Research from Stanford's Jonathan Mayer and ProPublica has shown that Verizon's undeleteable UIDH mobile tracking header is being used by advertising and tracking company Turn.com to respawn deleted cookies. The only complete protection from being tracked by Verizon's injected headers is to follow the advice in Verizon's privacy policy, and not use their product at all:

If you do not want information to be collected for marketing purposes from services such as the Verizon Wireless Mobile Internet services, you should not use those particular services.

But if you're trapped in a contract with Verizon Wireless, you may not be able to switch to another carrier. If that's the case, here's a review of which mobile apps (and desktop software, if you tether) will and won't protect you against UIDH and Turn.com's zombie cookies.

Which mobile apps protect you against Verizon and Turn?

We tested the following common mobile browsers and privacy apps:

Methodology: we installed each tool in its default configuration, and tested whether Turn was able to respawn its uid cookies after deletion in most situations.

Which desktop software protects you against Verizon and Turn?

If you tether your laptop to a Verizon device, or use a Verizon WiFi or USB mobile Internet connection, your laptop will be subject to non-consensual UIDH injection and tracking. Most of the mobile apps above are also available in desktop versions, but there are a few additional options:

Software/browser Platform Protects against Verizon? Protects against Turn? Internet Explorer Windows, OS X No No Privacy Badger Firefox, Chrome No Yes Tor Browser Bundle Windows, Linux, OS X Yes Yes

If you use Internet Explorer, you might consider a Tracking Protection List. Some of these help, others make the problem worse:

Tracking Protection List Platform Protects against Verizon? Protects against Turn? Abine TPL IE 9+ No Yes EasyList TPL IE 9+ No Yes EasyPrivacy TPL IE 9+ No No Privacy Choice -- all companies IE 9+ No Yes Privacy Choice -- companies without NAI oversight IE 9+ No No TRUSTe TPL IE 9+ No No (makes the problem worse! )

Who needs to do better?

Some major take-aways about the software that does, and doesn't protect you:

Of the major browsers, only Safari offers even partial protection by default. Firefox, which has talked about offering better protection for its users, hasn't delivered anything practical yet.

Amongst the ad- and tracker-blocking software, the results were surprising. Disconnect Pro, which includes both VPNs and tracker blocking, is a strong option, though it requires a subscription fee after a free trial period. Software like AdBlock, AdAway and AdBlock Plus, which don't claim to be privacy tools, or which require manual reconfiguration to block trackers, nonetheless protected their users against Turn. Ghostery, which claims to be a privacy tool, doesn't offer any protection by default! EFF's own Privacy Badger works as expected, but isn't available on mobile yet (you can help out here!).

The Google Play Store on Android has censored the apps that offer the most effective protection. Google needs to reverse this disastrous anti-user and anti-privacy decision, or be held accountable for Verizon and Turn's predation on their users.

Defeating Turn's tracking is comparatively easy: users can (and are advised to) block all requests to Turn's domains. Verizon's practices are both more a more profound violation of trust — we need to trust our ISPs as much as we trust our priests — and harder to protect against. If for some reason you need to use the Verizon Wireless network, encrypting your requests so Verizon can't tamper with them is the only answer, and currently Tor, VPNs, and (for partial but continuous protection) HTTPS Everywhere are the only answers.

Update: 2015-01-15: tl;dr this post was updated to shorten the introduction.