Is Verizon Burying Its Header In The Sand? Privacy Concerns About The ‘Zombie Cookie’ Abound

A tracking mechanism that won’t die, even when a user actively opts out? That’s one tough cookie.

Privacy advocates are turning up the heat on Verizon Wireless again with a flurry of reports decrying what’s become popularly known as the “zombie cookie,” a unique ID header developed by Precision Market Insights, the carrier’s data-driven and addressable advertising arm, to deal with the issue of mobile tracking and mobile data collection.

General awareness of the super-cookie first hit critical mass last fall when security experts raised the alarm that something was up with Verizon’s unique identifier header (UIDH), which enables advertisers and other third parties to track users on their mobile devices by injecting code into web traffic. The cookie persists even if a user clears their cache, enters private browsing mode or opts out of the program.

Verizon downplayed the issue, noting at the time that although there was no way for subscribers to turn off the tracking completely, users could take steps to opt out of seeing targeted ads. End of story.

But Stanford University researcher and computer scientist Jonathan Mayer suspected that it wasn’t the end of the story – and he was quite right.

“Verizon made a number of statements suggesting that there was no privacy risk here and that the header couldn’t be used for tracking users – or, at least, wouldn’t be,” Mayer told AdExchanger. “But this is a new way of tracking people. It’s more permanent than the others, it’s less detectable – oh, and by the way, you can’t turn it off.”

In December, Mayer, a Ph.D. candidate focused on government surveillance issues, went “Verizon zombie hunting.” He decided to try and spot companies that were obviously and actively engaged in using Verizon’s header for tracking purposes by resetting his cookies and examining the requests for specific behaviors.

Turning Up The Heat

In short order, he found what he was looking for: Turn. The DMP-DSP hybrid seemed to be using Verizon’s header to resurrect deleted tracking cookies.
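The test described above (reset cookies, then examine what comes back) can be written as a small audit over recorded traffic. This is an added example, not Mayer's code; the record fields, host names and ID values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Exchange:
    """One request/response pair recorded by a test browser."""
    host: str                   # third-party host contacted
    cookie_sent: Optional[str]  # ID cookie the browser sent; None right after a clear
    cookie_set: Optional[str]   # ID value the response set, if any
    carrier_id: Optional[str]   # carrier-injected header value, as seen by an echo server


def find_respawned_cookies(exchanges):
    """Flag responses that re-issue an ID the browser no longer holds."""
    seen = {}  # host -> {cookie ID: carrier ID it was first observed with}
    findings = []
    for index, ex in enumerate(exchanges):
        known = seen.setdefault(ex.host, {})
        # An empty cookie jar should yield a fresh ID; an old one means the
        # server re-linked the browser through something other than the cookie.
        if ex.cookie_sent is None and ex.cookie_set in known:
            findings.append({
                "index": index,
                "host": ex.host,
                "cookie": ex.cookie_set,
                "same_carrier_id": ex.carrier_id is not None
                and known[ex.cookie_set] == ex.carrier_id,
            })
        for value in (ex.cookie_sent, ex.cookie_set):
            if value is not None:
                known.setdefault(value, ex.carrier_id)
    return findings


# Constructed observations; hosts and ID values are placeholders.
SAMPLE = [
    Exchange("tracker.example", None, "A1", "U-111"),  # first visit on cellular
    Exchange("tracker.example", "A1", None, "U-111"),  # normal return visit
    Exchange("tracker.example", None, "A1", "U-111"),  # after clearing: old ID is back
    Exchange("other.example", None, "B7", "U-111"),    # first visit to a second host
    Exchange("other.example", None, "C9", "U-111"),    # after clearing: fresh ID
    Exchange("tracker.example", None, "D4", None),     # Wi-Fi control, no carrier header
]

if __name__ == "__main__":
    for finding in find_respawned_cookies(SAMPLE):
        print(finding)
```

Only the third record is flagged: the browser sent no cookie, yet the host handed back the ID it had issued earlier while the carrier value was unchanged.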

[Note: Turn is one of Verizon’s marquee partners through Precision Market Insights, along with BrightRoll (acquired by Yahoo in November) and RUN (acquired by Publicis Groupe in late October). Verizon’s relationship with BrightRoll and RUN predates both acquisitions.]

According to an industry source with knowledge of the matter, RUN uses the Verizon header “the way it was meant to be used” – as a device identifier – and has never tied the UIDH to cookies for targeting purposes.

In terms of what BrightRoll’s up to, the company declined to offer more than this prepared statement: “BrightRoll and Yahoo are committed to our users’ privacy and offer users transparency and controls built in. We do not employ any method to resurrect previously deleted cookies.”

Mayer’s discovery flies in the face of Verizon’s previously stated claims – that third parties wouldn’t use its UIDH to collect data and establish user identity. On the FAQ page about its UIDH, Verizon claims that it is:

“...unlikely that sites and ad entities will attempt to build customer profiles for online advertising or any other purpose using the UIDH for two reasons. First, the UIDH changes frequently. Second, other permanent and longer-term identifiers are already widely available in the wireless area and could be used to build customer profiles. For ad tech entities that have a presence on many websites, the UIDH does not provide any information beyond what those entities have by virtue of these and other already existing IDs.”

In other words, everything will probably be OK – but it doesn’t matter because others out there are doing the same or more.

Precision Market Insights VP Colson Hillier put it like this to AdExchanger during a previous interview: “Our PrecisionID changes every seven days – and it can change if a customer calls us and opts out of a particular program. Then bam, it’s gone. Even if one of our strategic partners is running a campaign and tries to say, ‘The next time I see this PrecisionID, I’ll remember that it was in a certain segment’ – it doesn’t exist anymore. It’s vanished. It’s not a persistent cookie that raises privacy concerns.”

But Mayer isn’t buying it.

“That’s a great example, from a technical perspective, of a boneheaded way to handle privacy,” he said. “Rotating the header every week doesn’t do much to mitigate the privacy risk. You could simply combine it with other tracking technology to bridge the gaps that occur every week. They say it’s anonymous, but it’s really pseudonymous, and pseudonymous methods are used to track people all over the web.”

AdExchanger’s industry source isn’t buying it either.

“Tying the Verizon ID to stored cookies without taking opt-outs or cleared cookies into account is something that shouldn’t be done,” the source said. “In this case, it appears Turn was doing something on their own, outside of the scope of what Verizon permissions via their partnerships and approved use cases of their ID.”

Turn responded quickly to the negative press, first with one blog post defending its practices and then a second two days later in which the company’s chief privacy officer and general counsel, Max Ochoa, said that Turn “will suspend the reassociation of a cleared Turn browser cookie with a Verizon UIDH pending a re-evaluation.”

“Turn’s initial reaction was, ‘Yes, we’re doing this, but it’s entirely legitimate and we do give users sufficient choices,’ and then they flip-flopped,” Mayer said. “My secondhand understanding is that Verizon didn’t intend to have its header used this way and Turn was implying that it did. There was seemingly some dissent between the two companies.”

In a conversation with AdExchanger, Ochoa took issue with one of the basic assertions in Mayer’s piece and other media reports – namely, he disagreed that clearing cookies is a proxy for opting out of being tracked or served targeted ads.

“There is the implication that clearing cookies is an accepted form of signaling to the industry that a person doesn’t want behavioral advertising,” Ochoa said. “The only way for an individual to express that they want to opt out is to go to the NAI [National Advertising Initiative] or the DAA [Digital Advertising Alliance] – or to Turn.com.”

While it’s possible that cookie clearing doesn’t necessarily signify an opt-out – perhaps a user clears out cookies because he doesn’t want others to see his browsing habits – it’s important to note that it’s possible to clear browsing history without touching cookies.

So, what exactly was happening with the so-called zombie cookies in Turn’s system? According to Ochoa, everything was always kosher on Turn’s back end – even though technically savvy users might have noticed what looked like a perma-cookie haunting the Verizon header even after clearing their cookie cache. Ochoa went so far as to thank Mayer for pointing out what he referred to as a simple coding problem.

“The way our system was codified, it looked like Turn wasn’t remembering the opt-out, so to Mr. Mayer, it looked like we were doing two things wrong: that we weren’t respecting his cleared cookie and that we weren’t preserving his choice not to receive tailored advertising,” Ochoa said. “In fact, we were preserving that choice, but on our server. We were not delivering ads against those cookies, but [outside sources] couldn’t confirm it.”

As a short-term fix, Turn has corrected its code so that outside users are now able to independently verify that their cleared cookies were not being resurrected. Ochoa said Turn’s engineering and product people are also in the process of combing through the code to figure out what needs to be changed so that the “‘zombie’ cookies are quite dead.” That process should be completed by the beginning of February.

In an interesting twist, Ochoa has scheduled lunch meetings with Mayer and with other privacy advocates for early February in an effort to “start a dialogue and make more informed decisions about practices.”

What’s On The Horizon For Verizon?

Verizon itself didn’t have much to offer in the way of response other than this canned quote: “The intent of the UIDH is to be used as part of our advertising programs, which have robust privacy protections, not as described in recent media reports. We are evaluating how third parties are using the UIDH in this evolving ecosystem and considering any appropriate response.”

It’s a disappointing reaction, Mayer said.

“The million-dollar question – or however much it’s worth to Verizon – is whether Verizon is going to back down. They’re in a position to end the whole header debacle. AT&T was doing something similar last year to what Verizon is doing, but AT&T walked away. Actually, I can’t think of another company that ran away from a privacy problem quite as quickly,” Mayer said. “But Verizon stuck to its guns. They’re in a defensive crouch on this issue and that’s a shame.”

A shame for consumers, who want more control over their privacy – and a potential shame for Verizon on the regulatory front.

“If Verizon doesn’t get rid of the header, I could see some regulatory agencies start to take an interest and it would be entirely warranted,” Mayer said. “And even all of Verizon’s lobbying [power] couldn’t buy them out of an investigation or enforcement if the FTC or the FCC was determined.”

However, not everyone thinks that Verizon is at fault – or at least, Verizon shouldn’t be the only one whose proverbial feet are being held to the fire.

"As an industry, we must take our positions seriously and default to a privacy conscious/sensitive position with respect to how consumer actions should be interpreted [and] we must embrace our responsibility as innovators and ask ourselves the questions that aren’t ‘regulated,’” said AdExchanger’s industry source. “That is not a Verizon-only responsibility, but an industrywide one. If we do not, the real consequence will be our ability to innovate and develop solutions that truly benefit consumers and our ecosystem at large."

We Still See You

But as it stands now, the crux of the issue remains: Even when consumers opt out of receiving targeted ads, it doesn’t stop them from being tracked. Today, most opt-out policies are a bit like “privacy theater,” Mayer said. Opt-out pages are often difficult to navigate – or to even locate in the first place.

“Regrettably, it’s very common for opt-out policies to not actually curtail tracking, which is where I think Turn was coming from, and it’s the way the entire industry has evolved,” he said. “We know, based on the technical evidence, that almost no one uses the opt-out pages and they’re not even designed to be easy to use.”

But although Turn is the ad tech scapegoat, it didn’t singlehandedly create the digital ad ecosystem.

“One of the reasons why the zombie cookie issue continues to look really bad for the industry is that it emphasizes a fundamental error in not letting people control tracking,” Mayer said.

It’s a sentiment that Avi Spivack, senior director of product commercialization at data co-op Adroit Digital – a business that relies on the smooth flow of consumer data – can get behind.

“We owe it to the industry to maintain the evolution towards a more open environment in terms of a dialogue with consumers and Internet users so they don’t feel like something nefarious is going on,” Spivack said. “If somebody wants to opt out, we need to honor that. The minute we start to make the consumer suspicious, there’s going to be a backlash. So, let’s be above board about it as much as we can, because the end goal is the same: a digital marketing ecosystem with an open exchange of information where consumers are more willing to share.”

But that ecosystem won’t be achieved without a more “honest debate” around defaults, said Mayer, noting that most consumers are automatically opted in for tracking. Such is the case with Verizon’s PrecisionID.

“There’s been an uptick in cookie-blocking features, but if they’re not turned on by default, they’re not used,” he said. “What we should be thinking about is giving consumers privacy by default instead of having the advertising industry and the self-regulatory bodies focus on opt-outs that people never use.”

Rather than pushing things like consumer education or AdChoices, which haven’t proven to be all that effective yet – a study conducted by Parks Associates last January found that, three years after its release, only 6% of consumers were aware of what the DAA’s little blue opt-out icon even meant – Mayer called on the industry to stop kidding itself.

“Those are just a distraction from the real issue,” Mayer said. “When self-reg insists on focusing on policies that we know have failed, it suggests that self-reg has also failed.”

But now it's Ochoa's turn to be a bit skeptical – especially on the privacy by default front.

“There are people who feel that privacy should be the default, but why should they feel like that about the Internet as opposed to every other medium that has ever been developed by society to communicate messages, all of which are not opt out – everything from magazines and newspapers to television, radio or the town crier," he said. "The only way to opt out of a TV ad is to turn off the TV, but for some reason that’s not clear to me, people want the Internet to somehow be different.”

One response to that could be that the Internet is different. The Internet isn't any one thing – it's a combination of intent, purchase data, browsing behavior and PII all rolled into one. Ochoa wouldn't bite.

“That might be true to some extent, but if you’re a magazine subscriber, we know where you are and we target you," he said. "If you use a loyalty card in any grocery store, we know exactly what you buy and that information is shared with credit card companies and marketers.”

 
