Verizon Under Fire Over Smart Cookies
The Electronic Frontier Foundation (EFF) has again drawn attention to Verizon Wireless's UIDH tracking program, an undeletable perma-cookie that makes it impossible for Verizon's customers to control their online privacy.
Verizon advertising partner Turn is using Verizon Wireless's UIDH tracking header to resurrect deleted tracking cookies and share them with major websites and ad networks, forming a vast web of non-consensual online tracking. Research from Stanford security expert Jonathan Mayer shows that Verizon's UIDH header is being used as an undeletable perma-cookie that makes it impossible for customers to meaningfully control their online privacy.
Mayer's research, described in ProPublica, shows that advertising network and Verizon partner Turn is using the UIDH header value to re-identify and re-cookie users who have taken steps to clear their cookies for privacy purposes. And as EFF says, that contradicts standard browser privacy controls, users' expectations, and Verizon's own claims that the UIDH header won't be used to track users because it changes periodically.
Verizon is also failing to allow even an opt-out. Through Turn's cookie-syncing program, the re-identification affects dozens of other sites and ad networks. According to Mayer's research, many ad networks and high-profile sites, including Facebook, Twitter, Yahoo, BlueKai, AppNexus, Walmart and WebMD, receive copies of the respawned cookie. Mayer identified a spectrum of blatancy in how the information was transmitted, from Referrer headers, through URL parameters, to literal replication of the Turn cookie by the other third-party tracker.
The EFF observed Facebook and Twitter getting the Turn cookie through explicit cookie-syncing APIs. At this point, Mayer has observed Google receiving the respawned cookie via Referrer headers and is therefore very likely to have logged it, but EFF has not yet observed it being sent to DoubleClick's Cookie Matching API. If these sites follow what we understand to be typical cookie syncing practices, they would also be circumventing cookie deletion.
Previously, EFF analyzed Verizon's PrecisionID program and found that Verizon reaches into its mobile customers' web browsing requests as they pass through the Verizon network and tampers with them to insert a header that uniquely identifies each Verizon subscriber. Ad networks can use the header to access extended targeting data on all Verizon customers, such as address, age, sex, and interests. Verizon claims to offer an opt-out, but opting out does not actually remove the header. Instead, Verizon claims it will not share a customer's demographic data after opt-out. But that means that third parties can, and indeed are, still using the Verizon header value as a unique tracking identifier that Verizon customers are powerless to change or delete, even after the user has "opted out" of the Verizon program. Nor does enabling the Do Not Track browser setting have any effect. In fact, Turn has told EFF that they do not believe that either Do Not Track or a user deleting their cookies is a signal that the user wishes to opt out from tracking. Turn ignores and circumvents these mechanisms, and uses the DAA's pretend opt-out instead.
Like most ad networks, Turn assigns its own unique cookie (called 'uid') to everyone who visits any site that includes Turn's tracking URLs. For other networks, deleting cookies from your browser effectively dissociates you from the reading history they have collected on you. However, Turn is more invasive: if you delete cookies, Turn will re-assign you the exact same 'uid' cookie you just deleted. Turn can only do this because Verizon sends the same unique UIDH header, so Turn can simply look up the UIDH value in an internal database. Because Verizon does not honor its customers' opt-out by removing the UIDH header, Turn performs this cookie resurrection even for people who have opted out on Verizon's site.
Turn also engages in cookie syncing. Normally, your browser only sends Turn's 'uid' cookie back to Turn's own servers. But when your browser visits a web page with Turn's embedded tracking URLs, those URLs can load an additional tracker from another network, for instance Facebook. Facebook would then receive a request that includes both Turn's uid and Facebook's own cookies identifying an individual. Facebook records the relationship between the identities, perhaps so it can accumulate data about individuals with help from Turn. As Mayer's research demonstrates, Turn's resurrected cookie rapidly infects other ad networks, informing those networks about Internet reading or browsing history the individual asked them to forget.
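To make the two preceding paragraphs concrete, here is an added example (not code from the article, EFF, Verizon or Turn) that does two things: a server-side check a site operator can run to tell a visitor that their network is injecting an identifier header (Verizon's header was named X-UIDH), and a minimal model of a tracker that keys its 'uid' cookie on that header, which shows why clearing cookies does not help. The request text, cookie values and UIDH values below are constructed sample data.

```python
from typing import Dict, Tuple

# Header name Verizon's network inserted into subscribers' HTTP requests.
INJECTED_ID_HEADERS = {"x-uidh"}


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request (request line
    skipped) into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break  # the blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def injected_tracking_ids(headers: Dict[str, str]) -> Dict[str, str]:
    """Return any ISP-injected identifier headers, so a site can warn the
    visitor that the network is tagging their traffic."""
    return {n: v for n, v in headers.items() if n in INJECTED_ID_HEADERS}


class ResurrectingTracker:
    """Model of an ad network that looks its 'uid' up by UIDH value: the
    same UIDH always maps back to the same uid, cookie or no cookie."""

    def __init__(self) -> None:
        self.uid_by_uidh: Dict[str, str] = {}
        self.counter = 0

    def assign_uid(self, headers: Dict[str, str]) -> str:
        cookies = dict(c.strip().split("=", 1)
                       for c in headers.get("cookie", "").split(";") if "=" in c)
        self.counter += 1
        fresh_or_existing = cookies.get("uid") or f"uid-{self.counter}"
        uidh = headers.get("x-uidh")
        if uidh is None:
            return fresh_or_existing  # without the header, deletion works
        return self.uid_by_uidh.setdefault(uidh, fresh_or_existing)


def demo() -> Tuple[Dict[str, str], str, str]:
    """Constructed requests: one with a uid cookie, then the same subscriber
    after clearing cookies; both carry the same injected X-UIDH value."""
    first = ("GET /pixel HTTP/1.1\r\nHost: tracker.example\r\n"
             "Cookie: uid=abc123\r\nX-UIDH: sampleUIDHvalue\r\n\r\n")
    cleared = ("GET /pixel HTTP/1.1\r\nHost: tracker.example\r\n"
               "X-UIDH: sampleUIDHvalue\r\n\r\n")
    tracker = ResurrectingTracker()
    h1, h2 = parse_request_headers(first), parse_request_headers(cleared)
    return injected_tracking_ids(h1), tracker.assign_uid(h1), tracker.assign_uid(h2)
```

`demo()` returns the flagged header, then the same uid twice: the deleted cookie comes straight back because the injected header, not the cookie, is what identifies the subscriber.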
The only way for Verizon customers to protect themselves against their ISP's tampering is to use a VPN, an expensive and difficult option, especially on a mobile phone.
EFF demands that Verizon immediately cease this flagrant violation of its customers' consent and privacy.
AT&T, which had also begun a tracking header program, abandoned it some months ago.