
There's no opting out of Verizon's PrecisionID

Verizon's PrecisionID allows Verizon and advertisers to profile those who use Verizon data networks, and there's no opting out. But here's how to block it.

PrecisionID is the controversial ingredient of Precision Market Insights, a stealthy, recently discovered Verizon advertising program. IT types know PrecisionID as X-UIDH; advocacy groups like the Electronic Frontier Foundation (EFF) prefer the term perma-cookie. Below is what a PrecisionID/X-UIDH/perma-cookie looks like:

X-UIDH: PKgxNTk2NDm0ADLVquRu5NS5+rSbBANlrp+13QL7CXLGsFHpMi4LsUHw

The Verizon webpage describing Precision Market Insights said, "The PrecisionID is a deterministic identifier matched to devices on Verizon's wireless network powering data-driven marketing and addressable advertising solutions that offer audience scale and increase ROI."

The following Verizon slide deciphers what that means.

Image: Verizon

1. A consumer visits a web page or uses an application

2. Which sends a request through the Verizon network.

3. In the request, a unique device identifier is transmitted.

4. Precision is the key that can unlock the ability to associate data with this identifier

5. Without sharing the identity of the user.

6. Enabling our partners to serve ads

7. That are more relevant to their consumers.

X-UIDH is the unique device identifier

X-UIDH is the name given to the unique device identifier, an "HTTP header" that Verizon adds to HTTP requests sent to remote web servers via the Verizon network. Webopedia defines HTTP header: "The information, in the form of a text record, that a user's browser sends to a web server containing the details of what the browser wants and will accept back from the server. The request header also contains the type, version, and capabilities of the browser that is making the request so that server returns compatible data."

Perma-cookie identifies users

Next, the perma-cookie. In the post "Verizon Injecting Perma-Cookies to Track Mobile Customers, Bypassing Privacy Controls," EFF technologist Jacob Hoffman-Andrews points out, "This header uniquely identifies users to the websites they visit. Verizon adds the header at the network level, between the user's device and the servers with which the user interacts."

Hoffman-Andrews also said that Verizon ties the perma-cookie header to the data plan, making it invisible to most digital cookie crunchers. Adding more fuel, Hoffman-Andrews notes, "If a user clears their cookies, the X-UIDH header remains unchanged. Worse, ad networks can immediately assign new cookies and link them to the cleared cookies using the unchanged X-UIDH value."

Besides permanency, the EFF has other misgivings:

● The same X-UIDH header value is shared with all unencrypted websites Verizon members visit.

● Incognito Mode or Private Browsing are ineffective.

● The web browser setting "Do Not Track" is ignored.

● Mobile applications that send HTTP Requests get the X-UIDH header added.

● Not just Verizon members are affected; any mobile device attached to a Verizon cell tower and sending HTTP Requests will get an X-UIDH header.

EFF's contention is that Verizon's PrecisionID is a permanent (no choice to opt out) cookie-like snippet of code that allows Verizon and third-party advertisers to track the whereabouts of those who use Verizon's data network.

Jonathan Mayer, a computer scientist and attorney at Stanford University and a trusted source of mine, provides his interpretation of Verizon's advertising header and said, "In short, Verizon is packaging and selling subscriber information, acting as a data broker on real-time advertising exchanges. By default, the information appears to consist of demographic and geographic segments. If a user has opted into 'Verizon Selects,' then Verizon also shares behavioral profiles built by deep-packet inspection."

Mayer said he studied the Verizon patent and the following slide is his version of how PrecisionID works:

Image: Jonathan Mayer

● The X-UIDH header functions as a temporary super-cookie. Any website can track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required, Mayer said.

● While Verizon offers privacy settings, they don't prevent sending the X-UIDH header. All they do is prevent Verizon from selling information about a user, Mayer said.

Blocking the PrecisionID

Experts say the only for-sure way to thwart the perma-cookie is to use a VPN, the Tor Network, or an encrypted proxy. The same experts suggest that any of these choices is a real pain when using mobile devices. Mayer said, "HTTP blocking, like AdBlock Plus or Privacy Badger, would still be effective."
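One way to check whether a connection carries the header is to compare the request a device sent with the copy logged by a server you control. The following is an added example, not code from the article, Verizon, or the EFF. The host `echo.example`, the function names, and both sample requests are constructed; the X-UIDH value is the one shown earlier on this page.

```python
# Added example: find headers inserted between a device and a server.
# X-UIDH is the header named in the article; everything else is constructed.
TRACKING_HEADERS = {"x-uidh"}

def parse_headers(raw: bytes) -> dict:
    """Return {lowercased header name: [values]} from a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # [1:] skips the request line
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def diff_in_transit(sent: bytes, received: bytes) -> dict:
    """Compare what the client sent with what the server actually received."""
    s, r = parse_headers(sent), parse_headers(received)
    added = sorted(n for n in r if n not in s)
    changed = sorted(n for n in r if n in s and r[n] != s[n])
    removed = sorted(n for n in s if n not in r)
    # A tracking header counts whether it was added or overwritten in transit.
    tracking = {n: r[n] for n in added + changed if n in TRACKING_HEADERS}
    return {"added": added, "changed": changed,
            "removed": removed, "tracking": tracking}

# Constructed sample: request as it left the device (note Do Not Track is set).
SENT = (b"GET /echo HTTP/1.1\r\nHost: echo.example\r\n"
        b"User-Agent: sample-client/1.0\r\nDNT: 1\r\n\r\n")

# Constructed sample: the same request as logged by the server over plain HTTP.
RECEIVED_CLEARTEXT = (
    b"GET /echo HTTP/1.1\r\nHost: echo.example\r\n"
    b"User-Agent: sample-client/1.0\r\nDNT: 1\r\n"
    b"X-UIDH: PKgxNTk2NDm0ADLVquRu5NS5+rSbBANlrp+13QL7CXLGsFHpMi4LsUHw\r\n\r\n")

# Constructed sample: through a VPN or other encrypted tunnel the request
# arrives exactly as it was sent.
RECEIVED_TUNNELLED = SENT

if __name__ == "__main__":
    for label, received in (("cleartext", RECEIVED_CLEARTEXT),
                            ("tunnelled", RECEIVED_TUNNELLED)):
        print(label, diff_in_transit(SENT, received))
```

In the cleartext case the diff reports `x-uidh` as added even though the request carried `DNT: 1`, matching the EFF's point that Do Not Track is ignored.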

About Michael Kassner

Information is my field...Writing is my passion...Coupling the two is my mission.
