AT&T Hotspots: Now with Advertising Injection

While traveling through Dulles Airport last week, I noticed an Internet oddity. The nearby AT&T hotspot was fairly fast—that was a pleasant surprise.

But the web had sprouted ads. Lots of them, in places they didn’t belong.

Last I checked, Stanford doesn’t hawk fashion accessories or telecom service. And it definitely doesn’t run obnoxious ads that compel you to wait.

The Efficacy of Google’s Privacy Extension

Over four years ago, Google launched a Chrome privacy extension. Keep My Opt-Outs arrived with a media splash, and it presently has over 400,000 users worldwide.

It’s a top result on the Chrome Web Store, and it’s even endorsed by a faux celebrity.

Unfortunately, the Keep My Opt-Outs extension isn’t nearly as effective as Google claims. It hasn’t been updated for years, resulting in only half of the promised coverage. Keep My Opt-Outs also doesn’t work in Chrome’s private browsing mode, despite the user’s explicit permission.

If you’re currently running Keep My Opt-Outs, I’d encourage switching to Disconnect or Privacy Badger. Adblock, Adblock Plus, and Ghostery are also excellent privacy tools, when configured properly.

In this post, I’ll explain why Google emphasized the Keep My Opt-Outs extension, how the code works, and what went awry.

The Turn-Verizon Zombie Cookie

Verizon Wireless injects a unique header into customer web traffic. When the practice came to light last year, it was widely panned. Numerous security researchers pointed out that this “supercookie” could trivially be used to track mobile subscribers, even if they had opted out, cleared their cookies, or entered private browsing mode. But Verizon persisted, emphasizing that its own business model did not use the header for tracking.

Out of curiosity, I went looking for a company that was taking advantage of the Verizon header to track consumers. I found one—Turn, a headline Verizon advertising partner. They’re “bringing sexy back to measurement.”


How Verizon’s Advertising Header Works

Over the past couple of days, there’s been an outpouring of concern about Verizon’s advertising practices. Verizon Wireless is injecting a unique identifier into web requests, as data transits the network. On my phone, for example, here’s the extra HTTP header.


After poring over Verizon’s related patents and marketing materials, here’s my rough understanding of how the header works.

Mobile Phone Unlocking, Now Less Illegal?

On Friday, President Obama signed a mobile phone unlocking bill into law. Some observers have taken to describing S. 517, the Unlocking Consumer Choice and Wireless Competition Act, as a permission slip for consumers. Here’s a sample:

The New York Times: “you will no longer be breaking the law if you unlock your cellphone”
The Los Angeles Times: “makes it legal once again for consumers to unlock their cellphones”
CNET: “makes unlocking a cell phone legal again”

Those explanations aren’t quite accurate. The new law (temporarily) shields consumers from the Digital Millennium Copyright Act. It is, by design, a narrow fix; it expressly leaves other sources of legal liability untouched. …