Monday, March 7, 2016

A $1.35 million cookie: Verizon settles FCC's "Supercookie" probe

Early Monday morning, the FCC announced it had reached a settlement with Verizon over the wireless giant's practice of injecting a tracking header into websites browsed from a mobile device using Verizon's mobile data network.



On the surface, this seems a huge win for consumer privacy - but the reason why requires a bit of explanation, and the actual implications are a bit more nuanced.


Background


The Federal Communications Commission is the US Federal agency charged with regulating communications by radio, television, wire, satellite, and cable. In late 2014, they began an investigation into complaints that Verizon failed to properly protect its customer's personal information. Specifically, the FCC was interested in a tracking value, unique to the device in use, that Verizon inserted into web pages.

When you browse the web, web servers reply with the content that you see on the screen. The servers also reply with "HTTP headers" - information that helps your browser and the server work together. Headers specify the website name (since more than one site may be hosted at the same IP address - think of how many blogs are hosted by Google's Blogger platform, for example); the preferred language; the type and version of the web browser; the types of content that are acceptable; and various other settings. These headers are typically handled in the background and never seen by the end user.

When browsing across Verizon's wireless data network, Verizon would add an additional header, a Unique Identification Header (or UIDH) containing a value unique to the device.

Advertising trackers are a controversial topic, the merits of which I will not go into here beyond saying that tracking enable websites and advertisers to show you things you might actually be interested in, while simultaneously enabling creepy apparent coincidences and invasions of privacy. The Electronic Frontier Foundation wrote a short summary of the privacy concerns in 2014.

Those strongly against tracking can do a number of things to limit its effectiveness. You can delete cookies. You can use different browsers, or use "Incognito" or "InPrivate" mode. You can even use a "virtual machine." But when the tracker is injected by your Internet provider, nothing you do on your device makes a difference: the unique header is there in the website traffic, available for anyone else to use.

When a unique tracking value is injected by the Internet provider, without the consumer being aware, and with no way to choose not to be tracked, the FCC becomes very interested.


Verizon's Settlement


The settlement consent decree(pdf) published by the FCC states that while Verizon began using UIDH trackers in 2012, it did not disclose the practice until October 2014. It was another 6 months before the company provided a way to opt out of the headers (my selecting to not participate in "Relevant Mobile Advertising"). Even so, unless one intentionally elected not to participate, by default Verizon continued to add the UIDH tracking value.

On Monday the FCC ordered Verizon to pay a fine of $1,350,000 USD, and to "obtain customer opt-in consent prior to sharing a customer's UIDH with a third party to deliver targeted advertising."


The language used here is a bit less forceful than I would have preferred. While I am not a lawyer, the language suggests to me that Verizon can still insert the tracking headers without consumer consent, but must obtain customer opt-in consent before sharing that UIDH with any advertising partner. The kicker is, if the UIDH is inserted into the webpage, then any other code in the same website (including advertising code) could have access to the header and use it for tracking purposes.

Naturally though, there are at least two sides to every question. After tweeting the above, Nate Cardozo - Staff Attorney for the Electronic Frontier Foundation - replied with a different interpretation.



Bottom line? Well, that remains to be seen. With all due respect to Mr. Cardozo, even if Verizon limits the UIDH to Verizon-owned IP blocks, the tracking value can conceivably still be used to uniquely identify the customer. Still, its at least a small win for consumer privacy.