Verizon users might want to start looking for another provider. In an effort to better serve advertisers, Verizon Wireless has been silently modifying its users' web traffic on its network to inject a cookie-like tracker. This tracker, included in an HTTP header called X-UIDH, is sent to every unencrypted website a Verizon customer visits from a mobile device. It allows third-party advertisers and websites to assemble a deep, permanent profile of visitors' web browsing habits without their consent.

Verizon apparently created this mechanism to expand their advertising programs, but it has privacy implications far beyond those programs. Indeed, while we're concerned about Verizon's own use of the header, we're even more worried about what it allows others to find out about Verizon users. The X-UIDH header effectively reinvents the cookie, but does so in a way that is shockingly insecure and dangerous to your privacy. Worse still, Verizon doesn't let users turn off this "feature." In fact, it functions even if you use a private browsing mode or clear your cookies. You can test whether the header is injected in your traffic by visiting lessonslearned.org/sniff or amibeingtracked.com over a cell data connection.

How X-UIDH Works, and Why It's a Problem

Like a cookie, this header uniquely identifies users to the websites they visit. Verizon adds the header at the network level, between the user's device and the servers with which the user interacts. Unlike a cookie, the header is tied to a data plan, so anyone who browses the web through a hotspot, or shares a computer that uses cellular data, gets the same X-UIDH header as everyone else using that hotspot or computer. That means advertisers may build a profile that reveals private browsing activity to coworkers, friends, or family through targeted advertising.

Also unlike a cookie, Verizon's header is nearly invisible to the user and can't be seen or changed in the device's browser settings. If a user clears their cookies, the X-UIDH header remains unchanged. Worse, ad networks can immediately assign new cookies and link them to the cleared cookies using the unchanged X-UIDH value. We don't know which data brokers and ad networks are using the header to create behavioral profiles, but Cory Dunne found at least one GitHub repository contained code to extract the header value, as of October 27. The repository has since been quietly deleted but can be viewed at the Internet Archive. Twitter's mobile advertising division also appears to use the header for ad auctions.

Besides cookie clearing, the X-UIDH header bypasses several other built-in browser privacy mechanisms. Cookies belong to a single website and aren't shared with other websites. But one unique X-UIDH header value is shared with all unencrypted websites a user visits, making it easier for ad networks to track that user across many sites in a way not possible with cookies alone. Browsers provide Incognito Mode or Private Browsing Mode in order to defeat some kinds of tracking, but the X-UIDH header, since it is injected at the network layer, ignores those modes. Verizon also chooses to ignore Do Not Track, a setting users enable in their browser to indicate they do not want to be tracked. Similarly, disabling third-party cookies in browser settings does nothing to stop the X-UIDH header.

To compound the problem, the header also affects more than just web browsers. Mobile apps that send HTTP requests will also have the header inserted. This means that users' behavior in apps can be correlated with their behavior on the web, which would be difficult or impossible without the header. Verizon describes this as a key benefit of using their system. But Verizon bypasses the 'Limit Ad Tracking' settings in iOS and Android that are specifically intended to limit abuse of unique identifiers by mobile apps.

Because the header is injected at the network level, Verizon can add it to anyone using their towers, even those who aren't Verizon customers. Notably, Verizon appears to inject the X-UIDH header even for customers of Straight Talk, a mobile network reseller (known as a MVNO) that uses Verizon's network. Customers of Straight Talk don't necessarily have a relationship with Verizon.

But according to AdAge, "Corporate and government subscribers are excluded from the new marketing solution." We haven't verified (and Verizon refuses to say) whether the header is still sent for those subscribers or not. If they are indeed excepted from the program, that indicates to us that implementing an opt-out is feasible. We're disappointed that Verizon takes some of its users' privacy more seriously than others.

Verizon's Claimed Protections

Verizon does provide a sort of limited opt-out for individual customers, but it appears that the opt-out does not actually disable the header. Instead, it merely tells Verizon not to share detailed demographic information with advertisers who present a UIDH value. Meaningful protection from tracking by third parties would require Verizon to omit the header entirely.

According to Verizon, the header value is a salted hash, and the hash changes on an undisclosed frequency. However, it's easy for third-party ad networks to create a continuous profile by associating old and new X-UIDH values through their own identifier cookie . Verizon has refused to say what identifier they hash to create the identifier, but their recent patent suggests hashing a phone number. If they are indeed hashing phone numbers, it would be a major cryptographic mistake. Phone numbers can easily be deduced from hashes, so sending those hashes to untrusted web sites is practically equivalent to giving them your phone number.

Besides the ad networks, the unique X-UIDH header is a boon to eavesdroppers. We have seen that the NSA uses similar identifying metadata as 'selectors' to collect all of a single person's Internet activity. They also have been shown to use selectors to choose targets for delivering malware via QUANTUMINSERT and similar programs. Having all Verizon mobile users' web traffic marked with a persistent, unique identifier makes it trivial for anyone passively eavesdropping on the Internet to associate that traffic with the individual user in a way not possible with IP addresses alone.

According to Verizon, it began the Precision Market Insights program in 2012, but has consistently refused to provide technical details about how the program worked. The injection of the X-UIDH header went largely unremarked by the technical community until recently because it is so hard to observe. The header is inserted in requests after they leave the phone, so customers cannot detect it using only a phone. In order to detect it, a user needs to run a web server configured to log or echo all HTTP headers, which is very rare.

How You Can Protect Yourself

Verizon can only modify plaintext traffic. It can't modify encrypted requests without breaking the whole connection. There are four options for encrypting web requests: HTTPS, an encrypted proxy, a VPN, or Tor. Only a VPN or Tor provide full protection in this case.

The best protection against this specific problem is to use a VPN that encrypts all requests made from your phone, regardless of whether they were made by an app or a browser. Most VPNs are paid services, and when using a VPN you have to trust the VPN operators the same way you would normally trust your ISP. Advanced users can also use Tor via Orbot Android app in transparent proxy mode (requires root). Tor is free, but you have to trust exit node operators not to interfere with your connection. Tor is more appropriate if you are trying to be anonymous.

The second-best protection is to use an encrypted proxy, which protects browser traffic but not mobile apps. Mobile Chrome provides the 'Reduce data usage' setting, which is reported to prevent the X-UIDH header injection. Unfortunately, this connection is not reliably encrypted, because an ISP can disable encryption on it at any time.

HTTPS, which is the best protection for many types of harm, is actually the least powerful protection for this one. The header cannot be injected into an HTTPS request, but since websites choose whether to offer HTTPS, a site that wants to track users can simply avoid HTTPS and get the tracking headers. The web needs to become fully encrypted, and these X-UIDH headers provide a strong disincentive for sites and advertisers who wish to track their users to adopt HTTPS. In fact, the AT&T patent on similar headers recommends downgrading (redirecting) secure HTTPS requests to HTTP ones in order to receive the tracking header.

What Verizon Should Do

Verizon should immediately stop injecting the X-UIDH tracking header into its users' traffic. It is entirely possible to re-design their marketing programs so that the header is only injected for users who explicitly consent to having their Internet connections modified to add tracking information, and to do so in a way that doesn't allow third-party sites to track users across the Internet.

We're also concerned that Verizon's failure to permit its users to opt out of X-UIDH may be a violation of the federal law that requires phone companies to maintain the confidentiality of their customers' data. Only two months ago, the wireline sector of Verizon's business was hit with a $7.4 million fine by the Federal Communications Commission after it was caught using its "customers' personal information for thousands of marketing campaigns without even giving them the choice to opt out." With this header, it looks like Verizon lets its customers opt out of the marketing side of the program, but not from the disclosure of their browsing habits.

More generally, Verizon should stop tampering with their customers' Internet traffic without their customers' consent. ISPs like Verizon act as trusted connectors to the world, and shouldn't be modifying our communications on their way to the Internet. People should not be required to subscribe to a VPN and put their trust in a third party in order to get a modicum of privacy on the Internet.

AT&T has been reported to be testing a similar header.