Verizon pays $1.35M FCC settlement for using "supercookies"



This is basically the relationship my wife has with Verizon, it’s pretty fucked up, but she won’t let Verizon screw us on that phone bill!


The company says customers don’t need to worry about future privacy
invasions because it “made several changes to our advertising programs
that have provided consumers with even more options.”

Translation: “We got caught this time, but that just means that we have incentive to come up with a slightly different method for tracking every little move that our captive markets make. We have to do this–our advertisers depend on it.”


I think that comes to about 5.26 minutes of revenue (from 2015 numbers).


If I am not mistaken, this was a deep packet insertion of a user ID field “X-UIDH” into the HTTP header. Nothing happened on the user’s computer itself, everything was done on the network provider’s side of the cable. While this procedure had the effect of a cookie (tracking the user), and was popularly called so, it technically wasn’t one, but something rather sneakier (using technical terms).

Edit: I think with 1.35 M $ they got off cheap. They have been tampering with the content of people’s communications. In some jurisdictions, that might be regarded as a felony.


Pretty much my thoughts. This happens in every market, a company will toe the line of what they can get away with and when they get caught they apologize… and start all over again with a new method.


She might have had a similar experience as me. I work for a company that sells industrial equipment, some of which has to make automated phone connections through Verizon Wireless for maintenance and monitoring. Shit was not working, so I emailed support. The answers were polite and vacuous. I badly needed an answer to that technical question and kept pressing on. It took me unreasonably long (like, 5 or six mails in both directions) to realize that the replies came from a fucking chat bot. :robot:

Edit: I ended up telling our marketing guy to tell the customers that Verizon was unreliable and if they want their equipment to work they need to go through another operator.


1.35m seems hardly punitive to a company this size. Maybe 1.35b. Like enough that the shareholders are pissed there’s no profit for two quarters. C’mon FCC, let’s be real.


That’s what I was thinking. Make the fine hurt the company and they will change. If it’s just a minor annoyance for them, they won’t care and will try again.


The…wonderful people…who provide the means to implement this ‘feature’ prefer the term “HTTP Header Enrichment”. A search for that term will bring up documentation from various carrier-switching-widget vendors extolling its virtues. (This, from Cisco, is particularly blatant about exactly who is being ‘enriched’ here.)

As you note; absolutely nothing needs to happen on the client, the modifications are made by the carrier to traffic between the cellular device and the remote host. Only viable defense is to force all traffic from the phone through a VPN so that the telco never actually gets to see anything except the tunnel.
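
The header insertion described in the posts above is visible from the receiving end: send a plain-HTTP request to an echo endpoint you control and compare what arrived with what was sent. This is an added example, not part of the thread; the request text, the host `echo.example`, the proxy name and the X-UIDH value are constructed.

```python
# Added example. All request text below is constructed sample data.
TRACKING = {"x-uidh"}                       # header named in the thread
PROXY = {"via", "x-forwarded-for"}          # headers an ordinary proxy may add

def parse_headers(raw):
    """Header block of a raw HTTP/1.x request -> {lowercased name: value}."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip request line
        if not line:                 # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue                 # malformed line, ignore
        key, value = name.strip().lower(), value.strip()
        # Repeated headers are joined with a comma, as HTTP permits.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def classify_changes(sent_raw, seen_raw):
    """Compare what the client sent with what the echo server received."""
    sent, seen = parse_headers(sent_raw), parse_headers(seen_raw)
    report = {"tracking": {}, "proxy": {}, "other_added": {}, "modified": {}}
    for name, value in seen.items():
        if name not in sent:
            bucket = ("tracking" if name in TRACKING
                      else "proxy" if name in PROXY else "other_added")
            report[bucket][name] = value
        elif sent[name] != value:
            report["modified"][name] = (sent[name], value)
    return report

SENT = ("GET /echo HTTP/1.1\r\nHost: echo.example\r\n"
        "User-Agent: test-client\r\nAccept: */*\r\n\r\n")
# Same request as seen by the server after on-path modification (constructed).
SEEN_PLAIN_HTTP = ("GET /echo HTTP/1.1\r\nHost: echo.example\r\n"
                   "User-Agent: test-client\r\nAccept: */*\r\n"
                   "X-UIDH: CONSTRUCTED-PLACEHOLDER-ID\r\n"
                   "Via: 1.1 example-proxy\r\n\r\n")

if __name__ == "__main__":
    print(classify_changes(SENT, SEEN_PLAIN_HTTP))
    # Through a tunnel the server sees the request exactly as it was sent.
    print(classify_changes(SENT, SENT))
```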


“Let’s all just agree that mistakes were made, and, rather than playing the blame game, let’s move on…”, says any politician or corporation caught with its body parts where they shouldn’t be.

Or “Look forward, not backward” as our now-outgoing Change Candidate said RE: any minor little ‘torture’ hijinks that may have occurred in moments of patriotic excess.


Came to say the first part, and to scoff at the second. We’re in 'Merica, bub, and if you’re a corporation or U.S. Gov’t entity, then that’s exactly what you do.

It greatly pisses me off that this is the new norm.

EDIT: Quoting fuzzyfungus:

“Only viable defense is to force all traffic from the phone through a VPN so that the telco never actually gets to see anything except the tunnel.”

Related: DuckDuckGo search for “VPN client Android”. iPhone users need to contact Cory so he can best formulate the correct search terms–I’m not sure how to correctly capitalize the name.


The other advantage of the ‘tunnel everything’ approach is that you can, if you control the VPN host, run more robust tools for monitoring and filtering what goes in and out.

The situation is a little better than it used to be; but mobile devices are still fairly poor for control of potentially malicious ads and scripts; and (barring certain suitably hacked over Android ROMs) pretty much useless at observing what various ‘apps’ are up to. And, even to the degree the tools are available, running an entire paranoid-network-edge-device on your phone isn’t exactly easy on RAM or battery life. The VPN host, on the other hand, is perfectly suited to running whatever filtering, logging, and rewrite tools you want running border security.

