The Washington Post

Zombie cookies: How Verizon Wireless’s ‘supercookies’ make it even harder to avoid being tracked online


Back in November, privacy experts warned that a new kind of tracking technology called "supercookies" could allow Verizon Wireless customers to be monitored wherever they went on the Internet -- even if they took steps to protect their anonymity. Verizon downplayed those concerns.

But now privacy researchers say they've uncovered an advertising company that is using the supercookie to help track the online activities of Verizon Wireless customers.

Turn, an online advertising company that works with Google and Facebook, uses a unique identifier Verizon Wireless injects into its customers' Web traffic to collect data that makes it easier for advertisers to place targeted online ads, according to the researchers.

Verizon, which developed that supercookie, a string of characters known as "Unique Identifier Header" or UIDH, to use for its own online advertising program, said it was looking into the issue. "We are evaluating how third parties are using the UIDH in this evolving ecosystem and considering any appropriate response," Verizon Wireless spokesperson Adria Tomaszewski told The Post in a statement.

Turn says it is "reevaluating" its methods and will suspend the respawning cookie.

Verizon began tracking its retail customers -- those not on government or business contracts -- with this supercookie in November 2012. Customers can opt out of having their demographic data shared with Verizon's advertising partners, but they cannot opt out of having the supercookie attached to their Web traffic. Turn's use of the identifier highlights how data about someone's online tracking practices can sometimes be deployed beyond its original intent -- making it harder than ever for consumers to control who has knowledge about their online activities.

According to research by Jonathan Mayer, a Stanford graduate student and privacy expert, Turn uses Verizon's identifier as a signal to "re-spawn" or bring back traditional cookies that customers have taken steps to remove. That conclusion was confirmed by ProPublica.

Turn's general counsel and chief privacy officer, Max Ochoa, confirmed Mayer's analysis of how its program worked in an interview with The Post. In a blog post, Ochoa defended the company's practices, arguing that clearing cookies does not necessarily indicate that users did not want to be tracked.

But privacy advocates disagree. "Deleting cookies is one of the few ways those concerned with tracking know to avoid having their behavior logged," said Laura Moy, senior policy counsel at New America Foundation's Open Technology Institute.

Last fall, privacy advocates warned Verizon's "supercookie" left users potentially vulnerable to having other entities -- including advertisers or even government agencies -- piggyback on the technology to track their online activities. AT&T was also experimenting with such a program, but canceled it last November after public backlash over the practice.

But Verizon defended the supercookie in the face of criticism, posting a message on its Web site saying "it is unlikely that sites and ad entities will attempt to build customer profiles for online advertising" and noting that the identifier "changes frequently."

Researchers and privacy advocates weren't convinced. Unique codes that are associated with consumers' online activity often get shared in the larger advertising ecosystem in a process known as "de-anonymizing," which allows Web sites, advertisers and data brokers to piece together more complete portraits of the users they hope to target, experts say.

"A tracking technology like this could be used to build a comprehensive list of everywhere an individual is going online," said Moy. That could reveal information about a person's health, religion, family status, sexual preferences, and other highly intimate aspects of their life, Moy said.

With Turn, Mayer said he has found the smoking gun showing the risks to consumers posed by the Verizon Wireless supercookie are more than theoretical.

"While you have a Turn tracking cookie and are on the Verizon network, it kept track of the linkage between your Turn cookie and that Verizon Wireless tracking header," he explained. "But if you get rid of the Turn cookie, the back end of that system would notice and reinstate that cookie based on the header."

Consumers can opt out of having targeted ads served to them through Turn's technology by clicking a button on the company's Web site. It also honors opt-out requests managed by two online advertising associations. But Ochoa, Turn's general counsel, says that those opt-outs do not stop the company from tracking users' online activities.

"There is not any way for a user to opt-out of tracking -- and that is not unique to Turn," he said, adding that it represents the norms of the online advertising industry that underlies many of the "free" services many consumers rely on.

"Turn is really just a small piece of a very large ecosystem that is trying very hard to tailor advertising," Ochoa said. The company does not collect or share personally identifiable information, such as names, phone numbers or e-mail addresses, but it can build profiles of users based on the Web sites they visit that are then associated with the company's cookies.

Verizon Wireless should have foreseen how others might take advantage of the code it was injecting into its customers' traffic, critics say.

This situation should make consumers more aware of just how difficult it is to protect the privacy of their online activities. "This is a clear example of the type of advance tracking technology that we desperately need some consumer protections to prevent happening in the first place," said Moy of the Open Technology Institute.