Someone is watching your every move on the web and you do not even know it. If you think you are safe simply by deleting browser cookies and history, think again; there are many other sneaky ways your movements continue to be tracked. Generally, cookies are installed to enhance and personalize consumers’ Internet experience. A cookie is defined as “a small file or part of a file stored on a World Wide Web user’s computer, created and subsequently read by a Web site server, and containing personal information (as a user identification code, customized preferences, or a record of pages visited)”.1 Even though cookies store an incredible amount of information about us, including how long we stay on the websites we visit, they can be erased when browsers are cleaned up.
“Supercookies,” however, are not standard browser cookies and cannot be deleted. Also called “zombie cookies” or “permacookies,” supercookies are unique identifier headers (“UIDH”) that smartphone carriers insert into consumers’ hypertext transfer protocol (“HTTP”) requests made on devices over their wireless networks. Instead of being a small file that gets saved by the web browser, a UIDH is a string of code injected by the carrier’s network into the requests the consumer’s device sends throughout their online sessions. This code cannot be deleted because it is not a file stored on the device. Because carriers and their advertising partners can continue tracking even when users enforce cookie blocking in browsers or use the private or “incognito” mode, supercookies are a serious cause for privacy concerns.
The Federal Communications Commission (“FCC”) has taken its first step in confronting this problem. On March 7, 2016, the FCC and Cellco Partnership, doing business as Verizon Wireless (“Verizon”), reached a settlement pursuant to which Verizon must pay $1.35 million and implement a three-year compliance plan in exchange for termination of further FCC investigation.2 Verizon defines its UIDH as “a unique character string of letters, symbols, and numbers that [it] inserts to deliver targeted advertising into address header information that accompanies customers’ HTTP requests transmitted over [its] network.”3 According to the Consent Decree, in December 2012 Verizon began using these UIDH without customers’ knowledge or consent to track their wireless online activities for the purpose of targeted advertisements from itself and third-party advertisers.4 Among the consumer information that Verizon collected were device locations, postal and e-mail addresses, and demographic and interest information, such as gender, age range, and interests (e.g. sports fan, frequent diner, or pet owner).5 It was only in late 2014 that news outlets caught on to the privacy concerns, and in January 2015, there came an exposé about Verizon’s advertising partner, Turn (an online advertising clearinghouse), using Verizon’s UIDH to respawn deleted cookies to profile consumers for Turn’s benefit, a purpose not condoned by Verizon.6 Turn holds auctions where, within milliseconds, advertisers bid for their advertisement to instantly appear on a user’s device screen.7 This is why Turn revived cookies: by matching the UIDH to revived cookies, de-identified data is no longer anonymous and Turn gains ever more complete user profiles.
The buzz about Verizon’s UIDH tracking without proper notice and customer consent led the FCC to launch its investigation in December 2014. The FCC’s Enforcement Bureau began looking into whether Verizon failed to appropriately protect customer proprietary information and whether it failed to disclose accurate and adequate information regarding its insertion of UIDH into consumer Internet traffic, in violation of Section 222 of the Communications Act of 1934 and Section 8.3 of the FCC’s Open Internet Transparency Rule (“OITR”).8 Section 222 of the Communications Act imposes a duty on carriers to protect their customers’ proprietary information and use such information only for authorized purposes.9 Section 8.3 of OITR requires every fixed and mobile broadband Internet access provider to publicly disclose accurate information regarding the network management practices, performance, and commercial terms of its broadband Internet access services sufficient for consumers to make informed choices regarding use of such services and for content, application, service, and device providers to develop, market, and maintain Internet offerings.10 The FCC confirmed that Verizon had not disclosed its UIDH practice at all until October 2014 and had neither updated its privacy policy nor provided customers an opt-out opportunity until March 2015. In addition, the FCC found that Verizon inserted UIDH into the web traffic made from mobile device lines, including enterprise, government, and Mobile Virtual Network Operator lines, which were ineligible to participate in Verizon Wireless’s targeted advertising programs.11
Under the terms of the settlement agreement, Verizon will pay a $1.35 million fine and implement a three-year compliance plan. The plan stipulates that Verizon must, among other things:
- obtain opt-in consent from a customer before sharing UIDH with a third party for targeted advertising;
- obtain opt-in or opt-out consent before sharing UIDH internally among Verizon entities;
- generate UIDH using methods that comply with reasonable and accepted security standards;
- maintain its current practices of (a) removing UIDH from an ineligible line within a reasonable period after activation and not using any such UIDH for any purpose, (b) allowing customers who are opted in to sharing UIDH to opt out subsequently, and (c) disclosing its UIDH practices in its privacy policies and FAQs and updating them as appropriate; and
- submit regular compliance reports, and appoint a compliance officer.12
Despite the seemingly small penalty imposed on Verizon for its misbehavior, privacy groups are hailing this FCC settlement as a victory. Nate Cardozo, a staff attorney at the Electronic Frontier Foundation, a privacy watchdog that had been critical of supercookies, said the settlement was an “unqualified win” for consumers.13 “Today’s order will mean that other companies contemplating similar involuntary tracking will think twice before proceeding without explicit consumer consent,” he wrote in an email.14 Peter Micek, Global Policy Counsel at Access Now, a non-profit advocacy group for open and free Internet, also said: “The FCC’s decision is a clear win for user rights.”15
So, what can we do as consumers? Most importantly, contact your cellular carrier and opt out of their tracking activities. Another step could be to use “HTTPS” instead of HTTP in the web browser address bar. HTTPS, or HTTP Secure, is HTTP within an encrypted connection. There are other, more complex, ways consumers can protect themselves, such as bouncing your Internet traffic around to various locations or creating multiple accounts under multiple identities.16 However, just as this FCC-Verizon settlement does not really touch Verizon’s tracking of its customers who visit the websites that use AOL’s advertising network (because Verizon owns AOL and is not considered a third party), the plain fact is consumers will continue to be tracked and identified one way or another. The only thing we can do as consumers is opt out of tracking activities on each and every mobile device we own.
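To check whether a connection is affected, compare the request a device sent with the request a server actually received. The sketch below is an added example, not code from the FCC order or any source cited here. It assumes an echo endpoint you control (the hypothetical `echo.example`) that returns the raw request it received, and it uses `X-UIDH`, the header name under which Verizon's UIDH was reported. All sample requests are constructed.

```python
# Added example: find headers that were inserted between client and server.
# Header names are compared case-insensitively, as HTTP requires.
KNOWN_TRACKING_HEADERS = {"x-uidh"}  # carrier identifier header discussed above


def parse_headers(raw: bytes) -> dict:
    """Return {lowercased-name: [values]} for a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def injected_headers(sent: bytes, received: bytes) -> dict:
    """Report header values the server saw that the client never sent."""
    sent_h, recv_h = parse_headers(sent), parse_headers(received)
    findings = {}
    for name, values in recv_h.items():
        extra = [v for v in values if v not in sent_h.get(name, [])]
        if extra:
            findings[name] = {
                "values": extra,
                "known_tracker": name in KNOWN_TRACKING_HEADERS,
            }
    return findings


# Constructed sample: what the device sent.
SENT = (b"GET /echo HTTP/1.1\r\nHost: echo.example\r\n"
        b"User-Agent: test-client\r\nAccept: */*\r\n\r\n")

# Constructed sample: what the echo server saw over plaintext HTTP on a
# network that adds headers in transit (identifier value is a placeholder).
RECEIVED_OVER_HTTP = (b"GET /echo HTTP/1.1\r\nHost: echo.example\r\n"
                      b"User-Agent: test-client\r\nAccept: */*\r\n"
                      b"X-UIDH: CONSTRUCTED-PLACEHOLDER-ID\r\n"
                      b"Via: 1.1 constructed-proxy\r\n\r\n")

# Over HTTPS the network only sees ciphertext, so the request arrives as sent.
RECEIVED_OVER_HTTPS = SENT

if __name__ == "__main__":
    print(injected_headers(SENT, RECEIVED_OVER_HTTP))
    print(injected_headers(SENT, RECEIVED_OVER_HTTPS))
```

The `Via` entry shows that ordinary proxies also add headers; only a stable per-subscriber value such as `X-UIDH` works as a tracking identifier.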
1. Cookie, Merriam-Webster Dictionary, http://www.merriam-webster.com/dictionary/cookie (last visited Mar. 21, 2016).
2. Order Containing Consent Decree, In the Matter of Cellco Partnership, d/b/a Verizon Wireless, Federal Communications Commission (FCC Rcd.) (2016), http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0307/DA-16-242A1.pdf.
3. Id. at 2.
4. Id. at 4.
5. Id. at 3.
6. See Jacob Hoffman-Andrews, Verizon Injecting Perma-Cookies to Track Mobile Customers, By-Passing Privacy Controls, Electronic Frontier Foundation (Nov. 3, 2014), https://www.eff.org/deeplinks/2014/11/verizon-x-uidh; Julia Angwin and Mike Tigas, Zombie Cookie: The Tracking Cookie That You Can’t Kill, Propublica (Jan. 14, 2015), https://www.propublica.org/article/zombie-cookie-the-tracking-cookie-that-you-cant-kill; Verizon Wireless’ Use of a Unique Identifier Header (UIDH) FAQs, Verizon Wireless, http://www.verizonwireless.com/support/unique-identifier-header-faqs/ (last visited Mar. 20, 2016).
7. Angwin and Tigas, supra note 6.
8. FCC Settles Verizon “Supercookie” Probe, Requires Consumer Opt-in for Third Parties, Fed. Comm. Comm’n (Mar. 7, 2016), http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0307/DOC-338091A1.pdf; see also Federal Communications Act of 1934 § 222, 47 U.S.C. § 222 (2012); FCC Open Internet Transparency Rule, 47 C.F.R. § 8.3 (2011).
9. 47 U.S.C. § 222.
10. 47 C.F.R. § 8.3.
11. Order Containing Consent Decree at 2, supra note 2.
12. Id. at 6-8.
13. Verizon to Pay $1.4M in ‘Supercookie’ FCC Settlement, N.Y. Times (Mar. 7, 2016), http://www.nytimes.com/aponline/2016/03/07/business/ap-us-verizon-supercookie.html.
14. Id.
15. Verizon Fined $1.35 Million for Its Use of Supercookies, Access Now (Mar. 7, 2016), https://www.accessnow.org/verizon-fined-1-35-million-use-supercookies/.
16. Julia Angwin, 6 Tips for Protecting Your Communications From Prying Eyes, Propublica (June 18, 2015), https://www.propublica.org/article/six-tips-for-protecting-your-communications-from-prying-eyes.