Verizon is Tracking Mobile Users Online, Researcher Says

Verizon Wireless, the largest wireless carrier in the United States, has been quietly adding little bits of code, or “tokens,” to data requests made via mobile devices on its network for at least two years. The tokens let advertisers build profiles of users’ Web activities and deliver targeted ads. The ads, in turn, generate revenue that Verizon shares via partnerships.

The tactics savvy consumers use with their desktop browsers to control cookies — cookie blockers, cache clearing and incognito modes — do not disable the Verizon tokens, according to Jacob Hoffman-Andrews, a researcher with the Electronic Frontier Foundation (EFF).

Verizon says the data doesn’t contain personal information so advertisers don’t know customers’ identities. The company also says customers can opt out of the “Relevant Mobile Advertising” program.

However, the tokens, known as a Unique Identifier Headers (UIDH) cannot be turned off, and they broadcast themselves to every website the user visits, Hoffman-Andrews says. “All the opt-out means is that if a Verizon partner requests demographic data about a given header value, Verizon will not provide it. Third parties can continue to do whatever tracking they like,” he says.

Verizon spokeswoman Debra Lewis says Hoffman-Andrews is incorrect. “If/when a customer opts out of Relevant Mobile Advertising via their privacy choices, while they may still see the dynamic identifier, there is NO information associated with the ID and therefore, no ability to use it for advertising purposes. Customers can choose not to participate in the program by going to their privacy choices page on MyVerizon or by calling 866-211-0874,” Lewis wrote in an email.

Even if Verizon does not itself use the UIDHs to track its customers, advertisers do, according to Hoffman-Andrews. “Third parties, unrelated to Verizon, can use it for their own tracking,” he says. “It’s as if Verizon implemented a new cookie mechanism for all of their customers, but one that is shockingly insecure.”

Verizon uses the term ‘Precision ID” to describe the tracking to advertisers, and the company explains it in this PDF. (Hat tip to Robert Lemos at ArsTechnica for finding the document.)

Do other carriers use the same technology? It’s not clear. Hoffman-Andrews says researchers have seen similar code on phones from AT&T and Sprint, but not from T-Mobile. I reached out to all three companies but have not received answers. I’ll update this post if I do.

Given the focus on privacy today, it’s surprising that Verizon’s user tracking went unnoticed for so long. “This type of network interference is extremely hard to notice. Because the modification happens after requests leave your phone, nothing on your phone can detect it,” Hoffman-Andrews says. Verizon’s UIDH use was initially discovered by other EFF technologists.

It’s worth noting that Verizon is not just tracking users, but actually modifying the website requests the users’ phones make, a tactic that merits the term chutzpah, in my opinion. As Hoffman-Andrews put it: “Verizon is paid by its customers to serve as a trusted connection to the Internet. They should not violate that trust by modifying their customers’ traffic without explicit consent.”

At the very least, and I’m being generous here, Verizon should have disclosed this practice a long time ago. Instead, it waited for whistleblowers to ferret it out.