SECURITY DAILY NEWSLETTER GET SECURITY NEWS IN YOUR INBOX EVERY DAY |

SHARE

Wired reports that for the past two years, Verizon Wireless has been inserting a 50-character string called a Unique Identifier Header (UIDH) into its customers' Web traffic to help advertisers identify its users and customize advertising.

According to Advertising Age, Verizon calls the UIDH the PrecisionID, which the magazine describes as "a cookie alternative for a marketing space vexed by the absence of cookies."

Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation (EFF), recently tweeted a link to the Advertising Age article, writing, "I don't know how I missed this: Verizon is rewriting your HTTP requests to insert a permacookie? Terrible."

Noting that the article states, "Corporate and government subscribers are excluded from the new marketing solution," Hoffman-Andrews added, "In other words: we know this is bad."

Later, Hoffman-Andrews noted that Verizon may not be alone in this, tweeting, "Looks like AT&T has a similar header, and I've heard reports about Sprint."

Hoffman-Andrews told Wired the use of the UIDH should be stopped. "ISPs are trusted connectors of users, and they shouldn't be modifying our traffic on its way to the Internet," he said.

Verizon spokeswoman Debra Lewis told Wired there's no way to disable the UIDH, though customers who opt out of Verizon's Relevant Mobile Advertising program won't see the data used to create targeted ads.

But Hoffman-Andrews said that's irrelevant, since the UIDH is still being broadcast to every site Verizon customers visit, whether they opt out or not -- so ad networks could use it to build profiles of their online activity with or without their consent.

Stanford University computer scientist Jonathan Mayer wrote an analysis of the issue in which he called the UIDH a "supercookie," noting, "Much better designs are possible. Verizon doesn't need to supercookie its wireless subscribers to sell their advertising segments."