An advertising company called Turn is using Verizon Wireless's "indestructible cookie" identifiers to "resurrect" deleted browser cookies and track individual Internet users to send them targeted ads.
This means that Turn can track individual Verizon customers on both computer and mobile devices, even if those users have cleared their browser cookies in an attempt to prevent online companies from tracking them, by using Verizon's "unique identifier header" (UIDH) to restore the deleted cookies.
Verizon's UIDHs are unique strings of letters and numbers that correspond to individual Verizon Wireless subscribers. Starting in 2012, Verizon began the practice of attaching these UIDHs to each HTTP request -- including every website visited and every ad hosted on those websites -- that Verizon subscribers send.
This happens even if Verizon customers opt out of Verizon's ad-tracking programs. And despite their nickname of "indestructible cookies," UIDHs are not in fact cookies, so clearing your browser's cookie cache won't make them go away. Verizon claims on its website that "It is unlikely that sites and ad entities will attempt to build customer profiles for online advertising or any other purpose using the UIDH" because the UIDH "changes frequently."
Stanford computer scientist and lawyer Jonathan Mayer has been keeping an eye on these Verizon UIDHs. "Out of curiosity, I went looking for a company that was taking advantage of the Verizon header to track consumers," he wrote in a post on his website, Web Policy. "I found one -- Turn, a headline Verizon advertising partner."
These profiles do not contain any "generally recognizable personally identifiable information," Turn says on its website. This includes phone numbers, email addresses or credit cards.
But what Turn does that other advertising companies don't is include users' UIDH in the profiles. As Mayer explains, Turn "bolt[s] the [Verizon] header onto existing cookie tracking."
So, if a Verizon user clears his or her cookies in an attempt to stop advertising agencies from tracking them, Turn can still see that user's UIDH, and use that unique identifier to look up and restore the old deleted cookies, or "zombie cookies," as Mayer and other experts call them.
Turn then shares these "zombie cookies" with other ad networks, including Google, Facebook, Yahoo, Twitter, Walmart and WebMD, according to Mayer.
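An added example, not from the article or from Mayer's own tooling: one way an auditor could spot a respawned cookie in captured traffic, by flagging any cookie value that a tracker sets again after the browser has stopped sending it. The capture, host and cookie names are constructed, and `X-UIDH` is assumed as the injected header's name, which the article does not give.

```python
from http.cookies import SimpleCookie

# Constructed capture for one tracker host, in time order: (request headers, response headers).
CAPTURE = [
    ({"Host": "ads.example", "X-UIDH": "CONSTRUCTED-UIDH-1"},
     {"Set-Cookie": "uid=abc123; Path=/"}),                      # first visit, ID issued
    ({"Host": "ads.example", "X-UIDH": "CONSTRUCTED-UIDH-1",
      "Cookie": "uid=abc123"}, {}),                              # normal return visit
    ({"Host": "ads.example", "X-UIDH": "CONSTRUCTED-UIDH-1"},    # cookies cleared by user
     {"Set-Cookie": "uid=abc123; Path=/"}),                      # same ID comes back
]

# Constructed control: no injected header, so a cleared browser gets a fresh ID.
CONTROL = [
    ({"Host": "ads.example"}, {"Set-Cookie": "uid=v1; Path=/"}),
    ({"Host": "ads.example"}, {"Set-Cookie": "uid=v2; Path=/"}),
]


def cookie_values(header_value):
    """Parse a Cookie or Set-Cookie header value into {name: value}."""
    jar = SimpleCookie()
    jar.load(header_value or "")
    return {name: morsel.value for name, morsel in jar.items()}


def find_respawned(capture, id_header="X-UIDH"):
    """Return one finding per cookie value re-issued to a client that no longer sent it."""
    issued = {}  # (host, cookie name, value) -> id_header value seen when first issued
    findings = []
    for index, (request, response) in enumerate(capture):
        host = request.get("Host", "")
        sent = cookie_values(request.get("Cookie"))
        for name, value in cookie_values(response.get("Set-Cookie")).items():
            key = (host, name, value)
            if key in issued and name not in sent:
                first_header = issued[key]
                findings.append({
                    "exchange": index, "host": host, "cookie": name, "value": value,
                    # True when the same injected identifier accompanied both requests.
                    "same_header": first_header is not None
                                   and first_header == request.get(id_header),
                })
            issued.setdefault(key, request.get(id_header))
    return findings


if __name__ == "__main__":
    for finding in find_respawned(CAPTURE):
        print(finding)
```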
"How those firms use Turn’s ID, I can’t say — it’s entirely possible that some unknowingly tracked users with a zombie value. They certainly possessed sufficient information. It’s especially likely for businesses that dropped their own tracking cookie with Turn’s ID," Mayer wrote.
San Francisco-based digital-rights group the Electronic Frontier Foundation (EFF) called Turn's and Verizon's practices a "spectacular violation of Verizon users' privacy" in a post on its website.
"This contradicts standard browser privacy controls, users' expectations, and Verizon's own claims that the UIDH header won't be used to track users," wrote EFF's Jacob Hoffman-Andrews in the post, arguing that people who delete their cookies are implicitly saying they don't want to be tracked.
Turn insists that its practices are appropriate. "Clearing cookies is not a reliable way for a user to express their desire not to receive tailored advertising, and Turn absolutely respects a consumer’s opt-out preference when expressed in the only way the online ad industry is sure to recognize," wrote Turn's Chief Privacy Officer Max Ochoa, responding to Mayer's research and the ProPublica article that broke the story.
The opt-out methods to which Turn is referring are: the Digital Advertising Alliance (DAA) opt-out page, the Network Advertising Initiative (NAI) opt-out page, and Turn's own opt-out page. Verizon customers must fill out a form at one of these three sites to avoid Turn's ad-targeting practices.