Hacker News new | past | comments | ask | show | jobs | submit login
Verizon Wireless injecting tracking UIDs into HTTP requests
299 points by pillfill on Oct 23, 2014 | hide | past | favorite | 146 comments
See @KennWhite: https://twitter.com/kennwhite/status/525110471733817344

Verizon Wireless is injecting a UID into all HTTP requests made on the VZW network, regardless of whether or not you've opted out of their Customer Proprietary Network Information (CNPI) options.

It's injected at the network level- So it tracks across browsers and ignores 'private browsing', do-not-track headers, overriding the UIDH in the client/curl, everything. My confirmation showing the headers only appearing in unprotected HTTP requests (disappearing when VPNed):

https://twitter.com/rammic/status/525360201361530880

If you're on the VZW cell network and not using wifi, you can check your own ID here (via @j4cob):

http://uidh.crud.net/




Let's say I want to send some TCP. That TCP happens to kind of look like HTTP, but it's not. It's just some protocol I made up which looks HTTPish enough to trigger this injection.

Doesn't that mean that Verizon isn't actually offering TCP/IP (Internet) access, since they corrupt my protocol stream in transit? Shoudln't that mean they should be charged with fraud if they continue to advertise the fact that they provide internet access when what they really provide is a broken version of TCP they made up?

It's a serious question.


"Doesn't that mean that Verizon isn't actually offering TCP/IP (Internet) access, since they corrupt my protocol stream in transit?"

This is a serious answer: Go back and look at what they actually promise to deliver. Bet it doesn't have the word "TCP" in it anywhere. You can't hit them with contract violation when they aren't in violation of their contract. (Well, you can lodge any lawsuit you like. But it won't go well for you.)


If they used the proper noun "Internet" then TCP/IP is implied.


No, it really isn't. Even in our world thinking Internet == TCP/IP is a faux pas, roughly equivalent to thinking Internet == WWW. Legally speaking I suspect the term borders on meaningless. Obviously a company offering "internet access" must do something to discharge their contract but I seriously doubt you could ever nail them on this.

And if you could and did today, in a month the contracts would be rewritten anyhow, making this a completely moot point.


There is no public, global network of networks besides the one known as the Internet, and it exclusively uses the Internet Protocol suite.


Thinking TCP/IP = IP is also a bit of a faux pas. No fair changing the terms I used out from underneath me and then complaining.

Further... again, go check your contract for your home provider. I'm quite confident it doesn't promise to "serve IP packets", let alone making any promise whatsoever to serve them without modification. Don't lose sight of the context here... pedanting about what protocol is in use isn't going to change the fact that none of them are probably mentioned in your contract.


I didn't say Internet Protocol, I said the Internet Protocol Suite.


Yup in theory. In practice you would call up your legal counsel, and they'd ask you how hard would it be to re-engineer your protocol to not break by Verizon. If the answer is anything less than 1 year and tens to hundreds of thousands of dollars then they'd advise you to just fix your protocol.

On the other hand if your spouse is a lawyer and wants to make a name for themself then you'd consider moving forward on failure to deliver service / false advertising / etc.


When most mobile providers get you on the internet, it's through NAT. They're already terminating and re-creating your connections for you, and not providing your "real" tcp/ip packets to the internet, and thus neither the world's "real" internet packets to you. All you get is a translation.

You've never gotten "the real internet" on a mobile device. The idea that they may change one more part of your fake connection seems pretty irrelevant.

The same happens on "real" routers, firewalls, etc when they massage the traffic going through them. Sometimes they barely change anything at all. Sometimes they make minor adjustments. Sometimes major ones. You don't have an agreement with any of them specifically to modify your packets; they just do. So do you have a claim of harassment against your packets? Have they trespassed on your property? Are you trespassing on their routers?

The answer to all these questions is: nobody has ever guaranteed to you what you get from the internet, other than "availability" if you're a business user, and even that's not set in stone.


NAT doesn't terminate and recreate connections. It modifies packet headers and forwards them.

Modifying headers in order to facilitate transit over a network is one thing, modifying the L7 payload is another.


Well you're right in a sense. But it modifies packets to a point where they are indistinguishable from the original connection, and tracks the incoming and outgoing interface sides as if they were discrete connections (there are at least four flows for every NAT connection).

Often carrier-grade routers will replace every aspect of a tcp/ip packet, like sequence numbers, windows, flags, source and dest ports, etc. Routers like these see everything going through them as a form of NAT; it's just some connections are modified more than others. The exception to this would be interfaces in bridge or monitor mode.

To your second point that modifying some layers is OK but modifying other layers is not: what rationale explains this double standard? What about the application layer do you find to be unique in that there's some expectation of purity? Does a proxy not modify layer 7 to cache and pass traffic? Does DNS not do the same?


Verizon LTE devices have a unique, publicly accessible IPv6 address.


No.

Your question may have been serious, but it's also ridiculous, unless you have a much more technically detailed contract with Verizon than I've ever seen.


I wonder if it would be possible to have them sign a contract when you sign up since customer is king.


customer is king? With verizon? not in the US.


I once had extremely odd errors being reported by my clients (phonehomes via window.onerror in the browser), things like syntax errors in my otherwise perfectly fine javascript and randomly corrupted data transfered with ajax. So i started investigating and came to the conclusion that someones ISP was trying to inject iframes with ads into any random text transfered over http, including javascript! Pure craziness, if i myself was affected i would change ISP on the spot.

This case was extreme but imagine as you say, a proprietary client and server that think they have implemented HTTP properly but they haven't. Maybe they assume all headers come in a specific order, the request size may not exceed X bytes, a hash of the request has been transfered over another channel, etc etc. Normally this is fine because they always only communicate with each other and they both always do exactly the same "mistake", but now the data essentially becomes corrupted. Can you really blame these applications for "not following spec", they were only designed to communicate with each other.


They don't appear to be doing this if you've opted out of "Relevant Mobile Advertising", which is another option [separate from CPNI] on http://verizonwireless.com/myprivacy.

Here's the setting you're looking for:

http://i.imgur.com/QFJJNV5.png

Mods may also want to update the title to include "Wireless" after Verizon; Verizon landline is not doing this anywhere AFAIK.


I have a prepaid account, and I'm not allowed to change privacy settings either online or over the phone. The web tells me I am an account member and not owner, and the phone just says prepaid is not eligible to opt out. I can fix it by using a VPN, but isn't it illegal to not even allow me to opt out? Postpaid is significantly more expensive than prepaid and not available to people with bad credit. How can they discriminate like that?


> Postpaid is significantly more expensive than prepaid and not available to people with bad credit. How can they discriminate like that?

I agree this is terrible, but I should point out that T-mobile's prepaid and postpaid plans are priced the same (and neither requires a contract - only difference is that the latter requires a credit check).

If T-mobile is an option for you, I would recommend their prepaid options.

Also, if your credit is bad, you may be able to pay a ~ $500 deposit (steep, I know) for a postpaid account on Verizon/AT&T. IIRC, the deposit is only needed for the first year, after which you get it back.


Thanks for the suggestions, but I really don't want an expensive postpaid contract. I don't even need service every month. WiFi calling is better than cell calling most of the time, and unfortunately, no carrier other than Verizon operates in most of the places around where I live. I'll stick to a VPN.


I'm not clear why you think it would be illegal. There may be rules against not allowing people to opt out, I don't know. But when you ask "How can they discriminate like that?", there's nothing illegal about discriminating on the basis of credit or willingness to pay for a more expensive product.


I can understand discriminating on quality or something like that, but we're talking about not being able to opt out of having your personal information sold. It seems like there should be some kind of a law where that has to be made absolutely clear. It doesn't even seem to be buried anywhere in the Terms of Service, which say:

"Verizon Wireline consumers and certain business customers may opt-out by calling 1-866-483-9700. Verizon Wireless consumer and certain business customers may call 1-800-333-9956."

Only after calling that number are you told you are ineligible because you are prepaid.

This is advertised as a prepaid account, not a personal-information-selling subsidized account. It's also not even really competitive with other plans. Verizon gives you up to 1GB/month for $45, only with recurring payments, while Cricket gives you 10GB 4G with unlimited throttled data for $55. Unfortunately, Verizon has a monopoly in most of my area. T-Mobile and Sprint don't operate here, and AT&T is spotty.


I'm attracting a lot of downvotes, and I feel like people think I'm supporting Verizon. I agree with you in that I think they're being scummy, but I guess I was just saying that when you ask "How can they discriminate like that?" the answer is that lots of scummy things aren't illegal. I agree it might be nice to see much stronger privacy laws in this area, but they don't exist yet and that's most of what I was trying to say. I think I thought you were saying that you thought it was illegal ("isn't there a law...") whereas you were really just saying you thought it should be illegal.


I do think it should be illegal, but "isn't it illegal?" was a genuine question. I don't know the specifics, but I'm surprised there isn't some legal requirement. You can't even send e-mail without allowing an opt-out, and every ad network I know of has an opt-out policy, so sending tracking information to every website you visit and selling that information with no option to opt-out just seems over the top and out of step with what everyone else offers.


You want to know how to opt out? You cancel your contract. Verizon is under no obligation to provide you with phone and internet access, ad-free or otherwise. They offer a product on the free market, and if you don't like that product, you should not buy it. While I think their policies and attitude toward privacy is despicable, accusing them of doing anything illegal is simply incorrect.


While what you said may seem logically correct, there are a myriad of privacy protections that corporations are expected to adhere to regarding the information customers entrust to them. One reason for these protections is that the "resolution" you've suggested --- that the customer can simply choose not to use their services --- provides no protections against future-use of information. Say a customer chooses a vendor that sells his information after he ends his service with them. Under your strategy - the customer would have absolutely no recourse since he has no leverage against that vendor. He's already "walked" so to speak - yet they still may have information of value about that customer.

Take another example. A medical facility cannot take customer information about a person with a specific ailment and sell that information to advertisers for the purpose of earning a commission on the sale of those targeted ads. There are laws forbidding how that information is shared.

The following link outlines some of the state and federal laws specific to California, but each state has their own, and the federal laws obviously apply to the entire United States.

http://oag.ca.gov/privacy/privacy-laws


>I'm not clear why you think it would be illegal.

Consent matters. In Europe it would most certainly be illegal.


What's Europe got to do with this?


Because somebody seemed surprised that people expected this to be illegal. The fact that it is illegal in a large number of countries is a useful datapoint, and shows that the initial reaction of "shouldn't this be illegal" isn't completely off the wall.


My "Relevant Mobile Advertising" was already long-ago opted-out ("No, I don't want to participate in Relevant Mobile Advertising"). Still, last night, my "Verizon 3G" (iPhone 4s) was definitely adding the header to all plain-HTTP traffic, including that from private/incognito-mode tabs, and from another machine sharing the "personal hotspot".

I then changed the other two settings ("Customer Proprietary Network Information" and "Business & Marketing Reports") to opt-out, and it was still sending the header about a half-hour or hour later, and I contacted @VZWSupport on Twitter. This morning, the header was no longer being sent.

So I don't know if:

• one of those other settings eventually took effect; or...

• contacting @VZWSupport caused them to fix something with my account, either based on my support-expressed preference or remedying a bug in respecting prior preferences; or...

• general reporting of this has caused a change at VZW, perhaps in finally respecting previous opt-outs


And... the header is back again. Haven't made any further changes to privacy preferences (all opt-out).


I'm opted out of everything on that page and I'm still seeing the header sent.

Maybe the header isn't being sent for you due to this change possibly being a gradual rollout.


Same. Opted out of everything (since months ago). Still seeing the header. :(


I am opted out of everything. The header is sent in mobile Chrome and Firefox, with incognito mode, and with DNT enabled.


The header is sent if you opt out. It's explicitly stated in the privacy policy, which i've copied into a parent post on this HN thread.


I don't see how the privacy policy wording can be interpreted that way.

The wording you've clipped does not suggest that the "unique, anonymous identifier" will be sent to every website. (It does suggest there's a customer choice in some way, but that's unclear and so far no one has reported a reliable way to have Verizon suppress the X-UIDH header.)

The note that "many opt-outs are cookie-based" may not be relevant to this tampering. In particular, there's no clear way that cookies to Verizon websites could be consulted when doing the tampering on each HTTP request to other websites: they're not part of the connection. (I suspect this section is boilerplate related to some other opt-out.)


My account has had this disabled for months, the header still shows


In addition to all of the other users reporting that it isn't actually disabled, they publicly claim that it's disabled for enterprise and government customers but I confirmed that it's still being sent there as well.


Just checked my configurations, those settings are all set 'off' for my lines (I turned them all off months ago, not just this moment), but the uidh.crud.net site is still receiving the header.


Likewise. They were set to off when I visited the page and the header still shows.


They're ignoring it for me. See: https://twitter.com/kennwhite/status/525374343074029568 Can you confirm you connected over cellular when testing?


Yep, over LTE on an iPhone 6, in NYC. The only thing unique is I have Safari configured to send the DNT header. It would be amusing (in a good way) if that made VZ's infrastructure not tag all my traffic.


Interesting. They're definitely ignoring it my case: https://twitter.com/kennwhite/status/525369304456658944


Yeah, I've got nothing. Maybe it's only specific IP blocks that have the 'feature' enabled yet?

http://imgur.com/mLxVTrL


That setting doesn't exist on my version of the page.. I get a link to "more information" on "Verizon Selects", but none of my lines are listed there.

I'm going to make a few phone calls...


Using and ad blocker? I disabled mine and that section showed up.


I can confirm that disabling adblock allows these settings to show up.


Even with ad blockers disabled, I only see CPNI settings (which I'd already set to "Don't Share") at https://wbillpay.verizonwireless.com/vzw/accountholder/profi...

http://uidh.crud.net/ also says "did not receive X-UIDH header."

California, Verizon Wireless, Business Account, not on contract.

EDIT: Now an hour later, the headers DO appear. No setting to disable on the VZW site though.


That did it! Thanks!


My phone's VWZ http requests are sending the header, where I have been opted out of "Relevant Mobile Advertising" since they sent me information about it in the mail earlier this year.


This is disabled across all of my lines and is still showing.


as a pageplus user, I don't know if there is a way to op out of this. actually I havenmt found a way to opt out of either.


Edited Title- You're correct, no reason to believe this is happening anywhere else (e.g. FIOS)


This has been going on for ages, not sure why people just now noticed it.

They were testing it last year, you could clearly see these headers on a large percentage of traffic coming from their gateways.

I'm not expressing an opinion one way or another but they clearly felt the UID is not directly identifiable and thus does not become a privacy issue until they share the mapping of the UID to customer data.

My guess is in their minds if you opt-out they just do not provide your UID to 3rd parties for targeting.

In the ever increasing dream of cross device marketing (think your iPad, iPhone and Laptop) many companies are trying to figure out ways to connect these devices to a single individual or family.

IIRC Verizon quietly started rolling out service wide TOS changes to allow this sort of thing a couple years back. That said I'm not sure if their TOS makes it clear how this is implemented and what potential side effects might be caused by the way they've implemented them.


The news is that they are injecting it even when you have opted out of CNPI.

The disturbing part is a unique ID that follows you despite private browsing and across browsers. The worst part is that it goes to every site you visit (not just VZW or selected advertisers). It can be trivially linked to your existing cookies/identity to follow you even after clearing cookies, changing browsers, switching devices, etc.


Yes it's disturbing, again I'm no mind reader, but I guess they assume when you opt-out they just don't map your UID. Meanwhile you're still trackable and just one small data point could be used to reverse everything you visit.

As an example if you sign up for some random blog and they capture UID's they could quickly map your email to your UID and onward into the spiral we go.

IP Addresses are a similar problem for home users, nobody seemed to have noticed that quite some time ago ISP's started making DHCP lease times quite long. Not to put on a tin foil hat, but I assume this was done more strategically then just to reduce load on DHCP servers in their networks.


Private browsing has never been considered to actually protect your privacy, except for people looking at your local history. It clearly states that in browsers.


This makes me rather unhappy. I'm seeing this on Verizon. Can someone with an alternative mobile provider like Sprint or T-Mobile test this, too?


> This makes me rather unhappy. I'm seeing this on Verizon. Can someone with an alternative mobile provider like Sprint or T-Mobile test this, too?

I would guess that voting with your feet would be the most effective response. While many think consumers don't care (or don't understand), we can see many vendors beginning to emphasize confidentiality features.


I'm not sure if I value my confidentiality more than the unlimited talk/data/text plan on which I'm grandfathered. It's a hard change to make, especially considering I no longer see the tracking data after I disabled it in my settings.


At least with that page I "did not receive X-UIDH header" on T-Mobile. Didn't check for headers with other names.


I'm on T-Mobile and using http://httpbin.org/headers I did not get any headers I would not expect from Chrome.


I just tested mine, but the situation is a bit complicated. My service is with T-mobile in the US, but I am currently connecting through Movistar Chile. The response from the website was:

> did not receive X-UIDH header.

So I presume I can say that Movistar Chile is not inserting that into the header. Not sure about T-Mobile (US) though.


If you are roaming and using the T-Mobile APN, then you're still going through the T-Mobile data infrastructure.

When you're in China and roaming on a foreign operator, you're not affected by the Great Firewall since you're data goes through the APN in your home country.


Okay, thanks for the clarification. I did just check and I have an American geolocated IP, consistent with what you said.


On my Verizon Moto X (Android), the header is not visible if I use the Chrome feature "Reduce data usage", but it is visible if I disable that feature or, ironically, use Incognito mode. This feature causes non-SSL, non-Incognito traffic to be proxied through Google's servers, using the SPDY protocol. Some info on how this works: https://developer.chrome.com/multidevice/data-compression


It seems that http://uidh.crud.net/ is not working right now (gives a 502). However the UIDH header can be seen here:

http://lessonslearned.org/sniff

Also http://verizon-uidh.tk/ gives a yes/no if you have the UIDH header (and shows you the header if you do)


Bummer, the iPad (LTE version) sends this tracking information and there is no way to turn it off.


setup a vpn with digitalocean like I do, it's about all we can do.


Well to be clear, on WiFi it does not send the tracking data, only when using the LTE network. That said the only SSL tunnel software I saw was Junos Pulse which is sitting on a ton of bad reviews at the moment because apparently it doesn't work with iOS 8. What VPN software do you use with your iPad?


I use OpenVPN Connect, it's a bit of a pain to set up, but it works well. https://itunes.apple.com/us/app/openvpn-connect/id590379981?...


iOS has support for some common VPN protocols built-in: http://support.apple.com/kb/HT1288


Seems similar to Apple's Spotlight phone-home thing: unsolicited extra data being sent, a somewhat buried disclosure that it's happening, people having difficulty getting their opt-out preference honored (possibly caused by several confusingly-similar options to disable.)

It does sound like Verizon's is more a case of simply not honoring the option, though, unless some commenters here have just not found the magic checkbox yet.


Hmm, confirmed on Verizon 4G LTE network.

Can anybody recommend a good VPN service that works on android?


If you use Chrome and enable Google's Data Compression Proxy, all http traffic is proxied via Google's servers and sent to them via spdy (which is encrypted), so Verizon can't tamper with the requests or see what they are:

https://developer.chrome.com/multidevice/data-compression


So you trade Verizon's tracking for Google's?


At the very least, it would only be Google that could track you, instead of every website you visit being able to read your Verizon-assigned ID.


What about DNS queries?


They're not http so would guess they don't go through the proxy.


Private internet access. Works great.


Private Internet Access is a favorite by many. You should check them out if you have a chance. They're supposedly very strong on android


PrivateInternetAccess.com is great, they also have a nice android app that will connect on your phones bootup


Bitmask: https://play.google.com/store/apps/details?id=se.leap.bitmas...

Zenmate: https://play.google.com/store/apps/details?id=com.zenmate.an...


I quite enjoy proxy.sh


zenmate


Apparently Verizon has two patents on the process:

http://www.faqs.org/patents/app/20130318346

http://www.google.com/patents/US20130318581


Excellent news, that means their competitors are safer to use?


It would make sense for Verizon to license the technology to other carriers.

1) The more widespread the technology is, the more advertisers will be aware of it and will seek it. This means more revenue for Verizon (bigger market for this product).

2) If all carriers do it, then people won't have an incentive to switch from Verizon.

3) Licensing fees.


Here's a scary thought: How do we know every ISP isn't doing this, it would be undetectable if they only injected these on certain domains e.g. facebook, google. However I don't see how much more tracking ability that would grant over IP tracking.


Doesn't examining/modifying data exempt you from the DMCA safe harbor protections?


VZW doesn't use SIMs except in some new 4G tech.


Um, how is this relevant?

IANAL, but the DMCA seems to protect you from liability only if you don't examine and modify traffic. If they're looking at the protocol to see if it's HTTP and therefore modifiable, they could look at the host to see if it's going to the pirate bay and block it. This means that when someone goes to the pirate bay on the Verizon Wireless network, Verizon is liable for their actions under the DMCA.

This is like YouTube reviewing videos before they're uploaded. If they were reviewing videos, they could catch copyright violations from the start and thus should.

There's probably legal trickery they could use to get out of it but it seems like a valid point.


Just confirmed that the UID follows the SIM, so even swapping phones won't save you.


Just checked my Verizon 4G LTE MiFi and the headers are not there, I've not done anything special to my account settings.

On ATT I see the X-Acr thing but not clear if it's UID like or not in nature, would need to see more of them.


I just checked my AT&T phone and I have an X-Acr header too.


Same, I've opted out here and I still get it:

http://www.att.com/gen/privacy-policy?pid=24339


Just checked my phone and I have "do not track" turned on and x-acr is tracking. Who/what is it? Why? How do I stop it?


Checked over data not WiFi


How're you checking?


Go to this page over a cellular connection. (Turn off your wifi) http://checkyourinfo.com/request Then look for a long number.


Checked my Wife's Verizon iPad on LTE and no UID header.


When I try to 'withdraw consent' for 'Verizon Selects Participation Status', I get this prompt http://imgur.com/sbVpMhR


That's because that program gives you rewards points specifically for sharing your private information [1].

[1] http://time.com/money/3025429/verizon-smart-rewards-loyalty-...


You can view all of your device's request headers at http://checkyourinfo.com/request


I just checked my AT&T iPhone and it includes a "X-Acr" HTTP header that has a long GUID? Is this a similar tracking ID?


Curious, I don't see this but if that's the same acronym used here it's a tracking ID:

http://www.gsma.com/oneapi/anonymous-customer-reference-beta...


As a prepaid account I don't have access to the privacy settings. I spent an 1:15 on the phone with Verizon with no luck (no one had any idea what I was talking about). This has huge potential to be abused. It won't take long for companies to link your real name to web traffic and know exactly everything you look at on your phone. Wait until the cable/DSL companies realize the untapped revenue potential.


VZW does all sorts of weird traffic management. They proxy everything and will throttle applications deemed to chatty as well.


This looks like a job for Tunnelbear VPN! https://www.tunnelbear.com/

I am huge fan since I starting using it when traveling Europe. The mobile version works great as well.


Whatever you do, do not uninstall TunnelBear!

http://i.imgur.com/1YQfGRN.png


TunnelBear probably has the best branding I've seen in the while, very well executed.


Tunnelbear VPN - Blowfish with HMAC-SHA1

https://www.tunnelbear.com/development/encryption/

Seems like a bit of an odd choice for a ciphersuite. I sure hope it's implemented well.


Tunnelbear does work great, except for the fact that it drains the battery in my phone like crazy. I use SSHTunnel to route all traffic through my private server.


I'm on Verizon and got "did not receive X-UIDH header" message from uidh.crud.net. Possibly because it says "1x" at the top of my phone and that means it's on another network?


Could be 4G only? Just did it from a 4G LTE tablet, got a big ol' X-UIDH string of what appears to be Base64.

Edit: Also, on a positive match, the page displays a link to an NBC News article on Verizon's CPNI (Customer Proprietary Network Information).

http://www.nbcnews.com/tech/security/why-you-should-check-yo...


I get the header injected on 3g.


As this requires reassembling the HTTP request to add the additional header, this probably introduces extra latency too.

Fortunately https is becoming more pervasive which bypasses this and any other transparent proxies.


The carriers are working to subvert this -- see the IETF draft for "HTTP/2.0 Explicit Trusted Proxy" or read this article: http://www.theregister.co.uk/2014/02/25/evil_or_benign_trust...


Kinda makes you wish the IETF had adopted all-TLS-all-the-time in HTTP/2.0.

We need HTTP/3.0 to be SSL all the time and nix the CAs so we can avoid MITM from VZ.


What about LTE modems on Verizon? I am testing them and was planning a fairly big rollout to replace some services that previously relied on Sat internet.


Yes, modems, access points, LTE tablets included. Consumer and Enterprise users (including me) are seeing it. Eg: https://twitter.com/innismir/status/525279100907560961


I assume there are similar opt-outs for AT&T, Sprint, T-Moblie, etc. Anyone maintain a page of links for how to access the opt-outs?


Interesting, I just tested my device over AT&T LTE, but there was no UIDH header.

Edit: There is an x-acr header, which contains a curiously large amount of encoded data, far too much to be any reasonably sized id. Anyone know what it is?


I see this as well. AT&T LTE with iPhone 5 (running 8.1).


Well, I found the AT&T page. Wow, they make this very difficult to opt-out. http://www.att.com/gen/privacy-policy?pid=24339


This is bullshit. You shouldn't have to "opt out" of tracking in the first fucking place.


https://www.verizonwireless.com/b2c/support/customer-agreeme...

"We collect personal information about you. We gather some information through our relationship with you, such as information about the quantity, technical configuration, type, destination and amount of your use of our telecommunications services. You can find out how we use, share and protect the information we collect about you in the Verizon Privacy Policy, available at verizon.com/privacy. By entering this Agreement, you consent to our data collection, use and sharing practices described in our Privacy Policy. We provide you with choices to limit, in certain circumstances, our use of the data we have about you. You can review these choices at verizon.com/privacy#limits. If there are additional specific advertising and marketing practices for which your consent is necessary, we will seek your consent (such as through the privacy–related notices you receive when you purchase or use products and services) before engaging in those practices. [..]

DISCLAIMER OF WARRANTIES

We make no representations or warranties, express or implied, including, to the extent permitted by applicable law, any implied warranty of merchantability or fitness for a particular purpose, about your Service, your wireless device, or any applications you access through your wireless device."

https://www.verizon.com/about/privacy/policy/

"We collect information about your use of our products, services and sites. Information such as call records, websites visited, wireless location, application and feature usage, network traffic data, product and device-specific information and identifiers, service options you choose, mobile and device numbers, video streaming and video packages and usage, movie rental and purchase data, FiOS TV viewership, and other similar information may be used for billing purposes, to deliver and maintain products and services, or to help you with service-related issues or questions. In addition, this information may be used for purposes such as providing you with information about product or service enhancements, determining your eligibility for new products and services, and marketing to you. This information may also be used to manage and protect our networks, services and users from fraudulent, abusive, or unlawful uses; and help us improve our services, research and develop new products, and offer promotions and other services.

[..]

When you register on our sites, we may assign an anonymous, unique identifier. This may allow select advertising entities to use information they have about your web browsing on a desktop computer to deliver marketing messages to mobile devices on our network. We do not share any information that identifies you personally outside of Verizon as part of this program. You have a choice about whether to participate, and you can you can visit our relevant mobile advertising page (link to www.vzw.com/myprivacy) to learn more or advise us of your choice.

Customer Proprietary Network Information (CPNI): [..] Verizon Wireline consumers and certain business customers may opt-out by calling 1-866-483-9700. Verizon Wireless consumer and certain business customers may call 1-800-333-9956. Other customers may decline to provide or withdraw CPNI consent by following the instructions in the Verizon notice seeking consent. For additional information, you can read examples of common consumer CPNI notices for Verizon Wireline and Verizon Wireless.

Please note that many opt-outs are cookie-based. If you buy a new computer, change web browsers or delete the cookies on your computer, you will need to opt-out again. Please also note that some wireless devices, portals and websites have limited ability to use and store cookies. As a result, advertising entities may have a limited ability to use cookies in the manner described above or to respect cookie-based opt out preferences. However, ads may still be tailored using other techniques such as publisher, device or browser-enabled targeting. You should check the privacy policies of the products, sites and services you use to learn more about any such techniques and your options. If you do not want information to be collected for marketing purposes from services such as the Verizon Wireless Mobile Internet services, you should not use those particular services."


It would be fine it they were really just following the "we collect information about you" part, but what they seem to be really doing here is more like "we send unique identifiers associated with you to every other site you visit."

In fact they even say:

We do not share any information that identifies you personally outside of Verizon as part of this program.


I believe Verizon is violating their customer agreement here. From the looks of it, the tracking header provides a way for websites not affiliated with Verizon to build profiles on users as they travel across the internet. Rogue tracking networks could be built on this.


Thank you for posting this, so the lawsuit-happy folks of HN will realize they, once again, have no legal leg to stand on.


And good riddance! Lawsuits from HN folks were really beginning to clog up our court system... /s


The identifier seems more pseudonymous than anonymous.

In fact, isn't "anonymous, unique identifier" an oxymoron?


> In fact, isn't "anonymous, unique identifier" a tautology?

I believe the word you are looking for is "oxymoron" which is the opposite of a tautology.


Where's the class-action lawsuit?


I'm on Verizon and got "did not receive X-UIDH header". 4G, droid ultra, FL


Useful to note that the UIDH changes every 7 days.


How is this UID different to an IP address?


It's stable across devices and sessions – if you have a cell phone and a tablet, the UID is the same and it won't change over time even as you move around their network.


In some sense having one ID instead of two unique IPs is better?


How do you opt out of CPNI?


The linked NBC News article explains you can do it through Verizon's customer account web interface, but the parent says that won't work.

..."regardless of whether or not you've opted out of their Customer Proprietary Network Information (CNPI) options."


Older article, but still works: http://www.nbcnews.com/tech/security/why-you-should-check-yo...


also seeing this despite CNPI settings. class-action time?


This as been known for a while and it's used by some advertisers...


The news is that it's ignoring the opt-out selections (including mine that I set a while ago).


Verizon Wireless tracking on its customers browsing habits, but why? http://www.techworm.net/2014/10/verizon-wireless-tracking-on...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: