The saga of last year’s privacy controversy over Verizon’s user-tracking behavior continues on. The latest chapter involves the wireless carrier magnanimously deciding Friday to let subscribers opt out of the program, the New York Times reported.

Not that the idea came purely from the goodness of its heart. As the NYT noted, the decision came less than a day after the Senate Committee on Commerce, Science and Transportation wrote to Verizon’s chief executive, Lowell C. McAdam, to question his company’s behavior.

Next thing you know, Verizon agreed to let people jump off the good ship “Privacy Fail.”

Shhhh! We’re Tracking You

The fiasco started last year, when a tweet by the Electronic Frontier Foundation’s Jacob Hoffman-Andrews pointed out Verizon’s user-tracking tactics—primarily because few, if any, people realized what the wireless operator was doing.

I don't know how I missed this: Verizon is rewriting your HTTP requests to insert a permacookie? Terrible. http://t.co/MBDGZaLKNs — Jacob H-A (@j4cob) October 22, 2014

Hoffman-Andrews cited an Ad Age article about Verizon’s advertising business that mentioned the company’s use of PrecisionID, a tool developed by Verizon’s data marketer, Precision Market Insights. Its website describes PrecisionID as “a deterministic identifier matched to devices on Verizon’s wireless network powering data-driven marketing and addressable advertising solutions…”

The system works by tacking on snippets of code—sometimes called “perma-cookies” or “supercookies”—to mobile traffic headers moving through Verizon’s cellular network. This “UIDH” identifier allows the carrier to track its subscribers’ mobile browsing activity for advertising purposes. Ad Age’s Mark Bergen wrote, “Precision packages the request as a hashed, aggregated and anonymous unique identifier, and turns it into a lucrative chunk of data for advertisers.”

See also: Why Verizon Is Tracking All Your Mobile Web Traffic

In a Google AdSense world, user-tracking may not seem that outrageous. The difference: Google makes no secret of its ad-targeting behavior, and people knowingly accept those terms in order to use the search giant’s free services. Verizon Wireless subscribers pay (sometimes hefty) subscription fees, but they apparently didn’t know they were being tracked.

Instead, they became unwitting participants in a program whose security remains in question. As the NYT points out, Verizon must secure those unique identifiers or supercookies, to ensure external attackers can’t get their hands on them.

Verizon “Takes Privacy Seriously” (Kinda)

Even if people knew about the program, they would have had no way out until now. The company offered no mechanism to decline participation, like it does with other advertising initiatives. It makes sense, in some ways. If no one knows they’re being tracked, where’s the need? Another possibility: Putting something out there might trigger unwanted attention, and Verizon only puts it out there because it’s forced to now.

That is, of course, not the way the carrier positions its decision. According to its latest press statement:

Verizon takes customer privacy seriously and it is a central consideration as we develop new products and services. As the mobile advertising ecosystem evolves, and our advertising business grows, delivering solutions with best-in-class privacy protections remains our focus. We listen to our customers and provide them the ability to opt out of our advertising programs. We have begun working to expand the opt-out to include the identifier referred to as the UIDH, and expect that to be available soon. As a reminder, Verizon never shares customer information with third parties as part of our advertising programs.

The announcement looks like a concession, and a minor one at that. Because if it was serious about privacy, then Verizon would have made user-tracking opt-in, i.e. turned off by default and only activated with consent. Instead, the program is opt-out, indicating it may be turned on by default. That would put the onus on users to be aware and proactive enough shut it down.

Earlier in January, the Electronic Frontier Foundation began a petition against Verizon and Turn, a partner that makes digital marketing software. The digital rights group seeks punitive federal action for the lack of consumer disclosures over the tracking activity. The petition received more than 2,000 signatures as of Friday.

Lead photo by Kangrex