Turn, an advertising technology company, is using a tracking number employed by Verizon to resurrect users’ dead cookies and share them with ad companies, which is undermining users’ privacy.
Verizon’s tracking number is better known as a Unique Identity Header (UIDH), which transmits user information, such as device make and screen size, whenever the user makes Internet web requests across Verizon’s wireless network.
“It’s important to note that the UIDH is a temporary, anonymous identifier included with unencrypted web traffic,” Verizon comments on its use of the tracking numbers. “We change the UIDH on a regular basis to protect the privacy of our customers. We do not use the UIDH to collect web-browsing information, and it does not broadcast individuals’ web browsing activity out to advertisers or others.”
Verizon does not allow users to opt-out of the use of the UIDH. As it is injected in web requests at the network layer, it ignores things like Private Browsing, Incognito Mode, and Do Not Track. Disabling third-party cookies also does nothing to prevent the transmission of the UIDH.
This has many privacy advocates concerned.
Jacob Hoffman-Andrews, a technologist with the Electronic Frontier Foundation, notes that by sending each user’s UIDH to every website they visit, Verizon is helping companies to track people’s online activities with or without their consent.
Indeed, according to the research of Jonathan Mayer, a computer scientist and lawyer at Stanford, Turn has been exploiting Verizon’s use of the UIDH in order to respawn tracking cookies previously deleted by users. The company has since sent these “perma-cookies” to over 30 companies, including Google, Yahoo, and Walmart, all of which can track users’ online activities and create targeted ads.
Verizon has been using its UIDH since 2014. Last year, Verizon and AT&T users began noticing that their respective carriers were inserting a tracking number into all of the traffic that was sent from their phones. AT&T has since stopped using the tracking numbers, but Verizon has not.