Verizon and Turn Defeat Browser Privacy Protection Through Zombie Cookies
January 26, 2015
Before, people who wanted to keep their browsing history and data private often opted to use private browsing mode or deleted their cookies. Unfortunately, for Verizon users, that method doesn’t work. With Verizon’s UIDH tracking header, all users are now assigned a hidden, unchangeable, and un-deletable number that can be used to track customer browsing habits and other data like address, age, sex, and interests.
Verizon has an opt-out, but opting out does not actually remove the header. Instead, Verizon says it will not share a customer’s demographic data after opt-out. However, that means third parties can still use, and are using, the Verizon header value as a unique tracking identifier that Verizon customers are powerless to change or delete, even after the user has “opted out” of the Verizon program.
Turn, Verizon’s advertising partner, in fact found a way to use this tracking header to regenerate or “resurrect” cookies that have been deleted, earning them the name Zombie Cookie. Research by Jonathan Mayer, a Stanford security expert, double-checked by ProPublica, tested and proved how they use this method.
How Zombie Cookies come to life
When a user comes across sites that have Turn tracking URLs, Turn assigns the user a unique number called a uid. With other networks, deleting cookies removes the reading history they have on you, but it’s different with Turn. Once you delete your cookies, Turn simply re-assigns you the same uid cookie you deleted. It can do this because it has access to Verizon’s UIDH header database, which has the users’ information even if you choose to opt out, and gets the information from there. In this way, it resurrects the cookies you just deleted.
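The respawning described above can be observed from the client side by comparing the cookies a site issues before and after deletion. The following Python is an added example, not code from the article, Mayer, or ProPublica; the hosts, cookie values, and capture format are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed client-side capture: (host, Cookie header sent, Set-Cookie received).
# Hosts and values are invented for illustration.
CAPTURE = [
    ("tracker.example", "", "uid=4821907731; Path=/"),   # first visit
    ("tracker.example", "uid=4821907731", ""),           # normal revisit
    ("other.example", "", "sid=aaa111; Path=/"),         # first visit
    # -- user deletes all cookies here --
    ("tracker.example", "", "uid=4821907731; Path=/"),   # same id comes back
    ("other.example", "", "sid=bbb222; Path=/"),         # fresh id, as expected
]


def parse(header):
    """Return {name: value} for a Cookie or Set-Cookie header string."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def find_respawned(capture):
    """Flag cookies re-issued with an old value to a request that sent none."""
    issued = {}    # (host, name) -> set of values already seen in Set-Cookie
    findings = []
    for host, sent_header, set_header in capture:
        sent = parse(sent_header)
        for name, value in parse(set_header).items():
            seen = issued.setdefault((host, name), set())
            # The client presented no such cookie, yet the server handed back
            # a value it had issued before: the identifier survived deletion.
            if name not in sent and value in seen:
                findings.append((host, name, value))
            seen.add(value)
    return findings


if __name__ == "__main__":
    for host, name, value in find_respawned(CAPTURE):
        print(f"respawned cookie on {host}: {name}={value}")
```

A cookie that carries the same fixed value for every visitor, such as a language setting, will also match, so confirm that a flagged value is unique to the user before treating it as a tracking identifier.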
In addition, Turn has a cookie syncing feature: when a user comes across a Turn URL tracker, the Turn tracker loads additional trackers, which increases the information they have about you and your habits.
Fortunately, the EFF has tried and tested ways that you can use to defend yourself from this tracking, aside from the potentially expensive option of using a VPN.
You can read more on this issue here.