTTP properly but they haven't. Maybe they assume all headers come in a specific order, the request size may not exceed X bytes, a hash of the request has been transfered over another channel, etc etc. Normally this is fine because they always only communicate with each other and they both always do exactly the same "mistake", but now the data essentially becomes corrupted. Can you really blame these applications for "not following spec", they were only designed to communicate with each other.

This looks like a job for Tunnelbear VPN! https://www.tunnelbear.com/

I am huge fan since I starting using it when traveling Europe. The mobile version works great as well.

Tunnelbear does work great, except for the fact that it drains the battery in my phone like crazy. I use SSHTunnel to route all traffic through my private server.
I assume there are similar opt-outs for AT&T, Sprint, T-Moblie, etc. Anyone maintain a page of links for how to access the opt-outs?
Interesting, I just tested my device over AT&T LTE, but there was no UIDH header.

Edit: There is an x-acr header, which contains a curiously large amount of encoded data, far too much to be any reasonably sized id. Anyone know what it is?

I see this as well. AT&T LTE with iPhone 5 (running 8.1).
also seeing this despite CNPI settings. class-action time?
Bummer, the iPad (LTE version) sends this tracking information and there is no way to turn it off.
setup a vpn with digitalocean like I do, it's about all we can do.
Well to be clear, on WiFi it does not send the tracking data, only when using the LTE network. That said the only SSL tunnel software I saw was Junos Pulse which is sitting on a ton of bad reviews at the moment because apparently it doesn't work with iOS 8. What VPN software do you use with your iPad?
Just confirmed that the UID follows the SIM, so even swapping phones won't save you.
https://www.verizonwireless.com/b2c/support/customer-agreeme...

"We collect personal information about you. We gather some information through our relationship with you, such as information about the quantity, technical configuration, type, destination and amount of your use of our telecommunications services. You can find out how we use, share and protect the information we collect about you in the Verizon Privacy Policy, available at verizon.com/privacy. By entering this Agreement, you consent to our data collection, use and sharing practices described in our Privacy Policy. We provide you with choices to limit, in certain circumstances, our use of the data we have about you. You can review these choices at verizon.com/privacy#limits. If there are additional specific advertising and marketing practices for which your consent is necessary, we will seek your consent (such as through the privacy–related notices you receive when you purchase or use products and services) before engaging in those practices. [..]

DISCLAIMER OF WARRANTIES

We make no representations or warranties, express or implied, including, to the extent permitted by applicable law, any implied warranty of merchantability or fitness for a particular purpose, about your Service, your wireless device, or any applications you access through your wireless device."

https://www.verizon.com/about/privacy/policy/

"We collect information about your use of our products, services and sites. Information such as call records, websites visited, wireless location, application and feature usage, network traffic data, product and device-specific information and identifiers, service options you choose, mobile and device numbers, video streaming and video packages and usage, movie rental and purchase data, FiOS TV viewership, and other similar information may be used for billing purposes, to deliver and maintain products and services, or to help you with service-related issues or questions. In addition, this information may be used for purposes such as providing you with information about product or service enhancements, determining your eligibility for new products and services, and marketing to you. This information may also be used to manage and protect our networks, services and users from fraudulent, abusive, or unlawful uses; and help us improve our services, research and develop new products, and offer promotions and other services.

[..]

When you register on our sites, we may assign an anonymous, unique identifier. This may allow select advertising entities to use information they have about your web browsing on a desktop computer to deliver marketing messages to mobile devices on our network. We do not share any information that identifies you personally outside of Verizon as part of this program. You have a choice about whether to participate, and you can you can visit our relevant mobile advertising page (link to www.vzw.com/myprivacy) to learn more or advise us of your choice.

Customer Proprietary Network Information (CPNI): [..] Verizon Wireline consumers and certain business customers may opt-out by calling 1-866-483-9700. Verizon Wireless consumer and certain business customers may call 1-800-333-9956. Other customers may decline to provide or withdraw CPNI consent by following the instructions in the Verizon notice seeking consent. For additional information, you can read examples of common consumer CPNI notices for Verizon Wireline and Verizon Wireless.

Please note that many opt-outs are cookie-based. If you buy a new computer, change web browsers or delete the cookies on your computer, you will need to opt-out again. Please also note that some wireless devices, portals and websites have li...

Thank you for posting this, so the lawsuit-happy folks of HN will realize they, once again, have no legal leg to stand on.
And good riddance! Lawsuits from HN folks were really beginning to clog up our court system... /s
The identifier seems more pseudonymous than anonymous.

In fact, isn't "anonymous, unique identifier" an oxymoron?

> In fact, isn't "anonymous, unique identifier" a tautology?

I believe the word you are looking for is "oxymoron" which is the opposite of a tautology.

It would be fine it they were really just following the "we collect information about you" part, but what they seem to be really doing here is more like "we send unique identifiers associated with you to every other site you visit."

In fact they even say:

We do not share any information that identifies you personally outside of Verizon as part of this program.

I believe Verizon is violating their customer agreement here. From the looks of it, the tracking header provides a way for websites not affiliated with Verizon to build profiles on users as they travel across the internet. Rogue tracking networks could be built on this.
Excellent news, that means their competitors are safer to use?
It would make sense for Verizon to license the technology to other carriers.

1) The more widespread the technology is, the more advertisers will be aware of it and will seek it. This means more revenue for Verizon (bigger market for this product).

2) If all carriers do it, then people won't have an incentive to switch from Verizon.

3) Licensing fees.

Doesn't examining/modifying data exempt you from the DMCA safe harbor protections?
VZW doesn't use SIMs except in some new 4G tech.
Um, how is this relevant?

IANAL, but the DMCA seems to protect you from liability only if you don't examine and modify traffic. If they're looking at the protocol to see if it's HTTP and therefore modifiable, they could look at the host to see if it's going to the pirate bay and block it. This means that when someone goes to the pirate bay on the Verizon Wireless network, Verizon is liable for their actions under the DMCA.

This is like YouTube reviewing videos before they're uploaded. If they were reviewing videos, they could catch copyright violations from the start and thus should.

There's probably legal trickery they could use to get out of it but it seems like a valid point.

Just checked my Verizon 4G LTE MiFi and the headers are not there, I've not done anything special to my account settings.

On ATT I see the X-Acr thing but not clear if it's UID like or not in nature, would need to see more of them.

I just checked my AT&T phone and I have an X-Acr header too.
Just checked my phone and I have "do not track" turned on and x-acr is tracking. Who/what is it? Why? How do I stop it?
Checked my Wife's Verizon iPad on LTE and no UID header.
How is this UID different to an IP address?
It's stable across devices and sessions – if you have a cell phone and a tablet, the UID is the same and it won't change over time even as you move around their network.
In some sense having one ID instead of two unique IPs is better?
Useful to note that the UIDH changes every 7 days.
Here's a scary thought: How do we know every ISP isn't doing this, it would be undetectable if they only injected these on certain domains e.g. facebook, google. However I don't see how much more tracking ability that would grant over IP tracking.
Note, the ID rotates every week. However they do allow select companies to retrieve a history of IDs