Three Senate Democrats are asking the Federal Communications Commission and the Federal Trade Commission to investigate Verizon's decision to insert tracking headers -- also known as “supercookies” -- into mobile traffic.
“As we consider whether legislation may be necessary to fully protect consumers from the use of these supercookies, we also believe the Federal Communications Commission should use its full existing statutory authority to examine these practices,” Sens. Bill Nelson (D-Fla.), Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) write in a letter to the FCC. “In particular, the use of these supercookies may implicate the Commission's rules and policies related to consumer privacy and transparency.”
A Verizon spokeswoman said: “Verizon takes our customer’s privacy seriously. We’re aware of the letters and will respond.”
The letter marks the latest fallout from the news that the ad company Turn was drawing on Verizon's headers, called the UIDHs, in order to track people for behavioral advertising purposes. Even when users deleted their cookies, Turn was able to use the UIDHs to recreate those deleted files, according to research published last month by Stanford's Jonathan Mayer. Turn subsequently said it would stop using the UIDH for ad-targeting.
Nelson and the other lawmakers are specifically asking the FTC to “scrutinize all public and customer disclosures and information relevant to the use of [Verizon's] supercookie by third parties, including disclosures made before discovery of Turn's practices.”
Verizon started inserting the UIDH headers in 2012, but the practice didn't draw much attention until late last year, when privacy advocates said that ad networks and other outside companies could draw on the code in order to compile profiles of users. At the time, Verizon dismissed those concerns as unlikely, noting that it revised the headers frequently.
Verizon uses the UIDHs to track people's activity online and send them targeted ads. In the past, the company allowed people to opt out of receiving targeted ads powered by its own ad programs, but didn't allow users to opt out of header injections.
The telecom changed course late last week, when it said it will soon offer customers a way to opt out of the header injections. But privacy advocates say Verizon isn't going far enough. The digital rights group Electronic Frontier Foundation urged Verizon to stop using the headers altogether, or else ask customers to affirmatively opt-in to the headers -- also called “zombie cookies,” because they can be used to recreate cookies that users delete.
“The millions of Verizon customers who are unaware of the tracking header and their new ability to opt-out are still exposed to the risk of zombie cookies from firms less visible than Turn,” the Electronic Frontier Foundation said this week. “Customers who assume their mobile OS' tracking opt-out or their browser's privacy modes will be respected by Verizon are also still vulnerable.”
Verizon said in a letter sent to lawmakers on Wednesday that it “intends to continue to use the UIDH.”
The company also wrote that it's working to disable the UIDH for customers that are “ineligible to participate” in targeted ad programs, including “government and enterprise lines.”
Verizon added that it isn't aware of' other outside companies using the UIDH to track users. Its ad partners have promised that they won't use the UIDH to recreate deleted cookies.