It's one thing for your ISP to be collecting information about you; it's totally another thing for your ISP to be silently modifying your data by adding a tracking header <i>and sending it to all other sites you visit</i>.<p>Modifying application-level data is something an ISP should never do. What if I happened to be using the exact same header name for some other purpose for a web app API? This should be considered illegal tampering with the content of communications.<p>The "encrypt everything" proponents are missing the point: yes, encryption (and steganography) can be used to bypass this easily, but I don't want to have to explicitly defend against my ISP modifying my data.
Notably: the exact same device ID (X-UIDH) is injected into HTTP requests from different browsers/apps, or browser tabs in 'privacy' or 'incognito' mode. Also, if you're using 'personal hotspot', any HTTP traffic from a connected desktop/laptop sharing the mobile data service also gets the header.<p>So VerizonWireless is allowing third-party sites to correlate all HTTP traffic from one device to a single identity, even if you've taken explicit steps (like 'incognito' mode) to try to thwart this, and even if the mobile OS has compartmentalized apps away from seeing each other's identity data/cookies.<p>Only HTTPS and VPN traffic is immune, and as far as I've been able to find out, there is no way to opt out. (None of the VerizonWireless privacy settings stop the header from being injected.)
They need to be publicly attacked for doing this. Only massive embarrassment will change the behavior. Maybe get some politicians involved if there are any they haven't bought yet.
I haven't seen it mentioned anywhere, but this can't work over HTTPS. The message is fully encrypted end-to-end and Verizon Wireless can't do anything to alter the content without destroying the whole message.<p>Seems like a few people know this, lots of talk about SSL & TLS, but I don't think anybody has mentioned it explicitly.
Oh, oh, I know, this is the moment where smart people on here tell us that more regulation by the FCC would be a <i>bad thing</i>!<p>Because you know, a telecommunications provider that <i>manipulates the content of your telecommunication</i> is just screaming out for being an overregulated area of business.
Anyone know if...<p>A. It is possible to request your "advertising profile" from them.<p>B. Can a customer request that gathered information on them be destroyed?<p>C. If you opted out today (like me), does that mean that they stop collecting information and continue to sell "your device's" ad profile? Or do they also stop selling your info?<p>(Sending these to Verizon. I'll post if I get answers.)
Is this even legal? I mean, are ISPs, or telecoms in general, allowed to identify the requester without their permission? But I imagine it will not work on encrypted connections. SSL FTW?!
I haven't had the opportunity to tinker with this, but what if the client sends an X-UIDH: header of its own? Will VZW overwrite the header, or will it pass it through? If it doesn't clobber it, there's a browser plugin waiting to be written.
So, I suppose this means that ads that Verizon customers see are potentially targeted by their home address, age, gender, and call/texting patterns.<p>Holy shit, if I was a customer that would be ending today, even if I was in a contract, I'd say they pretty clearly are in breach of contract over my privacy expectations, by sharing who I am with every website I visit.
Using the SOPA visibility strategy could be effective. If enough popular sites redirected requests that had an X-UIDH to an informational page about the privacy intrusion, people might care (if only for the extra click it's causing them).
The largest network in the UK, O2 (and therefore Three and Tesco), was sending your mobile number as an HTTP header to every site you visited [1]. Didn't last long.<p>ISPs have also tried this in the past - I remember a few in the UK trying to set up an ad-injection model, but can't seem to find them now, other than NebuAd [2].<p>[1] <a href="http://www.theregister.co.uk/2012/01/25/o2_hands_out_phone_numbers_to_websites/" rel="nofollow">http://www.theregister.co.uk/2012/01/25/o2_hands_out_phone_n...</a><p>[2] <a href="http://en.wikipedia.org/wiki/NebuAd" rel="nofollow">http://en.wikipedia.org/wiki/NebuAd</a>
Doesn't/didn't AT&T also add a header of their own?<p><a href="http://blog.jgc.org/2012/02/mobile-subscriber-leakage-in-http.html" rel="nofollow">http://blog.jgc.org/2012/02/mobile-subscriber-leakage-in-htt...</a><p><a href="http://developerboards.att.lithium.com/t5/Technical-Questions-Discussion/X-Up-Subno-uniqueness/td-p/23475" rel="nofollow">http://developerboards.att.lithium.com/t5/Technical-Question...</a>
I happen to be in the process of patenting an opt-in system for authenticating and recording requests from users. One of my design goals was to prevent anyone from piggybacking on the scheme to track the users across multiple requests.<p>It occurs to me that if I'd been suffering from a less overdeveloped sense of decency, I could've filed sooner with something like this and hit Verizon with a lawsuit.
I work in mobile advertising (not in the US), and my company is partnered with a mobile carrier that does something similar, although the "header enrichment" as it's called is only enabled on specific domains (i.e. requests to our ad server API). I feel that it's unlikely these headers are being set on <i>all</i> web requests. Has anybody verified this claim?
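Added example, not code from the thread or from Verizon: a Python sketch of two things raised above. `classify_uidh` answers the question of whether a client-supplied X-UIDH is passed through, clobbered or stripped (and whether it is present at all, for anyone wanting to verify the "all requests" claim), and `uidh_redirect_app` is the "SOPA visibility" idea as a tiny WSGI app that sends header-carrying requests to an informational page. The info-page path and the sample header value are constructed.

```python
# Added example: classify the X-UIDH header a site sees, and a minimal WSGI app
# that redirects requests carrying it to an informational page (not Verizon code).
from urllib.parse import urlencode

TRACKING_HEADER = "X-UIDH"  # the Verizon header discussed in the thread

def classify_uidh(received_headers, client_sent=None):
    """Compare what the server received with what the client says it sent.

    Returns 'absent', 'stripped', 'injected', 'passthrough' or 'clobbered'.
    """
    # Header names are case-insensitive (RFC 7230), so normalise before lookup.
    lowered = {k.lower(): v for k, v in received_headers.items()}
    seen = lowered.get(TRACKING_HEADER.lower())
    if seen is None:
        return "stripped" if client_sent is not None else "absent"  # HTTPS/VPN case
    if client_sent is None:
        return "injected"      # client never set it; a middlebox added it
    if seen == client_sent:
        return "passthrough"   # carrier left the client's own value alone
    return "clobbered"         # carrier overwrote the client's value

def uidh_redirect_app(environ, start_response, info_url="/why-is-my-isp-tracking-me"):
    """WSGI app: requests carrying the header get a 302 to the info page.

    WSGI exposes request headers as HTTP_<NAME>, so it arrives as HTTP_X_UIDH.
    The info page itself is exempt so the redirect cannot loop.
    """
    wsgi_key = "HTTP_" + TRACKING_HEADER.upper().replace("-", "_")
    if wsgi_key in environ and environ.get("PATH_INFO") != info_url:
        # Carry the original path so the info page can link back to it.
        location = info_url + "?" + urlencode({"next": environ.get("PATH_INFO", "/")})
        start_response("302 Found", [("Location", location)])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def call_app(environ):
    """Invoke the WSGI app in-process; returns (status, headers_dict, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(uidh_redirect_app(environ, start_response))
    return captured["status"], captured["headers"], body

if __name__ == "__main__":
    # Constructed request: carrier-injected header on a plain-HTTP page fetch.
    env = {"PATH_INFO": "/news", "HTTP_X_UIDH": "EXAMPLE-UIDH-VALUE"}
    print(call_app(env)[0], classify_uidh({"X-UIDH": "EXAMPLE-UIDH-VALUE"}))
```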
At work I was trying to set up VPN access on a few busses we have. We tried using a Verizon device but couldn't because Verizon puts you behind their NAT. It costs $500 to get out from behind it. I guess this is why.
This is actually really good, because if advertisers have a Verizon API to query the cookies for demographic information, in theory intelligence agencies could have an API to query a cookie to see if the device belongs to a U.S. person and stop incidental collection of that stream. Which is what they would do, right?<p>Oh wait, a bad guy could steal your phone. Guess we'd better collect it all. Hey, I guess we could use that cookie for something...
Shouldn't Chrome and Safari simply block this behavior? Google, for instance, is now presented with a rare situation: users' privacy and their own business concerns are aligned (since audience segmenting is a core product of the Google Display Network).
Interesting - my cookie, collected the day this broke, has the same prefix as the author: "981596494\x00"<p>I'm now getting a different cookie (same physical location) that starts with: "379689122\x00"
Bandwidth costs money, correct? I wonder if for someone with zillions of small HTTP requests (Google, Twitter, Facebook, etc) these costs might be recoverable somehow.