Cellular communications provider Verizon Wireless is adding cookie-like tokens to Web requests traveling over its network. These tokens are being used to build a detailed picture of users’ interests and to help clients tailor advertisements, according to researchers and Verizon’s own documentation.

The profiling, part of Verizon’s Precision Market Insights division, kicked off more than two years ago and expanded to cover all Verizon Wireless subscribers as part of the company’s Relevant Mobile Advertising service. It appends a per-device token known as the Unique Identifier Header (UIDH) to each Web request sent through its cellular network from a particular mobile device, allowing Verizon to link a website visitor to its own internal profiles. The service aims to allow client websites to target advertising at specific segments of the consumer market.

While the company started piloting the service two years ago, privacy experts only began warning of the issue this week, arguing that the service is essentially tracking users and that companies paid for a fundamental service that should not be using the data for secondary purposes.

A history of snooping

“There is this mentality of 'if there is a way we can acquire more data on our users, that data is a legitimate target,'” said Jacob Hoffman-Andrews, senior staff technologist with the Electronic Frontier Foundation, who tweeted about the issue on Wednesday. “Users should have control in how they are being tracked.”

For the past decade, Verizon, Comcast, and other Internet service providers have sought ways to turn their access to their customers' traffic into additional revenue. In 2008, "deep-packet inspection" became a much-maligned term after a handful of Internet service providers were found tracking their users' activities on the Web by peering into network packets. Internet service providers learned to quietly deploy the technology for other applications.

The issue stepped into the national spotlight in June 2013, when Edward Snowden, a former contractor for the National Security Agency, leaked classified documents outlining the close cooperation between private companies and the agency. The access given to the NSA underscored the privacy dangers of overreaching data collection. Google, Microsoft, Facebook and other companies that gather data on users often receive subpoenas, search warrants, and national security letters directing them to give up the information.

Because of the risk of similar legal actions targeting Internet service providers, the companies' push to gather information on their users has made privacy advocates nervous.

“This is even at a more serious level than throttling traffic because ISPs are going in and modifying traffic in transit and that’s something that they should not be doing,” Hoffman-Andrews said. “They are paid by their customers to be trusted conduit for data, and they should be sending that data through faithfully rather than trying to insert or remove things.”

Verizon's tracking

The service allows websites to request advertisements along with the UIDH from a participating on-demand advertising network. The network can then request market-segment and geolocation information from Verizon to deliver the most appropriate advertisement. For its part, Verizon claims that it keeps its users anonymous. Verizon's Precision Market Insights changes the UIDH after a set period of time, reportedly every week, and does not provide any of its internal profile information back to its third-party clients, the company said in an e-mail interview with Ars.

“We do not use the UIDH to create customer profiles,” the company said. “Verizon Wireless does not use the UIDH to track where customers go on the Web. And information about Web browsing is not part of the relevant mobile advertising program.”

Verizon Wireless calls the data “private,” but it defines privacy as not sharing the information outside of the company. It adds that the database is not currently subject to any legal court orders. Consistent with this, Verizon has listed in its transparency report what data is turned over in response to a legal request, and the company’s marketing data appears to be excluded. “We would not provide additional personal, browsing, or location information because of the Precision programs or the UIDH,” Verizon told Ars.

But the mere existence of a database worries privacy advocates. In addition, the Electronic Frontier Foundation noticed that Verizon uses the UIDH in all search queries, even after a user opts out of the service. It also uses two other services that track users to some extent. This behavior could allow a third party to link a user to their use of other sites, says Ryan Singel, founder and CEO of content-recommendation firm Contextly.

“Sending a UID (universal identifier) in the clear to all sites will let any site de-anonymize you,” he told Ars. “All that’s needed is for one site that has your e-mail address or name to match that to the identifier. They can then sell this to anyone.”

Verizon responded that while the UIDH is still in the queries, consumers who have opted out of the program will no longer have information associated with the identifier. The company did not, however, pledge to stop updating the user’s profile.

Verizon is not the only Internet service provider to test new ways to generate revenue. Last month, Comcast was caught injecting JavaScript ads into the browsers of devices connected to any of its 3.5 million Wi-Fi hotspots. Internet service providers’ expansion into using data collected as part of its service for secondary purposes is a threat to everyone’s privacy, Contextly’s Singel said.

“People pay Verizon and Comcast and AT&T to simply get them online and keep them connected,” he said. “These ‘gatekeeper’ service providers have no business tracking their users, blocking what they do online, or preventing users from using the services of their choice.”