Privacy: It’s Time for the Library Community To Speak Up About Verizon and AT&T Use of X-UIDH Header to Track Wireless Web Users

UPDATE November 14: AT&T Stops Using Undeletable Phone Tracking IDs But Verizon Continues Usage
About a week ago we learned from a report by Wired’s Robert McMillan that Verizon was adding a Unique Identifier Header (UIDH) that’s often referred to as a permacookie to web traffic that moves across their network.
Since this report broke it has been reported that AT&T is also doing the same thing. As an AT&T customer I can confirm I can see the header being added to my web traffic. Links for you to check your traffic are found below.
Each permacookie is unique to the device being used and clearing cookies makes little difference. It is not possible to turn the UIDH off.
From the Wired Article:

Verizon Wireless has been subtly altering the web traffic of its wireless customers for the past two years, inserting a string of about 50 letters, numbers, and characters into data flowing between these customers and the websites they visit.

In the past few days, the Electronic Frontier Foundation (EFF) has also published a blog post on the use of this header.
From the Post:

It allows third-party advertisers and websites to assemble a deep, permanent profile of visitors’ web browsing habits without their consent.
[Clip]
The X-UIDH header effectively reinvents the cookie, but does so in a way that is shockingly insecure and dangerous to your privacy. Worse still, Verizon doesn’t let users turn off this “feature.” In fact, it functions even if you use a private browsing mode or clear your cookies.

The 1660 word post goes on to provide details about this header works including:

Unlike a cookie, the header is tied to a data plan, so anyone who browses the web through a hotspot, or shares a computer that uses cellular data, gets the same X-UIDH header as everyone else using that hotspot or computer. That means advertisers may build a profile that reveals private browsing activity to coworkers, friends, or family through targeted advertising.

What About Your Smartphone or Wireless Device

We encourage you to read the complete blog post and also utilize one or both of the following web sites to see if your wireless traffic has the header assigned to it.
With wi-fi turned off on a device utilizing the Verizon or AT&T networks visit LessonsLearned.org/sniff and/or AmIBeingTracked.com and make sure to read the caveats and info provided.

Solutions?

1. Have the wireless providers stop using them.
2. If that doesn’t happen and as the articles point out the use of a VPN (Virtual Private Network, from provider you trust) will stop the header from appearing in your web traffic that flows through Verizon and AT&T. There are thousands of VPN providers to try. I have used several VPN services and currently use AirVPN. I have also been impressed with what Zenmate.io is up to. Again, there are many services to select from. Using a VPN that you can control adds more encryption to all of your web traffic (independent of source) and can offer other benefits.

Now What?

1. Individually, let the FCC and FTC now that these headers are a bad idea.
2. As a Professional Community:
Professional organizations should speak up and force Verizon, AT&T and likely others to explain what’s going on.
As we’ve written many times on infoDOCKET user privacy is consistent with what we are taught and what we do. It’s something the library community has spent many years working very hard towards and earning the trust of library users along the way. It’s not the time to give up as we continue to move into the digital age.
Additionally, even if tracking and other digital privacy issues are NOT a cause of concern for you as an Internet user don’t forget that others may feel differently. Everyone has a different comfort level when it comes to privacy and as a community we need to work towards supporting those who have concerns. The library should play a role as the “go to” resource in a community for those interested in learning about online privacy and security.
Bottom Line: Awareness of issue(s), educating ourselves and our users, discussion, and if needed, working together to make changes.

Additional Reading

• ProPublica: Somebody’s Already Using Verizon’s ID to Track Users
• Forbes: The Privacy Lowdown On Verizon and AT&T’s Smartphone ‘Permacookies’

Filed under: Associations and Organizations, Data Files, Libraries, News, Patrons and Users