Verizon supercookie uses http header injection to track users

[Aquinus]

Yeah, no denying that. But it's only paranoia if they're NOT really out to get you.

I think you're over exaggerating how much "people" (namely companies and the government,) are tracking you. They don't need a little unique ID to learn everything about you. If some organization really wanted to "get you" they wouldn't need a stupid HTTP header like this to do it. But statements like that prove you have an attribution bias on the subject at hand. Fear is a powerful tool and succumbing to it doesn't make you right.

 

[ZenZimZaliben]

Here is the basic code used to extract your carrier from the header...This is all it does.

if headers['MSISDN'] then -- TMO
provider = 'TMO'
acr = crypt.hash(headers['MSISDN']);
elseif headers['X-UIDH'] then -- VZN
provider = 'VZW'
acr = headers['X-UIDH'];
elseif headers['x-up-subno'] then -- ATT
provider = 'ATT'
acr = headers['x-up-subno']
elseif testmode then
if not etag and headers['FAIL'] == 'true' then
ngx.exit(ngx.HTTP_NOT_FOUND)
end
end

So other then detecting the device you are on it doesn't do much else, just looking at that code it is almost not worth discussing. It is basically the same as Browser or Device detection such as Mobile/PC/Tablet. This just extracts what carrier the device uses.

 

[twilyth]

I think you're over exaggerating how much "people" (namely companies and the government,) are tracking you. They don't need a little unique ID to learn everything about you. If some organization really wanted to "get you" they wouldn't need a stupid HTTP header like this to do it. But statements like that prove you have an attribution bias on the subject at hand. Fear is a powerful tool and succumbing to it doesn't make you right.

You need to work on your sense of humor.

 

[Mindweaver]

I'm for data collection... Please, hurry up and figure me out, and only show me what I like to buy, and what stores have it close to me...

 

[twilyth]

For those that didn't believe this is an important issue, read this article - http://www.extremetech.com/mobile/1...ies-refuses-to-honor-its-own-opt-out-requests

Let’s say you visit a website that employs this method without the Verizon header. As detailed at Webpolicy.org, the system simply installs a standard tracking cookie. If you visit it with a Verizon header, the system sets a cookie ID that corresponds to the Verizon header. Remove the tracking cookie, and the system promptly reinstates it with the Verizon header. That’s why it’s being called a “zombie” cookie — it comes back once deleted.

No, the advertiser doesn’t know that UID=123456789 is John Doe from Maryland, but the advertising network can track everywhere that John Doe goes, every website he visits, and every page he touches. If you delete the tracking cookie it’s promptly reconstituted and reassociated with your profile. Full details are available at Mayer’s website, but the collateral damage is significant. Laptops tethered to cell phones on Verizon’s network, for example, can be infected by this process.

 

[qubit]

This reminds me of Intel's processor serial number scandal with the P3 all those years ago. Somehow it doesn't surprise me that these big companies will find any and all ways to track what you do.

People shouldn't be so blase about it.