Verizon told the New York Times on Friday that it plans to begin allowing its customers to opt out of its privacy-invasive header injection program. For customers that are aware of the Verizon program and visit the opt-out page, this means they will soon be able to protect themselves against privacy circumvention like Turn's zombie cookie.
Verizon's move to begin allowing opt-out comes after more than 2,600 of you signed our petition urging the FCC to investigate Verizon's practices. It also comes just one day after Senators on the the Commerce Committee sent a strongly-worded letter to Verizon Wireless [pdf] expressing "deep concern" over Verizon's continued practice of injecting UIDH headers into all Web traffic. This letter follows recent news that the header, which acts as a supercookie, was being abused by Verizon's own advertising partner Turn to resurrect cookies that people had deleted from their browsers. These "zombie cookies" are similar to Quantcast's 2009 Flash-based zombie cookie program, which ended with a settlement that included an agreement not to "counteract any computer user's decision to either prevent or delete HTTP cookies" using the technology.
The Commerce Committee said in their letter to Verizon, "While we understand that Turn has suspended its utilization of Verizon's supercookies, such a practice, if true, would seemingly constitute a deliberate circumvention of customer choice and a violation of consumer privacy." They went on to say, "Because of the threats to consumer privacy, AT&T wisely discontinued the use of similar mobile trackers, while Verizon has chosen to carry on," and ask, "Does Verizon intend to continue the use of its mobile tracker?" Unfortunately, Verizon's answer is yes, but with an opt out.
The new opt out plan is an improvement, and we congratulate Verizon on working to undo some of the privacy harm its header program has caused. However, the current plan doesn't go nearly far enough to fix the problem. The millions of Verizon customers who are unaware of the tracking header and their new ability to opt-out are still exposed to the risk of zombie cookies from firms less visible than Turn. Customers who assume their mobile OS' tracking opt-out or their browser's privacy modes will be respected by Verizon are also still vulnerable.
Verizon's program is part of a trend among network providers: header injection (called "header enrichment" by industry) and content injection. With modern processing speeds, it has become practical and affordable for ISPs to inspect and modify every byte of traffic that flows across their routers. This has led to a burgeoning industry of commercial interception gear. ISPs use these "middleboxes" to achieve greater control of what their customers read and see. In mobile industry parlance, such "Value Added Services" include tracking header injection like Verizon's, advertisement injection like Comcast's, and fine-grained blocking of specific web pages. Verizon and other ISPs need to recognize the extreme intrusiveness of these network tampering measures and treat all header injection, advertising injection, and content filtering as requiring explicit customer choice.
Tell Verizon to follow AT&T's lead and discontinue its header injection program—or at a minimum, make it opt-in.