A few months ago, we noted how Verizon and AT&T were at the bleeding edge of the use of new “stealth” supercookies that can track a subscriber’s web activity and location, and can’t be disabled via browser settings. Despite having been doing this for two years, security researchers only just noticed that Verizon was actively modifying its wireless users’ traffic to embed a unique identifier traffic header, or X-UIDH. This identifier effectively broadcasts user details to any website they visit, and the opt-out settings for the technology only stopped users from receiving customized ads — not the traffic modification and tracking.
AT&T responded to the fracas by claiming it was only conducting a trial, one AT&T has since claimed to have terminated. Verizon responded by insisting that the unique identifier was rotated on a weekly basis (something researchers found wasn’t true) and that the data was perfectly anonymous (though as we’ve long noted anonymous data sets are never really anonymous). While security researchers noted that third-party websites could use this identifier to build profiles without their consent, Verizon’s website insisted that “it is unlikely that sites and ad entities will attempt to build customer profiles” using these identifiers.
As such, you’ll surely be shocked to learn that sites and ad entities are building customer profiles using these identifiers.