Soft Cloud Tech – Last year, it was discovered that Verizon and AT&T had been quietly altering their customers’ web traffic to include a permanent, undeletable ‘supercookie’ allowing advertisers to assemble detailed profiles of users’ browsing habits. Amid immense public pressure, AT&T dropped the program altogether—and this month, Verizon finally released a mechanism for ‘opting out.’ But what is a ‘supercookie,’ and how does it work? We’ll break the technology down in simple terms, and try to understand Verizon’s motivations for using it, so you can make an informed decision about how your data is used.
What is a cookie?
“HTTP,” or Hypertext Transfer Protocol, is a standardized set of rules designed to allow web browsers and web servers to communicate with each other. When you type a URL into your address bar, the browser connects to a domain name server, a sort of ‘phone book’ that directs the browser to the appropriate web server. The browser sends the web server a request for the desired page—the server interprets the request, and if the page exists, it returns the page (otherwise, it returns an “HTTP 404 Error,” meaning ‘Page Not Found’). The browser then parses back through the page, looking for other elements it needs to complete the page, like images and plug-ins—for each element, a new HTTP request is made, and a new connection is established between the browser and the server.
Every HTTP request and response contains a series of ‘headers,’ lines of code containing basic information about the browser, the requested page, the server, and so on. They can also contain other kinds of information, like the referring page or ‘cookie’ data. Cookies are packets of data stored in the browser’s ‘cache,’ so that the browser doesn’t have to make multiple requests to the server for information it will require continuously (e.g., the fact that a user is ‘logged in,’ or the items in a shopping cart). Cookies are set by the HTTP response delivered by the server: a header instructs the browser to save the cookie and send it back each time there is a request to the server in the future. Generally speaking, there are two types of cookies: a ‘session’ cookie is stored temporarily as you’re browsing a site and is deleted when you leave the site, and a ‘persistent’ cookie remains stored in your browser for a fixed period of time and is activated each time you re-visit the website that created it. Most browsers have built-in privacy mechanisms for handling cookies; a cookie belongs to the website that created it, and isn’t shared with other websites. Verizon’s ‘supercookie’ is a small part of a much larger trend in web development: continuously tracking your browsing activity across the entire Internet in order to more effectively deliver advertisements.
The so-called ‘supercookie’ is an HTTP header called “X-UIDH” (for ‘unique identifier header’). Unlike a standard cookie, this header is tied not to a specific website, but to the user’s data plan—every connection made on Verizon’s network is injected with a unique identifier that tracks the specific cellular device, so Verizon can build a profile of that user’s browsing habits. If a Verizon subscriber visits a retailer’s website, the retailer can log the activity and Verizon’s “PrecisionID” technology will allow the retailer to deliver targeted advertisements to the same user based on their browsing behavior. Verizon’s dedicated ad technology branch, “Precision Market Insights,” released this graphic explaining how the system works:
If we strip the graphic of marketing jargon: the device sends an HTTP request, which is injected with an identifying header; the destination website receives the HTTP request, and relays the request to an advertising exchange, a ‘middle man’ platform that allows advertisers to bid on ad space. In Step #4, “Precision is the key,” advertisers on the exchange can pay a small fee to issue an API call to Verizon—then, Verizon returns demographic and geographic marketing information, or, if a user has opted into “Verizon Selects,” a detailed behavioral profile based on browsing and location history. The key issue with this graphic is at step #5: Verizon claims to deliver advertising segments “without sharing the identity of the user,” because its header value is generated as a ‘salted hash.’ Simply put, a hash algorithm is a function that turns some data into an obscure “fingerprint” that cannot be reversed—this way, even if the data itself is stolen, the useful information itself (e.g. a password) is still secure.
The most straightforward way of cracking a hash is to guess the obfuscated information, apply the hashing function to the guess, and check if the guess’s hash equals the hash being cracked. A ‘dictionary attack’ uses a ‘dictionary’ of likely guesses, each of which is hashed and compared to the database being cracked; a ‘brute force’ attack attempts every single possible combination of characters up to a certain length—an inefficient method, but it will always eventually find the correct answer. A ‘lookup table’ pre-computes the hashes of the guesses in a dictionary and stores them, enabling an attacker to process hundreds of guesses per second—these are effective because each piece of data is typically obscured using the exact same hash function.
‘Salt’ is a string of random data that is appended to the information, further obscuring it before it is hashed. By ‘salting’ (randomizing) the hashes, an attacker’s lookup tables become less effective—they cannot know in advance what the salt will be, so they cannot pre-compute the hashes of their guesses. In the case of Verizon’s ‘supercookies,’ it is questionable whether this is an effective method for securing users’ personally-identifiable information. The ‘unique identifier’ is hashed and its value is periodically changed, a Verizon spokesperson explained, “to prevent third parties from building profiles against it.” However, Verizon’s patent suggests the header value is generated by hashing each user’s phone number—because phone numbers can be easily deduced from hashes, the EFF noted, “sending those hashes to untrusted web sites is practically equivalent to giving them your phone number.” On top of this, as the Electronic Frontier Foundation observed, Verizon’s advertising clients can very easily use their own cookies to track each time the ‘supercookie’ value changes.
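The point about salting and phone numbers can be seen in a short added example, which is not from the original article or from Verizon: a salt defeats a table computed in advance, but an input drawn from a small space can simply be searched again once the salt is known, whereas an identifier keyed with a secret cannot. SHA-256, the salt placement, the salt and key values, and the fictional 555-01xx number are all assumptions made for illustration; the article does not describe Verizon's actual scheme.

```python
import hashlib
import hmac

def salted_hash(value: str, salt: str = "") -> str:
    """SHA-256 of the value with the salt appended (scheme assumed for illustration)."""
    return hashlib.sha256((value + salt).encode()).hexdigest()

def keyed_id(value: str, key: bytes) -> str:
    """HMAC-SHA-256: the identifier depends on a key the recipient never sees."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def exchange_numbers(area: str, exchange: str):
    """All 10,000 line numbers in one area code and exchange."""
    return (f"{area}{exchange}{line:04d}" for line in range(10_000))

def lookup_table(candidates, salt: str = "") -> dict:
    """Precomputed hash -> input map, the 'lookup table' from the text."""
    return {salted_hash(c, salt): c for c in candidates}

def search(target: str, candidates, hash_fn):
    """Hash every candidate and return the one matching target, else None."""
    return next((c for c in candidates if hash_fn(c) == target), None)

# Constructed sample values; 555-01xx numbers are reserved for fiction.
NUMBER = "2125550142"
SALT = "constructed-salt"          # assumed known to whoever receives the hash
KEY = b"constructed-secret-key"    # assumed held only by the issuer

def demo() -> dict:
    space = lambda: exchange_numbers("212", "555")
    observed = salted_hash(NUMBER, SALT)
    return {
        # Unsalted hash: a table built in advance answers immediately.
        "unsalted_table": lookup_table(space()).get(salted_hash(NUMBER)),
        # Salted hash: the same precomputed table no longer matches...
        "salted_vs_old_table": lookup_table(space()).get(observed),
        # ...but with so few possible inputs, redoing the search is cheap.
        "salted_search": search(observed, space(), lambda c: salted_hash(c, SALT)),
        # Keyed identifier: without KEY the same search finds nothing.
        "keyed_search": search(keyed_id(NUMBER, KEY), space(),
                               lambda c: salted_hash(c, SALT)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} -> {result}")
```

The search here covers one exchange of 10,000 numbers; a full ten-digit number space has 10^10 candidates, which is still small compared with the space a hash is meant to protect.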
Verizon has more than 100 million subscribers in the U.S., and in 2012 it spent $2.38 billion on advertising—making it the fifth-largest American advertiser. Verizon recently entered the mobile ad market because of its unique ability to overcome ‘technical limitations’ to storing cookies on phones and tablets. The X-UIDH header bypasses nearly all standard, built-in privacy mechanisms in mobile browsers: it’s not a typical ‘cookie,’ so it isn’t blocked by ‘Incognito’ or ‘Private Browsing’ modes, and it doesn’t get picked up by applications like Ghostery; Verizon is part of a group of corporations that actively oppose ‘Do Not Track’ protocols, so the supercookie is not affected by these settings; and even if you have opted out of targeted advertisements in your Android or iOS system settings, an HTTP request made by any of your mobile apps (Facebook, Instagram, etc.) will still be injected with Verizon’s header.
Even if you’re not a Verizon customer, your wireless carrier may have a leasing agreement that allows it to use Verizon’s cell towers; customers of Straight Talk, for example, also have the X-UIDH header injected into their communications. MoPub, an advertising company owned by Twitter, has already begun using Verizon’s supercookies to auction off targeted mobile ads; soon, they will be used in combination with location data to track attendees at stadiums and music venues. Incidentally, the NSA uses the same type of identifying ‘metadata’ to continuously monitor individuals’ web browsing activity—wrote EFF’s Jacob Hoffman-Andrews, “Having all Verizon mobile users’ web traffic marked with a persistent, unique identifier makes it trivial for anyone passively eavesdropping on the Internet to associate that traffic with the individual user.” According to advertising industry site Advertising Age, “corporate and government subscribers are excluded” from the X-UIDH injection—a deeply troubling double standard that shows that the company values some users’ privacy more highly than others.
To test whether the X-UIDH header is being injected into your web traffic, visit lessonslearned.org/sniff or amibeingtracked.com while over your cellular connection. To disable the tracker, sign in to your MyVerizon account and opt-out of the program called “Relevant Mobile Advertising” (note that this option won’t appear if you have ad-blocking software turned on). If the page isn’t working, you can call Verizon to request to opt-out at 1-866-211-0874. While you’re at it, you might consider opting-out of sharing app usage data with advertisers—there’s a quick guide over at Lifehacker. It goes without saying that these kinds of intrusive tracking methods should be fully “opt-in,” but at least users have the option of disabling them for now.
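What a test page of this kind checks on the server side, as an added example that is not the code of either site named above: it reads the request headers exactly as they arrived and reports whether an X-UIDH header is present, regardless of whether the browser sent any cookie. The two raw requests are constructed, the header value is a placeholder, and the host name and port are assumptions.

```python
import io
import json
from http.client import parse_headers
from http.server import BaseHTTPRequestHandler, HTTPServer

TRACKING_HEADER = "X-UIDH"   # header name from the article

def check_headers(headers) -> dict:
    """Report what the server sees; header lookup is case-insensitive."""
    values = headers.get_all(TRACKING_HEADER) or []
    return {
        "injected": bool(values),
        "values": values,
        "browser_sent_cookie": headers.get("Cookie") is not None,
    }

def check_raw_request(raw: bytes) -> dict:
    """Parse a raw HTTP/1.1 request as received and check its headers."""
    fp = io.BytesIO(raw)
    fp.readline()                      # skip the request line
    return check_headers(parse_headers(fp))

class Sniff(BaseHTTPRequestHandler):
    """Echo the check result as JSON to whoever requests any path."""
    def do_GET(self):
        body = json.dumps(check_headers(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

# Constructed requests: the same private-browsing client (no Cookie header),
# once as the browser sent it and once as it would arrive after injection.
AS_SENT = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"
AS_RECEIVED = (b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n"
               b"x-uidh: PLACEHOLDER-VALUE\r\n\r\n")

if __name__ == "__main__":
    print(check_raw_request(AS_SENT))
    print(check_raw_request(AS_RECEIVED))
    # Plain-HTTP listener; the port is an assumption.
    HTTPServer(("127.0.0.1", 8080), Sniff).serve_forever()
```

To check a real connection, the listener has to run on a host the phone can reach over the cellular network rather than on the loopback address used here.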