Turn, an online ad company, is using Verizon’s hidden tracking header to tap into cookies deleted by the wireless company’s users and share them with other major websites and ad networks, like Facebook and Google, to form a tangled web of non-consensual online tracking, reported the Electronic Frontier Foundation.
The company monitors customers' habits on their smartphones and tablets, and uses the Verizon number to revive the deleted cookies.
"We are trying to use the most persistent identifier that we can in order to do what we do," Max Ochoa, Turn's chief privacy officer, told ProPublica.
The Zombie Cookie got its name from Jonathan Mayer, a computer scientist and lawyer at Stanford, who launched an investigation into these cookies after they continued to track users even after the users had deleted them and turned on private browsing.
“The privacy impact also goes beyond individual mobile browsers. If a Verizon customer tethered with their phone, their notebook could get stuck with the zombie value (the ultimate in cross-device advertising),” Mayer wrote in a blog post. “And the zombie value could spread between cookie stores on a device, including between the Web browser and individual apps (the ultimate in inter-app advertising).”
Last year, Verizon and AT&T both gave out customers’ tracking numbers to all websites visited on the users’ phones.
In November, AT&T stopped using the number. But Verizon did not, reassuring users on its website that "it is unlikely that sites and ad entities will attempt to build customer profiles" using its identifiers.
Jacob Hoffman-Andrews, a senior staff technologist at EFF, said this is a “spectacular violation of Verizon users' privacy,” which was made even worse by the carrier’s failure to enable users to opt out.
“Through Turn's cookie syncing program the re-identification affects dozens of other sites and ad networks. According to Mayer's research, many ad networks and high profile sites, including Facebook, Twitter, Yahoo, BlueKai, AppNexus, Walmart and WebMD, receive copies of the respawned cookie,” Hoffman-Andrews said.
Turn and Verizon have a marketing partnership that allows Verizon to share anonymized information about its mobile customers.
Here’s how it works.
When a user visits a website that contains Turn tracking code, the company holds an auction within milliseconds for advertisers to target that user. The highest bidder's ad instantly appears on the user's screen as the web page loads. Turn says it receives 2 million requests for online advertising placements per second, according to ProPublica.
For its auctions to work, Turn needs to identify web users using cookies, which are small text files stored on their computers. The cookies allow Turn to identify a user's web browsing habits, such as an interest in sports or shopping, which it uses to lure advertisers to the auction, the news site adds.
Some users try to block such tracking by turning off or deleting cookies. But Turn says it doesn’t consider users clearing cookies a signal that they want to opt out from being tracked.
"There are definitely people who feel that if they clear their cookies, they won't be tracked, and that is not strictly accurate," said Joshua Koran, senior vice president of product management at Turn.
Instead, users have to install a “Turn opt-out cookie” on their phones. That cookie is not designed to prevent Turn from collecting data about a user — only to prevent Turn from showing targeted ads to that user.
But ProPublica's tests showed that even Verizon users who installed the Turn opt-out cookie continued to receive the Turn tracking cookie. Turn said that, despite the appearance of the tracking cookie, it continues to honor the opt-out cookie.
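The clear-cookies test and the tethering effect described above, modelled offline as an added example (not code from the article, Turn or Verizon). The tracker class is a constructed stand-in for an ad server, the carrier value is made up, and the header name `X-UIDH` is the publicly reported name of Verizon's header, which the article itself does not state.

```python
"""Added illustration: does a tracking cookie survive 'clear cookies'?"""
import uuid

HEADER = "X-UIDH"  # assumption: publicly reported name of the carrier header

class SimulatedTracker:
    """Constructed stand-in for an ad server; not Turn's actual code."""
    def __init__(self):
        self.by_carrier_id = {}  # carrier header value -> tracking cookie ID

    def handle(self, headers, cookies):
        """Return the tracking-cookie value the server would set."""
        carrier_id = headers.get(HEADER)
        if "uid" in cookies:
            uid = cookies["uid"]                 # cookie still present
        elif carrier_id in self.by_carrier_id:
            uid = self.by_carrier_id[carrier_id]  # deleted cookie comes back
        else:
            uid = uuid.uuid4().hex               # genuinely new visitor
        if carrier_id is not None:
            self.by_carrier_id[carrier_id] = uid
        return uid

class Browser:
    """One cookie store; injected_headers models what the network adds."""
    def __init__(self, injected_headers=None):
        self.injected = dict(injected_headers or {})
        self.cookies = {}

    def visit(self, tracker):
        self.cookies["uid"] = tracker.handle(self.injected, self.cookies)
        return self.cookies["uid"]

def cookie_respawns(browser, tracker):
    """Visit, clear cookies, visit again: True if the same ID returns."""
    before = browser.visit(tracker)
    browser.cookies.clear()
    return browser.visit(tracker) == before

def shared_across_stores(first, second, tracker):
    """True if two separate cookie stores end up with the same ID."""
    return first.visit(tracker) == second.visit(tracker)

if __name__ == "__main__":
    line = {HEADER: "constructed-carrier-value"}  # constructed sample value
    print("respawns with header:   ", cookie_respawns(Browser(line), SimulatedTracker()))
    print("respawns without header:", cookie_respawns(Browser(), SimulatedTracker()))
    print("phone + tethered laptop:", shared_across_stores(Browser(line), Browser(line), SimulatedTracker()))
```

The same before/after comparison is what a real check would record: the tracking-cookie value seen before and after clearing the cookie store.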