Verizon Under Fire Over Zombie Cookies

Wireless carrier Verizon is getting called on the carpet for its privacy practices. It seems one of its advertising partners has been caught with its hand in the cookie jar. Turn is using Verizon’s UIDH tracking header to tap into deleted tracking cookies and share them with dozens of major Web sites and ad networks to form a Web of non-consensual online tracking, according to the Electronic Frontier Foundation (EFF).
Jonathan Mayer, a computer scientist and lawyer at Stanford, is calling it the “Turn-Verizon Zombie Cookie.” Last year, people called it the supercookie because it continued to track users even after they cleared their caches or turned on private browsing. Mayer has launched a full-blown investigation into these zombie cookies.
“The privacy impact also goes beyond individual mobile browsers. If a Verizon customer tethered with their phone, their notebook could get stuck with the zombie value (the ultimate in cross-device advertising),” Mayer wrote in a blog post. “And the zombie value could spread between cookie stores on a device, including between the Web browser and individual apps (the ultimate in inter-app advertising).”
So Much for Privacy Policies
Jacob Hoffman-Andrews, a senior staff technologist at EFF, called it a “spectacular violation of Verizon users' privacy” that’s made worse by Verizon’s failure to enable users to opt-out. And he said it’s already having far-reaching consequences.
“Through Turn's cookie syncing program the re-identification affects dozens of other sites and ad networks. According to Mayer's research, many ad networks and high profile sites, including Facebook, Twitter, Yahoo, BlueKai, AppNexus, Walmart and WebMD, receive copies of the respawned cookie,” Hoffman-Andrews said.
“If these sites follow what we understand to be typical cookie syncing practices, they would also be circumventing cookie deletion. It is possible that some of these companies are unknowingly in violation of their own privacy policies and regulatory settlements as a result of Verizon and Turn's practices,” he added.
How Harmful Is This?
We caught up with Jeff Kagan, an independent technology analyst in Atlanta, to get his thoughts on Verizon’s fiasco. He told us this is going to “bite Verizon right in the keister.”
“Privacy and security are two hot buttons that users are concerned about. That's the marketplace we live in today,” Kagan said. “Unfortunately, there is little users can do to protect themselves. When a company crosses over the invisible line in customers' minds the way it sounds like Verizon is doing, this can be harmful to the company.”
The questions Kagan is asking himself is “how harmful and for how long?” Verizon generally has a good reputation. Over the years, the company has stepped in a “pile of dog doo” now and then, but generally customers give them a pass, he said.
“This is a biggie in many customers’ minds. It will be interesting to see what happens next,” Kagan added. “However, it's important for every one to recognize that the days of privacy have been over for a long time. Now it's just a question of degree.”