If I am not mistaken, this was a deep packet insertion of a user ID field “X-UIDH” into the HTTP header. Nothing happened on the user’s computer itself, everything was done on the network provider’s side of the cable. While this procedure had the effect of a cookie (tracking the user), and was popularly called so, it technically wasn’t one, but something rather sneakier (using technical terms).
Edit: I think with 1.35 M $ they got off cheap. They have been tampering with the content of people’s communications. In some jurisdictions, that might be regarded as a felony.
