I've Been Mugged Blog

Yesterday, the Federal Communications Commission (FCC) announced a settlement agreement with Verizon Wireless regarding the company's use of "Supercookies" to track mobile users. The FCC alleged that that Verizon Wireless inserted:

"... unique identifier headers or so-called “supercookies” into its customers’ mobile Internet traffic without their knowledge or consent. These unique, undeletable identifiers – referred to as UIDH – are inserted into web traffic and used to identify customers in order to deliver targeted ads from Verizon and other third parties."

Terms of the settlement agreement require Verizon Wireless to notify consumers about its targeted advertising programs, obtain customers’ opt-in consent before sharing UIDH with third-party companies and affiliates, and obtain customers’ opt-in (or opt-out) consent before sharing UIDH internally among Verizon's companies and business units. The settlement terms also require the company to pay a $1.35 million fine and adopt a three-year compliance plan.

The FCC's announcement also noted that the company was slow to update its privacy policy (bold added):

"It was not until late March 2015, over two years after Verizon Wireless first began inserting UIDH, that the company updated its privacy policy to disclose its use of UIDH and began to offer consumers the opportunity to opt-out of the insertion of unique identifier headers into their Internet traffic... Section 222 of the Communications Act imposes a duty on carriers to protect their customers’ proprietary information and use such information only for authorized purposes. It also expressly prohibits carriers that obtain proprietary information from other carriers for the provision of telecommunications services to use such information for any other purpose. Section 8.3 of the Commission’s rules, known as the Open Internet Transparency Rule, requires every fixed and mobile broadband Internet access provider to publicly disclose accurate information regarding the network management practices, performance, and commercial terms of its broadband Internet access services sufficient for consumers to make informed choices regarding use of such services and for content, application, service, and device providers to develop, market, and maintain Internet offerings."

The FCC began its investigation in December, 2014. At that time, the concern was:

"... whether Verizon Wireless failed to appropriately protect customer proprietary information and whether the company failed to disclose accurate and adequate information regarding its insertion of UIDH into consumer Internet traffic over its wireless network, in violation of the FCC’s 2010 Open Internet Transparency Rule and Section 222 of the Communications Act."

Verizon Wireless began inserting UIDH into consumer Internet traffic in December 2012, and didn't disclose this practice until October 2014. After acknowledging this practice, the company claimed that third-party advertising companies were unlikely to use their supercookies to build consumer profiles or other purposes. The Washington Post reported in November 2014:

"Verizon and AT&T have been quietly tracking the Internet activity of more than 100 million cellular customers with what critics have dubbed “supercookies”... The technology has allowed the companies to monitor which sites their customers visit, cataloging their tastes and interests. Consumers cannot erase these supercookies or evade them by using browser settings, such as the “private” or “incognito” modes that are popular among users wary of corporate or government surveillance.

Also in November 2014, the Electronic Frontier foundation (EFF) discovered the tracking, and asked Verizon to both notify users and get their consent before using supercookies:

"Verizon users might want to start looking for another provider. In an effort to better serve advertisers, Verizon Wireless has been silently modifying its users' web traffic on its network to inject a cookie-like tracker. This tracker, included in an HTTP header called X-UIDH, is sent to every unencrypted website a Verizon customer visits from a mobile device. It allows third-party advertisers and websites to assemble a deep, permanent profile of visitors' web browsing habits without their consent. Verizon apparently created this mechanism to expand their advertising programs, but it has privacy implications far beyond those programs."

The EFF said that the Verizon Wireless settlement agreement:

"... is a huge win for Internet privacy. ISPs are trusted carriers of our communications. They should be supporting individuals' privacy rights, not undermining them."

The EFF tempered its comments with a warning how ISPs can still secretly track consumers:

"... They can send tracking data only to selected web sites, hindering detection by third parties. ISPs can (and some very likely do) hide tracking data in a lower protocol layer, like TCP or IP, setting fields that are normally random based on an agreed-upon code. Or they could log all user browsing activity themselves and share it upon request. Detecting these more pernicious methods will require ongoing skilled technical work by the FCC and other watchdog organizations.."

This is why both a skilled oversight agency and watchdog groups are necessary. The average consumer cannot perform this technical analysis. FCC Enforcement Bureau Chief Travis LeBlanc said:

"Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they’re doing online... Privacy and innovation are not incompatible. This agreement shows that companies can offer meaningful transparency and consumer choice while at the same time continuing to innovate...”

Yes! Innovation and privacy are compatible. Yes, we consumers care... care greatly about privacy. Relevant advertising is not an excuse to do anything without notification and without consent. Kudos to the FCC. View the Verizon Wireless Order and Consent Decree (Adobe PDF).