So you are wondering why the Ads you are seeing on your mobile device are starting to show you items that might want for Christmas, but that you haven’t been searching for. Well maybe your wife or someone in your family has been looking for those items on another mobile device on the same plan, how you may ask. Well it gets down into the dirty little secrets of tracking cookies or in this case, Perma-Cookies, or as I like calling them Super-Cookies hidden in the HTTP headers, which can make them even more devious.
Most of us know about cookie being used to track what websites or searches you have been performing in order to give us web based ads on top or off to the side of your web browsers. This has been going on for a long time and has become a norm for most search engines and others that make their living off of advertising. Well these Perma/Super cookies take that to the next level on Verizon Wireless mobile devices, basically creating a cookie that can be used across devices assigned to the same account, so the searches of your kids, wife or anyone on your plan, all of sudden become available to direct ads to everyone.
So how does this happen, you ask, well it’s due to this cookie like tracker, which is included in the HTTP header (X-UIDH). Now this only works for non SSL or unencrypted sites that you visit and allows 3rd Party advertisers to put together a pretty good portfolio of all the sites that your family visits. Now I’m not the type of person to spend the hours or days going through the end-user agreements to see if this is mentioned or if they are just doing it without any informed consent or not. There is a much more detailed write up on this issue on the Electronic Frontier Foundation (EFF) site (https://www.eff.org/deeplinks/2014/11/verizon-x-uidh), if you want to find out more.
Browsers have listened to users and for normal cookies do have some settings that can prevent normal cookies from working, but since this tracking occurs on a value that is part of the HTTP header, these settings have little to no effect at all. And since this is done in the header, it can also track the web activities of Apps installed on the devices. Verizon also chose to disregard the “Do Not Track” setting that is available in most browsers. Additionally, this is not limited to Verizon users and devices, since this tracking happens at the network level, anyone using the Verizon towers are subject to this tracking.
So what can you do? First like I said, this only works on HTTP traffic, so only use sites that are SSL enabled, but who knows when that might change and it still leaves you open to privacy issues on sites that don’t support SSL. Encrypted proxies, VPNs and TOR are options to provide much better protection in this case. In the case of proxies, this won’t protect applications installed on your devices. Lastly, in the world of highly competitive wireless providers, if this works for Verizon, you can imagine that it won’t be long until other providers start doing something similar.