Verizon Wireless is under fire from privacy and security advocates for tampering with user web activity and injecting user identification codes.
These identifiers allow advertisers, hackers and virtually anyone with access to the code to track users connected to the Internet via Verizon's network.
These codes, which act like permanent cookies that cannot be deleted, were first pointed out by Jacob Hoffman-Andrews, a researcher at the Electronic Frontier Foundation (EFF).
In an interview with Wired, Hoffman-Andrews explains that every time a user visits a website using data on his mobile phone, Verizon tags on an HTTP header containing an identification code specific to that device, which goes out with all web traffic passing through Verizon's network.
The header doesn't necessarily contain sensitive information about the user, but anyone can use it to figure out whether requests for websites, images and other information have been made through the device. All this is part of Verizon's tracking program called Precision ID, which allows third-party advertisers to post targeted advertisements by tracking what Verizon calls each device's Unique Identifier Header (UIDH). Verizon provides more details about its program here (pdf).
Hoffman-Andrews believes Verizon should stop using UIDHs. At the very least, Verizon should have disclosed the practice to customers instead of waiting two years for security researchers to dig it out.
"ISPs are trusted connectors of users, and they shouldn't be modifying our traffic on its way to the Internet," Hoffman-Andrews says.
However, Verizon defends its practice by saying it does not use UIDHs to monitor customer activities on the web or create specific user profiles. Moreover, the wireless carrier also says users can opt out of its Relevant Mobile Advertising (RMA) program, so that Verizon's advertising partners do not receive demographic and interest-based information about these customers.
"It's important to note that information about web browsing is not part of the RMA program, which customers can choose to opt out of by changing their privacy options at any time," Verizon spokesperson Debra Lewis says. "We do not provide any data related to the UIDH without customer consent and we change the UIDH on a regular basis to prevent third parties from building profiles against it."
Hoffman-Andrews, however, argues that even if Verizon does not track users' activities online, advertisers still can. The identifying headers, as Lewis confirms, cannot be deleted. This means other privacy protection tools and methods, such as deleting cookies, clearing cache, enabling Do Not Track and AdBlock extensions, are rendered useless because of Verizon's identifiers.
For now, the only way for users to block Verizon from using identifying headers is to visit websites encrypted with SSL or to access the Internet through their own Wi-Fi network or Virtual Private Network.