Ad Tech Firm, Turn, Found Harnessing Verizon’s Supercookie To Track Users

The fear that our cell phones can be used to continuously follow us for persistent, permanent ad targeting purposes is proving to be a rational one.

As Verizon Wireless has tried to assuage consumers and the media that its unique advertising headers–AKA “supercookies” because users can’t just delete them as they can with regular cookies–couldn’t be used by third parties for tracking and ad targeting if users opt-out of Verizon’s mobile advertising programs, an ad tech firm has been found doing just that. Jonathan Mayer, a lawyer and computer science PhD candidate at Stanford, found ad tech firm Turn taking advantage of Verizon’s unique ID header to track and target ads to Verizon Wireless users.

“In effect, Turn found a way to keep tracking visitors even after they tried to delete their digital footprints,” reported the New York Times in an article on Mayer’s research over the weekend.

With the tracking enabled, Turn can compile audiences based on geographic and demographic markers to sell ads against across a wide swath of the internet in real-time via its demand-side-platform (DSP).

In his blog post detailing his research, Mayer underscores the far-reaching consequences of this type of tracking.

“In my crawl, Turn’s zombie cookie was sent to or from over thirty other businesses. They included Google, Facebook, Yahoo, Twitter, Walmart, and WebMD. How those firms use Turn’s ID, I can’t say—it’s entirely possible that some unknowingly tracked users with a zombie value. They certainly possessed sufficient information. It’s especially likely for businesses that dropped their own tracking cookie with Turn’s ID”.

Mayer goes on to explain that the persistent unique IDs can cross over to other devices and from the mobile web to apps:

“The privacy impact also goes beyond individual mobile browsers. If a Verizon customer tethered with their phone, their notebook could get stuck with the zombie value. (The ultimate in cross-device advertising!) And the zombie value could spread between cookie stores on a device, including between the web browser and individual apps. (The ultimate in inter-app advertising!)”

The unique IDs (or cookies) persisted even though the accounts Mayer tested were opted-out of Verizon’s ad targeting programs, Relevant Mobile Advertising and Verizon Selects. Thus they’re dubbed “zombie cookies” — they can come back from the dead, regenerating when a user’s cookie ID is blank. Even after users opt out of these programs, Verizon can still inject it’s unique advertising header when users browse HTTP sites (HTTPS appears to be one way to block the header). Opting out of those programs only keeps Verizon from “passing along additional customer information. If a business is using the header as a tracking identifier–like Turn is–the Verizon preferences are entirely ineffective,” writes Mayer.

Furthermore, Mayer found that opting-out of Turn’s own tracking program via its website also failed to keep the zombie cookie from reappearing.

Mayer goes on to negate Verizon’s public comments about the privacy controls in its header. AT&T has said it has stopped its use of persistent tracking IDs in reaction to public scrutiny.

When asked about Turn’s use of Verizon’s header to renew its own tracking cookies, Praveen Atreya, a Verizon technology director, told the New York Times, “They did not talk to me. If they did, I would not have been satisfied.”

Mayer’s report will certainly add fuel to the argument that Internet Service Providers (ISPs) and broadband providers should be reclassified as “common carriers” as telecommunications services are. That classification would mean Verizon Wireless, AT&T and others would have to adhere to data-privacy rules prohibiting them from packaging and selling customer data to ad targeting services.

“We feel this practice is legal,” Max Ochoa, Turn’s chief privacy officer, told the New York Times. “But given people’s concerns, as soon as we get the new codes rolled out, we will suspend this practice.”