Today, Verizon reached an agreement with the FCC to acquire affirmative consent before injecting their UIDH tracking header into their customers' web activity on non-Verizon owned sites. This is exactly what we asked them to do in November 2014, and is a huge win for Internet privacy. ISPs are trusted carriers of our communications. They should be supporting individuals' privacy rights, not undermining them.
Verizon started their tracking header program in 2012, but did not describe the program in its privacy policy at that time. In 2014, EFF analyzed the header and warned that it acted as an undeletable supercookie, bypassing typical steps people take to protect their Internet privacy, like deleting cookies or using browser extensions that block unwanted tracking.
After EFF publicized the details about the UIDH headers, and several news organizations picked up the story, we started to receive reports that AT&T was testing a similar tracking header, on a much smaller scale. AT&T did the right thing and halted the program in response to customer outrage.
In January 2015, Jonathan Mayer (who joined the FCC in November as Chief Technologist) published a study revealing that an advertising network named Turn was using the UIDH header to do exactly what Verizon claimed was impossible: Resurrecting deleted tracking cookies by using UIDH. This was particularly egregious because Turn was actually a Verizon advertising partner.
Following that news, in March 2015, Verizon finally announced their intent to implement opt-out from UIDH tracking. We stood firm on our opinion: this was a half measure that did not take into account the invasiveness of modifying customer traffic for non-routing purposes.
Today's news sets a new standard: ISP tracking is a great risk to individual privacy, and requires a correspondingly high standard of consent.
What's next
This agreement covers one specific form of tracking. There are other ways ISPs can implement the same tracking that would be much harder to detect. They can send tracking data only to selected web sites, hindering detection by third parties. ISPs can (and some very likely do) hide tracking data in a lower protocol layer, like TCP or IP, setting fields that are normally random based on an agreed-upon code. Or they could log all user browsing activity themselves and share it upon request. Detecting these more pernicious methods will require ongoing skilled technical work by the FCC and other watchdog organizations. Some of these methods may not be detectable technically, but will require ongoing monitoring of ISP business practices. We recommend the FCC continue in-depth investigations in this important area.
Tracking header injection isn't the only harmful way in which ISPs modify customer traffic. Increasingly ISPs are using the same techniques to inject advertisements or customer notices. This type of modification is both invasive and a risk to security: it is indistinguishable technically from a man-in-the-middle attack. We hope the FCC will make it clear to ISPs that this is not appropriate.
The FCC agreement with Verizon is an important step forward for Internet privacy within the US. However, traffic injection techniques have also been used outside the US. Other national regulatory agencies should take note of Verizon's opt-in requirement, and impose similar requirements on any local ISPs using traffic injection.
All told, this is a great victory for everyone who uses the Internet, and we congratulate the FCC on reaching this agreement.