• by Wendy Davis , Staff Writer, January 15, 2015

The digital rights group Electronic Frontier Foundation is urging Verizon Wireless to abandon a tracking technology that enables ad networks to collect data and send targeted ads to mobile users -- even when they try to avoid tracking by shedding their cookies.

“It is clear that Verizon does not understand the privacy risks it is imposing on its customers,” the EFF says in a blog post this week.

Verizon's tracking system, which came to light last November, involves inserting a header into traffic on the mobile network. That header, called the UIDH, “is sent to every unencrypted Web site a Verizon customer visits from a mobile device,” the EFF said last November. “This tracker ... allows third-party advertisers and websites to assemble a deep, permanent profile of visitors' web browsing habits without their consent.”

Verizon said at the time that it didn't believe that scenario was likely to occur. “First, the UIDH changes frequently,” the company wrote in a guide to its tracking headers.

“Second, other permanent and longer-term identifiers are already widely available in the wireless area and could be used to build customer profiles. For ad tech entities that have a presence on many websites, the UIDH does not provide any information beyond what those entities have by virtue of these and other already existing IDs,” Verizon said.

But the telecom's prediction was wrong -- at least according to Stanford's Jonathan Mayer. He reported this week that the ad company Turn already uses Verizon's UIDH to collect data and send targeted ads to mobile users who delete their cookies. He wrote that Verizon's UIDH allows Turn to recreate deleted cookies -- small text files that store the kind of information used for ad targeting.

Turn acknowledges that it does so. “At Turn, we always use the most stable identifier available to inform our bidding and campaign execution,” Max Ochoa, Turn's general counsel and chief privacy officer, says in a blog post. “In the case of Verizon devices, we use the non-cookie UIDH identifier.”

Ochoa says that Verizon changes the UIDH at least once every seven days. (Verizon hadn't previously disclosed how long its UIDH lasts.)

“It is vital to note that clearing a cookie cache is not a widely recognized method of reliably expressing an opt-out preference,” he writes.

Ochoa says that Turn honors the industry's self-regulatory code and doesn't serve targeted ads to users if their cookies reveal that they opted out via links at sites operated by the self-regulatory groups Network Advertising Initiative or Digital Advertising Alliance. Turn also says it won't serve targeted ads to people who opt out via its own link, or Verizon's opt-out mechanism.

But when privacy-conscious users clear their cookies, they also delete the opt-out cookies installed by the DAA and NAI. (Verizon's opt-out mechanism can persist even when users delete their cookies, according to Turn.)

The upshot is that at least some Verizon Wireless users who believe they've taken steps to avoid targeted ads could receive them anyway. And almost all Verizon Wireless users will still face some data collection by Turn. (Like many ad companies, Turn collects information even from users who say they want to opt out of behavioral advertising. Ochoa tells MediaPost that Turn uses that information for frequency capping, among other purposes.)

Verizon hasn't responded to MediaPost's inquiries.

Meanwhile, the EFF says Verizon's tracking program “should be shut down today.”