Verizon Wireless began including Unique Identifying Headers (UIDH) in the address information of incoming Internet data requests from Verizon customers about two years ago, and the controversy continues about whether the practice intrudes on user privacy.
Critics of the practice say that UIDHs can ultimately allow Web servers to build profiles of users when their mobile devices generate the tokens, but Verizon denies that the information can be used to identify an individual user.
Jacob Hoffman-Andrews, a senior staff technologist with the Electronic Frontier Foundation (EFF), a non-profit privacy group, recently posted a comment on Twitter denouncing the practice. "I don't know how I missed this: Verizon is rewriting your HTTP requests to insert a permacookie? Terrible," he posted.
"The issue is that Verizon is injecting this unique identifying header to all Web browsing their customers do, even to sites unaffiliated with Verizon," Hoffman-Andrews wrote to eWEEK in response to an email inquiry about his post. "So those sites can track users based on the X-UIDH value. And injecting the header at the network level means that clearing cookies does not work to clear the tracking that sites have applied to you."
Adria Tomaszewski, a Verizon Wireless spokeswoman, told eWEEK in an Oct. 28 email reply to an inquiry that the UIDH data has been in use since late 2012 and that the information "accompanies users' Internet data requests transmitted over our wireless network."
The UIDH data is dynamic and changes often on user devices, and can be used to authenticate subscribers as well as help "to associate devices with targeted ad campaigns for the Relevant Mobile Advertising program to the extent a customer has not opted-out of the program," wrote Tomaszewski.
"We do not use the UIDH to create customer profiles," she wrote. "Verizon Wireless does not use the UIDH to track where customers go on the Web. And, information about Web browsing is not part of the relevant mobile advertising program."
Customers are free to change their privacy choices and opt out of the Relevant Mobile Advertising program at any time, she wrote. "If/when a customer opts out of Relevant Mobile Advertising via their privacy choices, while they may still see the dynamic identifier, there is NO information associated with the ID and therefore, no ability to use it for advertising purposes."
No part of the information that could identify customers personally is shared outside of Verizon, wrote Tomaszewski.
Verizon was involved in a separate data privacy matter in September, when it was ordered by the FCC to pay a $7.4 million fine for violating the privacy rights of about 2 million new customers by using their personal information to market services to them without first informing them of their right to opt out, according to a recent eWEEK report.
The Federal Communications Commission (FCC) said it was the largest fine ever involving an investigation into privacy issues around the personal information of telephone users, though a relatively small hit for a company that generated $31.5 billion in the second quarter.
According to the FCC, Verizon did not tell new customers—either through their first invoices or in welcome letters sent to them—how they could opt out of having their personal information used in marketing efforts. Along with the fine, Verizon also agreed to let customers know about their opt-out options in every bill they send out over the next three years.
Giving customers such information is critical at a time when people are becoming more mobile, according to Travis LeBlanc, acting chief of the FCC's Enforcement Bureau.
"In today's increasingly connected world, it is critical that every phone company honor its duty to inform customers of their privacy choices and then to respect those choices," LeBlanc said in a statement. "It is plainly unacceptable for any phone company to use its customers' personal information for thousands of marketing campaigns without even giving them the choice to opt out."
Officials for Verizon, which has been battling with the FCC over issues around net neutrality, said in a statement that the problem was the result of an oversight, and stressed that the customers' information was kept safe.