Recent news that Verizon has been quietly helping advertisers track its wireless customers via unique identifiers, and AT&T’s professed plans to do the same, raise troubling privacy issues for consumers.
The moves signal the latest efforts by U.S. wireless carriers to monetize customer data by selling it to marketers for targeted mobile ad delivery purposes.
With over 200 million wireless customers between them, Verizon and AT&T own a wealth of consumer data. But like other wireless companies, they have been unable to exploit the data fully for a variety of privacy-related reasons and technical ones as well.
Chief among those reasons has been the lack of a mobile equivalent of a browser cookie for tracking smartphone users as they browse the Web with their devices. Marketers trying to deliver tailored advertisements on mobile devices have been largely stymied because of their inability to profile the web browsing habits of smartphone users.
Verizon’s Unique Identifier Header (UIDH) is designed to get around that shortcoming. It basically is a unique string of alphanumeric and special characters that is inserted into each web request that a user makes from his or her Verizon wireless device.
The UIDH gives web marketers a way to uniquely identify each Verizon wireless device that accesses a particular website and also to track the device across other websites that may be part of the same advertising network.
From a privacy standpoint, UIDH represents a huge problem, said Jeremy Gillula, a staff technologist at digital rights advocacy group Electronic Frontier Foundation (EFF).
For one thing, Verizon has been using it for nearly two years apparently without much notice to customers. The company’s use of UIDH in fact was discovered only after someone alerted EFF of the issue and the group decided to investigate.
“What Verizon is doing is taking the data you are sending out to a website and adding a header which has this unique ID to it that seems to follow you wherever you go.”
Unlike browser cookies that can be blocked or disabled, Verizon’s UIDH cannot be turned off by the user because the data insertion happens at the network level.
Widespread consumer concerns over this sort of persistent tracking of mobile devices have been holding back wireless companies from moving more aggressively into the mobile ad delivery space.
The biggest privacy concern is that this is a sort of persistent super cookie. “No matter what you do, the header gets sent out, giving marketers a way to tag users,” Gillula said. This is true even in situations where a user might have opted out of Verizon’s Relevant Mobile Advertising Program or blocked browsers from tracking them, he said.
The fact that consumers have to specifically opt out of the tracking is also troublesome because often many have little idea they are being tracked in the first place. A more privacy friendly approach is to offer an opt-in approach, Gillula said,
In a statement, Verizon downplayed privacy concerns and described UIDH as a temporary, anonymous identifier sent along with the address information that accompanies each Web request by a wireless user.
Verizon itself does not use the identifier to track where its customers go on the Web, the company stressed. If a customer has not opted out of Verizon’s Relevant Mobile Advertising program, Verizon’s ad serving partner will receive demographic and other information specific to that UIDH to help them deliver targeted ads, the statement noted.
The reason the UIDH is not disabled even when users opt out is because it has purposes that go beyond just mobile advertising. It is also used by Verizon to recognize and authenticate wireless subscribers to Verizon’s applications and those of other third parties, the statement said.
According to Verizon, advertisers are unlikely to build customer profiles using UIDH because the identifier changes frequently and because other permanent identifiers are available that marketers can use for this purpose.
AT&T Begins Testing
Verizon is not the only wireless carrier seeking to get into the mobile ad delivery business. Rival AT&T is already testing a tool that like Verizon’s UIDH will let marketers uniquely identify wireless users visiting websites using their mobile devices.
AT&T spokesman Mark Siegel confirmed the company’s plans to use the identifier to help advertisers deliver targeted mobile ads. But unlike Verizon, AT&T will disable the identifier for customers who opt out of its Relevant Mobile Advertising program, Siegel said. AT&T customers will be able to opt out all their devices from a single place if they do not want to participate.
“You not only will not get the ads, we are also not going to be sending any code. We will respect your wishes. It’s a slightly different approach,” from Verizon’s UIDH, Siegel said.
AT&T will also change the unique identifier every 24 hours as an added measure of protection against persistent tracking for people who participate in the mobile ad program, he added.
Much of what is going on in the space is being driven by the huge success of companies like Google in monetizing online customer data, said Jeffrey Chester, executive director of the Center for Digital Democracy.
“The nation’s broadband companies, including Verizon, AT&T and Comcast, have dramatically expanded their customer tracking, rising serious privacy and consumer protection issues,” he said. “Verizon and the others have “Google envy,” and want to reap the tremendous financial benefits by further monetizing their customer’s data,”
Despite their claims, little of what is going on is being done in a privacy appropriate manner, Chester maintained. “The FTC, FCC and state attorneys general should investigate and force these telecom giants to stop their unfair data surveillance practices.”
More on Identity Theft:
- Identity Theft: What You Need to Know
- How Do I Dispute an Error on My Credit Report?
- 3 Dumb Things You Can Do With Email