Over the last week, it has emerged that Verizon Wireless has been silently tracking around 100 million mobile customers using a supercookie that can’t be opted out of. The tracking identifier appears to be part of Verizon’s Precision Market Insights program, which started back in 2012. AT&T has been testing a similar supercookie, but so far it seems only Verizon has rolled it out network-wide. The identifier, as you can probably guess, allows Verizon to track almost everything you do over unencrypted HTTP, and then sell that behavioral data to advertisers. While it’s utterly heinous that you can’t opt out, it gets worse: Verizon’s implementation is so sloppy that any third party can use the same identifier to track your behavior. Clearly, privacy is something that only happens on other carriers.

How Verizon’s supercookie works

Usually, a cookie is a small piece of data that your browser stores on your device (PC, smartphone, tablet) on behalf of a website: a session token for a site you’re logged into, your time zone, and so on. Each time the browser makes a request to the site that set the cookie, it sends the cookie’s contents back along with the request. For the most part, this is a very graceful system that saves you having to log in every time you visit a website. But because the same mechanism lets a site recognize you on every return visit, and an ad network embedded on many sites can set its own cookie, cookies can just as easily be used to track you as you move around the internet.

These conventional cookies are very easy to block or delete, which is great for the consumer but awful for companies that make a lot of money by tracking (and then selling) your online behavior. Thus, over the last few years there has been a steady stream of supercookies that are harder to spot and increasingly difficult to block.

And now we have Verizon’s cookie, which in the conventional sense isn’t a cookie at all. Instead of putting a small amount of data on your device, which is fairly easy to delete or block, Verizon’s network hardware automatically inserts an extra HTTP header into every unencrypted HTTP request that passes through its network. Not just requests to Verizon websites: any web resource fetched over plain HTTP via Verizon’s network, i.e. everything that isn’t HTTPS. This header, called X-UIDH, carries a unique identifier tied to your Verizon account. The header is added in transit, after the request has left your web browser (or any other app on your phone that uses HTTP), so the app never sees it and can do nothing to stop it; the web server at the other end receives it with every request. Regularly clearing your cookies or using your browser’s private browsing mode won’t help you, either, because nothing is stored on your device in the first place.

Why Verizon’s supercookie is so incredibly despicable

Verizon’s network (only its wireless network, as far as we know) injects your unique ID into every unencrypted HTTP request. This doesn’t sound that bad, until you remember that HTTP headers travel in plaintext and are delivered to whoever answers the request. Every website you visit, and every advertising network whose scripts and tracking pixels that website loads (of which there could be dozens), receives its own requests from your phone, and each of those requests carries the same X-UIDH value. They don’t need permission from Verizon to use it: the header is right there, waiting to be read. Even if you run an add-on like Ghostery to block and delete tracking cookies, or enable Do Not Track, an advertiser can simply key its profile on the X-UIDH value and re-issue an accurate tracking cookie every time you clear yours.
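To make the mechanism concrete, here is a small simulation of the carrier-side injection described above and of an ad network exploiting it. This is added example code, not Verizon’s or the EFF’s. The header name X-UIDH is the real one; the token value, the host names, the pixel path and the tracker logic are constructed for illustration, and the HTTPS pass-through models the fact that a TLS connection is opaque to the network.

```python
"""Simulation of X-UIDH header injection and third-party re-identification.

Added example, not Verizon's or the EFF's code. The header name X-UIDH is the
real one; the token value, hosts, paths and tracker logic are constructed.
"""

X_UIDH = "X-UIDH"


def carrier_inject(request: dict, subscriber_token: str) -> dict:
    """Model of the carrier's in-path proxy.

    The proxy can only rewrite requests it can read, so it touches plain
    HTTP only; a TLS session is opaque to the network and passes unchanged.
    """
    if request["scheme"] != "http":
        return request
    headers = dict(request["headers"])
    headers[X_UIDH] = subscriber_token
    return {**request, "headers": headers}


class ThirdPartyTracker:
    """Ad network embedded on many sites, keying its profiles on X-UIDH."""

    def __init__(self) -> None:
        self.profiles = {}  # token -> list of pages the user was on

    def observe(self, request: dict):
        # Header names are case-insensitive (RFC 7230), so normalise first.
        headers = {k.lower(): v for k, v in request["headers"].items()}
        token = headers.get(X_UIDH.lower())
        if token is None:
            return None  # nothing to key on, e.g. an HTTPS request
        page = headers.get("referer", "unknown")
        self.profiles.setdefault(token, []).append(page)
        return token

    def rebuild_cookie(self, token: str) -> str:
        """Re-issue a conventional cookie tied to the carrier token, so a
        fresh browser profile is linked straight back to the old history."""
        return f"trk={token}; Path=/; Max-Age=31536000"


def simulate() -> dict:
    """One subscriber visits three sites; each page embeds ad.example's pixel."""
    tracker = ThirdPartyTracker()
    token = "EXAMPLE-SUBSCRIBER-TOKEN-1"  # constructed; real values are opaque

    def pixel_request(scheme: str, page_host: str, cookie: str = "") -> dict:
        # The browser fetches the pixel with its own request, which crosses the
        # carrier network like any other and therefore gets the header too.
        headers = {"Host": "ad.example", "Referer": f"{scheme}://{page_host}/"}
        if cookie:
            headers["Cookie"] = cookie
        request = {"scheme": scheme, "host": "ad.example", "path": "/pixel",
                   "headers": headers}
        return carrier_inject(request, token)

    first = tracker.observe(pixel_request("http", "news.example", cookie="trk=old"))
    # User clears cookies or opens a private window: no Cookie header at all.
    second = tracker.observe(pixel_request("http", "shop.example"))
    # Same user, but the page and its pixel are served over HTTPS.
    third = tracker.observe(pixel_request("https", "bank.example"))
    return {
        "first": first,
        "second": second,
        "third": third,
        "history": tracker.profiles.get(token, []),
        "cookie": tracker.rebuild_cookie(second) if second else None,
    }


if __name__ == "__main__":
    result = simulate()
    print("linked across sites:", result["first"] == result["second"])
    print("history:", result["history"])
    print("https request carried token:", result["third"] is not None)
    print("re-issued cookie:", result["cookie"])
```

The tracker never touches the user’s device: it sees the header on requests for its own pixel, uses the Referer to learn which page the user was on, and joins both visits under one token even though the second visit carried no cookie at all. Anything else the network already holds about that token (a login on a site it serves ads to, a device fingerprint) can be joined to the history just as easily.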

Now remember that the X-UIDH header may have been in place on Verizon Wireless’s network since 2012, and random third parties — that Verizon knows nothing about! — may have been building up a near-perfect history of your online behavior the entire time. The EFF reports that Verizon’s networking hardware even injects the X-UIDH header into the data stream of Verizon MVNOs, such as Straight Talk.

In a word, this scenario is utterly insane. If I wasn’t talking about an American ISP or carrier, I’d say that such behavior is unconscionable.

How to block the Verizon X-UIDH supercookie

The simplest way of mitigating the X-UIDH tracking header is to use HTTPS only. Inside a TLS connection the request and its headers are encrypted end to end between your browser and the site, so Verizon’s equipment can’t add anything to them. The EFF’s own HTTPS Everywhere add-on is a good place to start. The problem with this approach is that many websites don’t offer HTTPS, and any third-party resources a page still loads over plain HTTP (ad scripts, tracking pixels) will carry the header even when the page itself is HTTPS. And of course, if sites (or their advertising partners) are profiting from the X-UIDH header, there’s a pretty strong incentive not to enable HTTPS.

Using a VPN, Tor, or an encrypted proxy is also a viable option, but obviously going to such efforts on your smartphone can be a bit painful. Because a VPN or Tor tunnels all of your traffic, including plain HTTP, out of Verizon’s reach before it can be modified, it is the only way to cover sites that don’t offer HTTPS; you’ll have to decide if it’s worth the impact to performance and battery life.

Ultimately, of course, the only real solution is that Verizon Wireless needs to disable X-UIDH header injection immediately. It wouldn’t be quite so bad if customers had the option of opting into the program, but everyone was automatically enrolled in 2012. Technically you can “opt out” of Verizon using the X-UIDH header for tracking purposes, but the header remains in place for third parties and other ne’er-do-wells. AT&T, which is testing a similar system at the moment, will apparently let you opt out completely, so that the header isn’t injected in the first place — presumably all customers will be automatically opted in to begin with, though.

In the meantime, while we wait for a day that may never come, you may be happy to hear that both Sprint and T-Mobile appear to be free of such supercookies.

And thus concludes another update on the sad state of US telcos, ISPs, and wireless carriers.
