Over the past couple of days, there’s been an outpouring of concern about Verizon’s advertising practices. Verizon Wireless is injecting a unique identifier into web requests, as data transits the network. On my phone, for example, here’s the extra HTTP header.[1]
After poring over Verizon’s related patents and marketing materials, here’s my rough understanding of how the header works.
In short, Verizon is packaging and selling subscriber information, acting as a data broker on real-time advertising exchanges. Questionable. By default, the information appears to consist of demographic and geographic segments.[2] If a user has opted into “Verizon Selects,” then Verizon also shares behavioral profiles built by deep packet inspection.
Whatever the merits of Verizon’s new business model, the technical design has two substantial shortcomings. First, the X-UIDH header functions as a temporary supercookie.[3] Any website can easily track a user, regardless of cookie blocking and other privacy protections.[4] No relationship with Verizon is required.
Second, while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header.[5] All they do, seemingly, is prevent Verizon from selling information about a user.
Much better designs are possible. Verizon doesn’t need to supercookie its wireless subscribers to sell their advertising segments.[6] And it certainly doesn’t need to send a supercookie if a user isn’t participating.
The diagram above includes phone, server, cloud, and cash assets from The Noun Project. Thanks to the participants in Princeton’s Web Tracking and Transparency Workshop, who provided valuable feedback.
1. In my (very limited) testing, the header was injected into every HTTP request from my iPhone 6 Plus. Some subscribers have reported not seeing the header, or only seeing the header with certain requests.
2. Verizon’s case studies also suggest the system can be used for advertising attribution.
3. According to a comment on Hacker News, the X-UIDH value changes each week. I can’t (yet) confirm that. Over the past two days, anyway, the X-UIDH value for my phone has been static.
4. HTTP blocking, like Adblock Plus or Privacy Badger, would still be effective.
5. If I understand correctly, the demographic and geographic advertising segments are opt out, associated with Verizon’s CPNI privacy preference. Behavioral segments are opt in, associated with the “Verizon Selects” preference (formerly “Relevant Mobile Advertising”).
6. For example, Verizon could send an encrypted ID and nonce with each request. A recipient website would not be able to use the values to track a user.
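Footnote 6's alternative, sketched as an added example (not code from the original post or from Verizon): the carrier encrypts the subscriber ID under a fresh nonce for each request, so only a key holder can recover it and every other website sees a different value each time. The key, the subscriber ID, the function names, and the HMAC-SHA256 construction (a standard-library stand-in for an AEAD cipher such as AES-GCM) are all assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 16


def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()


def seal(key, subscriber_id):
    """Carrier side: encrypt the ID under a fresh random nonce per request."""
    if len(subscriber_id) > 32:
        raise ValueError("ID exceeds one HMAC-SHA256 keystream block")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(subscriber_id, _prf(key, b"enc", nonce)))
    tag = _prf(key, b"mac", nonce + ct)[:TAG_LEN]
    return (nonce + ct + tag).hex()


def unseal(key, header):
    """Key holder side: return the subscriber ID, or None if the value is invalid."""
    try:
        raw = bytes.fromhex(header)
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)[:TAG_LEN]):
        return None
    return bytes(a ^ b for a, b in zip(ct, _prf(key, b"enc", nonce)))


def distinct_values(headers):
    """What any website on the path can do: count distinct header values seen."""
    return len(set(headers))


if __name__ == "__main__":
    key = secrets.token_bytes(32)              # constructed key, held by the carrier
    sub = b"subscriber-0001"                   # constructed subscriber ID
    static = ["constructed-static-uidh"] * 5   # same value on every request
    sealed = [seal(key, sub) for _ in range(5)]
    print("static header, distinct values:", distinct_values(static))
    print("sealed header, distinct values:", distinct_values(sealed))
    print("key holder recovers:", unseal(key, sealed[0]))
```

Subscriber IDs should be a fixed length in a scheme like this, since the ciphertext length otherwise reveals the ID length.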