Victory against Verizon for violating privacy

Maybe you remember my post Verizon spies you out.

Today, Verizon gave up and decided to allow the customers to opt out of its UIDH Supercookie tracking program (see hold Verizon accountable for violating its users privacy for details).

So this is a victory against Verizon and now you may want check here: Verizon to learn how to opt out. But you may also want to check here: CPNI just in case you also want to opt out for Verizons CPNI.

This sounds like good news but why does every single user has to take action ? This is incredible and an ignorance of the customers expectations of privacy. If you read my post you know why.

“Verizion Test” in NetworkToolbox still available

At this point, I would like to remind you on the Verizon test I added to my app NetworkToolbox so you can check yourself if your iPhone or iPad still submits the UIDH. You can even check if you are not a Verizon customer.

Verizion is lying

Furthermore, Verizon is still lying. Yes, there is no other word which would adequately describe their following statement on the aforementioned website:

It is important to note that the UIDH is a temporary, anonymous identifier included with unencrypted web traffic. We change the UIDH on a regular basis to protect the privacy of our customers. We do not use the UIDH to collect web browsing information and it does not broadcast individuals’ web browsing activity out to advertisers or others.Verizon wrote

This is rubbish! See why:

Some users were so kind to send me their results of the Verizon Test of my NetworkToolbox app so I was able to find out the following (some information have been X-ed out here of course):

One user reported the following at one day:

IP: 70.192.85.XXX  UIDH: XXXyMTY1NDQyAHN9NinCLrAkO/DZNoMnX+zqPjWlJD/rGTV8JeGvSjdc

And a few weeks later this:

IP: 70.192.80.XXX  UIDH: XXXyMTY1NDQyAHN9NinCLrAkO/DZNoMnX+zqPjWlJD/rGTV8JeGvSjdc

So the IP address was different but the UIDH the same.

Another user reported this:

IP: 70.210.131.XXX  UIDH: XXX3NDI5Njg2NQCCGgKg3Pg0AeRF49zrPVGQJ6mMku1+YV1PbkqWhmUNKw==

And just two days later this:

IP: 70.210.132.XXX  UIDH: XXX3NDI5Njg2NQCTU6e+AvPSyJUuozY84f5P/wH856jPnSIDHuYAIJYbSw==

So here, the IP address obviously changes but also the UIDH did change.

Verizon said the UIDH is encrypted. Really ? Not really!

The UIDH is simply BAS64 encoded which is just another way of representing and packing a number. I wouldn’t really call it encrypted. So I BASE64-decoded both different UIDHs and voila: Both UIDHs contain one and the same number XXX4296865.

So is Verizon lying? Yes! The outcome of my investigation reveals that the UIDH is NOT temporary, not encrypted and in fact DOES broadcast individuals’ web browsing activity out to advertisers.

It is even easy to use by all websites not just of those of Verizon’s advertising customers.

In fact, Verizon is jeopardizing their customers privacy!

Don’t trust the evil!
Regards,
Marcus