Research from Stanford's Jonathan Mayer and ProPublica has shown that Verizon's undeletable UIDH mobile tracking header is being used by advertising and tracking company Turn.com to respawn deleted cookies. The only complete protection from being tracked by Verizon's injected headers is to follow the advice in Verizon's privacy policy, and not use their product at all:
"If you do not want information to be collected for marketing purposes from services such as the Verizon Wireless Mobile Internet services, you should not use those particular services."
But if you're trapped in a contract with Verizon Wireless, you may not be able to switch to another carrier. If that's the case, here's a review of which mobile apps (and desktop software, if you tether) will and won't protect you against UIDH and Turn.com's zombie cookies.
Which mobile apps protect you against Verizon and Turn?
We tested the following common mobile browsers and privacy apps:
App/browser | Platform | Protects against Verizon? | Protects against Turn? |
---|---|---|---|
AdAway | Android (rooted) | No | Yes |
AdBlock | Firefox for Android | No | Yes |
AdBlock Plus | Android (rooted) or Firefox for Android | No | Yes |
Chrome | Android or iOS | No | No |
Disconnect Pro | Android or iOS | Yes | Yes |
Firefox | Android | No | No |
Ghostery Privacy Browser | Android (iOS not tested) | No | No (yes if you press the "block" switch) |
HTTPS Everywhere | Firefox for Android | Partial | Partial (blocks cookie respawning) [1] |
Orbot + Orweb | Android (root recommended) | Yes | Yes |
Onion Browser | iOS | Yes | Yes |
Safari | iOS | No | Yes (if you're careful) [2] |
VPNs (e.g., Bitmask or any other privacy-friendly VPN) | Any | Yes | Yes |
Methodology: we installed each tool in its default configuration, and tested whether Turn was able to respawn its uid cookies after deletion in most situations.
Which desktop software protects you against Verizon and Turn?
If you tether your laptop to a Verizon device, or use a Verizon WiFi or USB mobile Internet connection, your laptop will be subject to non-consensual UIDH injection and tracking. Most of the mobile apps above are also available in desktop versions, but there are a few additional options:
Software/browser | Platform | Protects against Verizon? | Protects against Turn? |
---|---|---|---|
Internet Explorer | Windows, OS X | No | No |
Privacy Badger | Firefox, Chrome | No | Yes |
Tor Browser Bundle | Windows, Linux, OS X | Yes | Yes |
If you use Internet Explorer, you might consider a Tracking Protection List. Some of these help, others make the problem worse:
Tracking Protection List | Platform | Protects against Verizon? | Protects against Turn? |
---|---|---|---|
Abine TPL | IE 9+ | No | Yes |
EasyList TPL | IE 9+ | No | Yes |
EasyPrivacy TPL | IE 9+ | No | No [3] |
Privacy Choice -- all companies | IE 9+ | No | Yes |
Privacy Choice -- companies without NAI oversight | IE 9+ | No | No |
TRUSTe TPL | IE 9+ | No | No (makes the problem worse! [4]) |
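One way to check what a set of installed TPLs does to a given host, as an added example that is not part of the original article. The two lists and the domain `sync-partner.example` are constructed placeholders, and the rule that an allow (`+d`) entry overrides a block (`-d`) entry is an assumption about IE's precedence:

```python
# Added example: audit IE Tracking Protection Lists for coverage of one host.
# Both lists are constructed samples; sync-partner.example is a placeholder.
BLOCKING_TPL = """msFilterList
: Expires=1
# constructed sample list that blocks Turn and a sync partner
-d turn.com
-d sync-partner.example
-d cdn.example /pixel
"""
ALLOWING_TPL = """msFilterList
: Expires=1
# constructed sample list that whitelists the sync partner
+d sync-partner.example
"""

def parse_tpl(text):
    """Return (blocked, allowed) sets of domain-wide '-d' / '+d' rules."""
    blocked, allowed = set(), set()
    for raw in text.splitlines():
        parts = raw.split()
        # Skip the header, ': Expires' metadata, comments, and substring
        # ('- text') rules; a '-d host /path' rule is not domain-wide.
        if len(parts) != 2 or parts[0] not in ("-d", "+d"):
            continue
        (blocked if parts[0] == "-d" else allowed).add(parts[1].lower())
    return blocked, allowed

def covers(domains, host):
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def verdict(installed_lists, host):
    """Combine all installed lists; an allow rule overrides any block rule
    (assumed IE precedence), so a whitelist can undo another list's block."""
    blocked, allowed = set(), set()
    for text in installed_lists:
        b, a = parse_tpl(text)
        blocked |= b
        allowed |= a
    if covers(allowed, host):
        return "allowed"
    return "blocked" if covers(blocked, host) else "unfiltered"

if __name__ == "__main__":
    for lists in ([BLOCKING_TPL], [ALLOWING_TPL], [BLOCKING_TPL, ALLOWING_TPL]):
        for host in ("ad.turn.com", "px.sync-partner.example"):
            print(len(lists), host, verdict(lists, host))
```

Run against the lists actually installed, a host that comes back `allowed` despite a block rule elsewhere marks the list that is undoing the protection.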
Who needs to do better?
Some major takeaways about the software that does, and doesn't, protect you:
- Of the major browsers, only Safari offers even partial protection by default. Firefox, which has talked about offering better protection for its users, hasn't delivered anything practical yet.
- Amongst the ad- and tracker-blocking software, the results were surprising. Disconnect Pro, which includes both VPNs and tracker blocking, is a strong option, though it requires a subscription fee after a free trial period. Software like AdBlock, AdAway and AdBlock Plus, which don't claim to be privacy tools, or which require manual reconfiguration to block trackers, nonetheless protected their users against Turn. Ghostery, which claims to be a privacy tool, doesn't offer any protection by default! [5] EFF's own Privacy Badger works as expected, but isn't available on mobile yet (you can help out here!).
- The Google Play Store on Android has censored the apps that offer the most effective protection. Google needs to reverse this disastrous anti-user and anti-privacy decision, or be held accountable for Verizon and Turn's predation on their users.
- Defeating Turn's tracking is comparatively easy: users can (and are advised to) block all requests to Turn's domains. Verizon's practices are both a more profound violation of trust — we need to trust our ISPs as much as we trust our priests — and harder to protect against. If for some reason you need to use the Verizon Wireless network, encrypting your requests so Verizon can't tamper with them is the only answer, and currently Tor, VPNs, and (for partial but continuous protection) HTTPS Everywhere are the only answers.
Update: 2015-01-15: tl;dr this post was updated to shorten the introduction.
- 1. HTTPS Everywhere prevents Verizon from injecting tracking headers, but only for sites that it upgrades to HTTPS. Because it covers Turn.com, it should prevent Turn from ever receiving UIDH headers.
- 2. If you ever click on a link to Turn.com, even accidentally, Safari will allow third party cookies from that site.
- 3. The EasyPrivacy blocklist appears to have been designed to work in addition to EasyList, but this is likely to confuse many users. This is true both for the ABP and TPL versions of these lists.
- 4. The TRUSTe TPL whitelists some trackers that receive Turn's respawned cookies via a sync API. It therefore appears dangerous to install the TRUSTe TPL.
- 5. The Ghostery mobile app is somewhat better, in that it at least makes tracker blocking a prominent option. But we fear that most Ghostery desktop users think they're being protected when they are not.