Monday, March 7, 2016

A $1.35 million cookie: Verizon settles FCC's "Supercookie" probe

Early Monday morning, the FCC announced it had reached a settlement with Verizon over the wireless giant's practice of injecting a tracking header into websites browsed from a mobile device using Verizon's mobile data network.

On the surface, this seems a huge win for consumer privacy - but the reason why requires a bit of explanation, and the actual implications are a bit more nuanced.


The Federal Communications Commission is the US Federal agency charged with regulating communications by radio, television, wire, satellite, and cable. In late 2014, they began an investigation into complaints that Verizon failed to properly protect its customers' personal information. Specifically, the FCC was interested in a tracking value, unique to the device in use, that Verizon inserted into web pages.

When you browse the web, web servers reply with the content that you see on the screen. The servers also reply with "HTTP headers" - information that helps your browser and the server work together. Headers specify the website name (since more than one site may be hosted at the same IP address - think of how many blogs are hosted by Google's Blogger platform, for example); the preferred language; the type and version of the web browser; the types of content that are acceptable; and various other settings. These headers are typically handled in the background and never seen by the end user.

When browsing across Verizon's wireless data network, Verizon would add an additional header, a Unique Identification Header (or UIDH) containing a value unique to the device.

Advertising trackers are a controversial topic, the merits of which I will not go into here beyond saying that tracking enables websites and advertisers to show you things you might actually be interested in, while simultaneously enabling creepy apparent coincidences and invasions of privacy. The Electronic Frontier Foundation wrote a short summary of the privacy concerns in 2014.

Those strongly against tracking can do a number of things to limit its effectiveness. You can delete cookies. You can use different browsers, or use "Incognito" or "InPrivate" mode. You can even use a "virtual machine." But when the tracker is injected by your Internet provider, nothing you do on your device makes a difference: the unique header is there in the website traffic, available for anyone else to use.
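To make that point concrete, here is an added example (not part of the original post) that compares what a browser sent with what the server received across two sessions, one of them with cookies cleared, and reports any header that was inserted in transit and stayed the same. It assumes plaintext HTTP and the header name X-UIDH; the requests and the token value are constructed samples.

```python
def parse_headers(raw: bytes) -> dict:
    """Return {lowercased-name: value} from a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def injected(sent: bytes, received: bytes) -> dict:
    """Headers the server received that the client never sent."""
    client, server = parse_headers(sent), parse_headers(received)
    return {k: v for k, v in server.items() if k not in client}


def persistent_injected(sessions) -> dict:
    """Injected headers whose value is identical in every session."""
    per_session = [injected(sent, received) for sent, received in sessions]
    common = set.intersection(*(set(d) for d in per_session))
    return {k: per_session[0][k] for k in common
            if all(d[k] == per_session[0][k] for d in per_session)}


# Constructed sample traffic. TOKEN is a made-up placeholder, not a real UIDH.
TOKEN = "EXAMPLE-DEVICE-TOKEN-0001"


def request(cookie=None, uidh=None) -> bytes:
    """Build a constructed request; uidh is set only on the server-side view."""
    lines = ["GET / HTTP/1.1", "Host: example.com", "Accept-Language: en-US"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    if uidh:
        lines.append(f"X-UIDH: {uidh}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


# Each pair is (as sent by the browser, as received by the server).
# Session 1: normal browsing. Session 2: cookies cleared / private mode.
SESSIONS = [
    (request(cookie="sid=abc123"), request(cookie="sid=abc123", uidh=TOKEN)),
    (request(),                    request(uidh=TOKEN)),
]

if __name__ == "__main__":
    print(persistent_injected(SESSIONS))
```

The cookie disappears in the second session, but the injected header survives with the same value, which is what makes it usable as an identifier.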

When a unique tracking value is injected by the Internet provider, without the consumer being aware, and with no way to choose not to be tracked, the FCC becomes very interested.

Verizon's Settlement

The settlement consent decree (pdf) published by the FCC states that while Verizon began using UIDH trackers in 2012, it did not disclose the practice until October 2014. It was another 6 months before the company provided a way to opt out of the headers (by selecting to not participate in "Relevant Mobile Advertising"). Even so, unless one intentionally elected not to participate, by default Verizon continued to add the UIDH tracking value.

On Monday the FCC ordered Verizon to pay a fine of $1,350,000 USD, and to "obtain customer opt-in consent prior to sharing a customer's UIDH with a third party to deliver targeted advertising."

The language used here is a bit less forceful than I would have preferred. While I am not a lawyer, the language suggests to me that Verizon can still insert the tracking headers without consumer consent, but must obtain customer opt-in consent before sharing that UIDH with any advertising partner. The kicker is, if the UIDH is inserted into the webpage, then any other code in the same website (including advertising code) could have access to the header and use it for tracking purposes.

Naturally though, there are at least two sides to every question. After tweeting the above, Nate Cardozo - Staff Attorney for the Electronic Frontier Foundation - replied with a different interpretation.

Bottom line? Well, that remains to be seen. With all due respect to Mr. Cardozo, even if Verizon limits the UIDH to Verizon-owned IP blocks, the tracking value can conceivably still be used to uniquely identify the customer. Still, it's at least a small win for consumer privacy.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.