Verizon Wireless, the United State’s largest telecom operator, has moved into the mobile ad business. They have been serving ads since May 2014. Whatever Verizon does to earn revenues is nobody’s business but it seems that Verizon is tracking the customer habits to publish their ads.
As per a research published by, Jonathan Mayer, a computer scientist and lawyer at Stanford, who takes consumer privacy very strongly, Verizon is using the headers in the HTTP section to track its customers and gauge their spending habits.
Verizon Wireless is injecting a unique identifier (UID) into web requests, as data transits the network in each and every customer of Verizon Wireless Network (VZW). Apparently Verizon is doing this in complete disregard to the federal laws as Verizon Wireless is injecting a UID into all HTTP requests made on the VZW network, regardless of whether or not the customer has opted out of their Customer Proprietary Network Information (CPNI) options.
As per the law only those who have opted for CPNI can be monitored through such methods. Mayer himself checked out the method of injecting the UID in the header :
On my phone, for example, here’s the extra HTTP header.
X-UIDH: OTgxNTk2NDk0ADJVquRu5NS5+rSbBANlrp+13QL7CXLGsFHpMi4LsUHw
Mayer has made a brief infographic of how he feels the header is working :
In short, Verizon is packaging and selling subscriber information, acting as a data broker on real-time advertising exchanges which is questionable and against the law. By default, the information appears to consist of demographic and geographic segments. If a user has opted into “Verizon Selects,” then Verizon also shares behavioral profiles built by deep packet inspection.
Whatever the merits of Verizon’s new business model, the technical design substantial shortcomings.
- First, the X-UIDH header functions as a temporary supercookie.
- Any website can easily track a user, regardless of cookie blocking and other privacy protections.
- No relationship with Verizon is required.
Second, while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. If you have enabled the privacy settings all it does is prevent Verizon from selling information about a user.
Much better designs are possible. Verizon doesn’t need to supercookie its wireless subscribers to sell their advertising segments.6 And it certainly doesn’t need to send a supercookie if a user isn’t participating.
The customers of Verizon are not happy with this illegal monitoring and have been venting their disgust on Twitter
I don't know how I missed this: Verizon is rewriting your HTTP requests to insert a permacookie? Terrible. https://t.co/MBDGZaLKNs
— Jacob H-A (@j4cob) October 22, 2014
Disturbing @kennwhite VZW finding: 1) My CPNI setting. 2) Normal browsing. 3) Using a VPN. #VZWCookieGate pic.twitter.com/s9IIDYzbW6
— Michael Ramirez (@rammic) October 23, 2014
An user on YCombinator has said that Verizon Wireless don’t appear to be doing this if you’ve opted out of “Relevant Mobile Advertising”, which is another option [separate from CPNI] on https://verizonwireless.com/myprivacy.
Here’s the setting you’re looking for:
However how far it will got disable the Verizon Wireless UID in headers and help protect Verizon customers privacy can only be answered at later time. In the meanwhile you can check you UID in the Headers delivered by Verizon Wireless at this site https://uidh.crud.net/ courtexy @j4cob
