Victory against Verizon for violating privacy

Maybe you remember my post Verizon spies you out.

Today, Verizon gave up and decided to allow customers to opt out of its UIDH Supercookie tracking program (see hold Verizon accountable for violating its users’ privacy for details).

So this is a victory against Verizon, and now you may want to check here: Verizon to learn how to opt out. But you may also want to check here: CPNI, just in case you also want to opt out of Verizon’s CPNI.

This sounds like good news, but why does every single user have to take action? This is incredible and ignores the customers’ expectations of privacy. If you read my post, you know why.

“Verizon Test” in NetworkToolbox still available

At this point, I would like to remind you of the Verizon test I added to my app NetworkToolbox so you can check for yourself whether your iPhone or iPad still submits the UIDH. You can even check if you are not a Verizon customer.

Verizon is lying

Furthermore, Verizon is still lying. Yes, there is no other word that would adequately describe the following statement of theirs on the aforementioned website:

“It is important to note that the UIDH is a temporary, anonymous identifier included with unencrypted web traffic. We change the UIDH on a regular basis to protect the privacy of our customers. We do not use the UIDH to collect web browsing information and it does not broadcast individuals’ web browsing activity out to advertisers or others.”
Verizon wrote

This is rubbish! See why:

Some users were kind enough to send me their results of the Verizon Test in my NetworkToolbox app, so I was able to find out the following (some information has been X-ed out here, of course):

One user reported the following on one day:

IP: 70.192.85.XXX  UIDH: XXXyMTY1NDQyAHN9NinCLrAkO/DZNoMnX+zqPjWlJD/rGTV8JeGvSjdc

And a few weeks later this:

IP: 70.192.80.XXX  UIDH: XXXyMTY1NDQyAHN9NinCLrAkO/DZNoMnX+zqPjWlJD/rGTV8JeGvSjdc

So the IP address was different, but the UIDH was the same.

Another user reported this:

IP: 70.210.131.XXX  UIDH: XXX3NDI5Njg2NQCCGgKg3Pg0AeRF49zrPVGQJ6mMku1+YV1PbkqWhmUNKw==

And just two days later this:

IP: 70.210.132.XXX  UIDH: XXX3NDI5Njg2NQCTU6e+AvPSyJUuozY84f5P/wH856jPnSIDHuYAIJYbSw==

So here, the IP address obviously changed, and the UIDH changed as well.

Verizon said the UIDH is encrypted. Really? Not really!

The UIDH is simply BASE64 encoded, which is just another way of representing and packing a number. I wouldn’t really call it encrypted. So I BASE64-decoded both different UIDHs and voilà: both UIDHs contain one and the same number, XXX4296865.
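The decoding step described above, as an added example (not the author's code and not part of NetworkToolbox): it BASE64-decodes the four UIDH values quoted in this post and groups them by the digit field that precedes the first NUL byte. The function names are hypothetical, and the code assumes the X-ed out part is exactly the first 4-character BASE64 group, so only the visible digits are recovered.

```python
import base64

# UIDH values exactly as quoted in the post (leading characters X-ed out there).
OBSERVATIONS = [
    ("user 1, first report", "XXXyMTY1NDQyAHN9NinCLrAkO/DZNoMnX+zqPjWlJD/rGTV8JeGvSjdc"),
    ("user 1, weeks later", "XXXyMTY1NDQyAHN9NinCLrAkO/DZNoMnX+zqPjWlJD/rGTV8JeGvSjdc"),
    ("user 2, first report", "XXX3NDI5Njg2NQCCGgKg3Pg0AeRF49zrPVGQJ6mMku1+YV1PbkqWhmUNKw=="),
    ("user 2, two days later", "XXX3NDI5Njg2NQCTU6e+AvPSyJUuozY84f5P/wH856jPnSIDHuYAIJYbSw=="),
]

# Assumption: the redaction covers the first 4-character base64 group, so
# skipping exactly one group keeps the remainder aligned for decoding.
REDACTED_CHARS = 4


def split_uidh(value):
    """Decode one UIDH and return (visible_digits, tail_bytes)."""
    raw = base64.b64decode(value[REDACTED_CHARS:], validate=True)
    digits, nul, tail = raw.partition(b"\x00")
    if not nul or not digits.isdigit():
        raise ValueError("value does not decode to digits + NUL + tail")
    return digits.decode("ascii"), tail


def group_by_digits(observations):
    """Map each decoded digit field to the reports that carried it."""
    groups = {}
    for label, value in observations:
        digits, tail = split_uidh(value)
        groups.setdefault(digits, []).append((label, tail))
    return groups


if __name__ == "__main__":
    for digits, reports in group_by_digits(OBSERVATIONS).items():
        tails = {tail for _, tail in reports}
        print(f"digits ...{digits}: {len(reports)} reports, "
              f"{len(tails)} distinct tail(s)")
        for label, tail in reports:
            print(f"  {label}: tail {len(tail)} bytes, starts {tail[:4].hex()}")
```

For the second user the digit field is identical in both reports and only the bytes after the NUL differ, so a changed header value still decodes to the same number.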

So is Verizon lying? Yes! The outcome of my investigation reveals that the UIDH is NOT temporary, not encrypted and in fact DOES broadcast individuals’ web browsing activity out to advertisers.

It can even be used easily by any website, not just those of Verizon’s advertising customers.

In fact, Verizon is jeopardizing their customers’ privacy!

Don’t trust the evil!
Regards,
Marcus


UPDATE: Verizon spies you out! – Verizon test added to NetworkToolbox

Verizon spies out their customers and creates behavioral profiles by deep packet inspection. They then even sell your data to make even more money.

You don’t believe me? Read further and finally check for yourself by using my recently added test to NetworkToolbox.

What Verizon does is insert some data into every network stream that goes from your device through their Wireless Cell/3G/4G/LTE network whenever you access any website. They are adding a special X-UIDH header that works like a supercookie. Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is even required.

This supercookie acts like a super UUID which uniquely identifies you to the website. Any website can track your visits and re-visits and linked websites can even track your visits to different websites.

But even worse: Verizon sells your identity to websites and closes the link between you as an anonymous visitor of a website and your real identity. It is not yet known to what extent Verizon sells your personal information, but they do, and they are making lots of money with it. They call it “PrecisionID”.

Apple was blamed for the existence of the unique device ID, and recently they even removed the MAC address (as you, as a NetworkToolbox user, will know). But such IDs can never be as dangerous as a unique ID inserted by your provider into every network stream between you and a website.

THIS IS CRAZY!

After hearing about that, I quickly created a scan for this type of information. To run this test, just perform a data update in your NetworkToolbox (if you haven’t already). Then, head to the “Security Check” icon and select “Verizon Supercookie Test”.

Verizon offers the following website to switch off this supercookie:

https://www.vzw.com/myprivacy (This link needs to be copied and opened in Safari. Read the “funny side-story” below to see why.)

I strongly suggest using that service, and once Verizon claims they switched it off, use the test to double-check whether they really did.

Even if you are not a Verizon customer, just run this test and see if there is anything else your provider adds to your data stream. If so, please contact me. Maybe we can reveal another spying provider. Would be interesting.

Funny side-story: If you visit the aforementioned Verizon link, you will visit a website with a wrong certificate. Normally you should never bypass such a browser warning (even though not all browsers will generate a warning). You can use NetworkToolbox to see what’s going on here. Just use the “Certificates” tool of NetworkToolbox and enter www.vzw.com and port 443 (which is HTTPS). Now, in the first line, you can see where the issue is. It says “verizonwireless.com” but must say vzw.com. This is why you get the warning.

So much for their technical expertise. Do you still trust them? I don’t.

Don’t trust the evil!
Regards,
Marcus

P.S. I am receiving a lot of mails from users per day. Some of you have new ideas but mostly questions. That’s fine and I really appreciate any mail. Please be patient if you don’t receive an immediate answer. I will either be busy on app improvements (like these days) or with answering mails.

However, based on the amount of mails, I assume there are a lot of people using my app even on a daily basis. On the other hand, there are just a few app reviews yet. If you are unhappy with my app, please let me know. My goal is to keep (or make) NetworkToolbox the best Network utility on the AppStore.

If you are happy, please write an app review (there is a button for that inside the app). App reviews are so important for app developers. Think about yourself: when will you purchase an app? Yes, when there are many reviews saying that this app is great.

Thank you!