There are plenty of reasons to be anticipating the arrival of GNU/Linux phones and tablets. Verizon Wireless has given us another.
On March 7, the FCC slapped a $1.35 million fine on Verizon in a privacy case, a move that’s being hailed as a victory by some privacy advocates. If so, it would seem to be a hollow victory. For starters, the fine is too low to be much of a deterrent against a company which last year had annual gross income of over $63 billion. But there is much more wrong with the agreement the carrier reached with the FCC than merely the price tag.
The case revolves around Verizon’s use of a supercookie — a cookie that uses a variety of techniques to make it nearly impossible to remove or disable — which the carrier began placing on its customers’ phones in 2012. The cookie gathered information that combined a person’s Internet history — whether through browsers or apps — with their unique customer information. The company ran afoul of the law because of the way it shared the information it gleaned with third parties.
The purpose was to better target ads. For example, the Wall Street Journal reported that in 2014, data collected by the cookies was used to promote 1-800 Flowers Valentine’s Day ads with precision accuracy, with the ads only being sent to 25-44-year-old males with annual earnings of at least $75,000.
Because one of the functions of the cookie is to inject a unique header into customer web traffic, third party companies were able to exploit it. In 2014, for example, a mobile ad exchange owned by Twitter, MoPub, was found to be using Verizon’s cookie to target ads to phones, and in early 2015 the online advertising clearinghouse Turn, used by Google, Yahoo, Facebook and others, began leveraging Verizon’s added header information to create their own supercookie, which would automatically replicate itself if deleted. Two days after this last news was made public, Turn announced that it was suspending the practice.
The FCC’s new agreement with Verizon is inadequate at best. The carrier agrees to only use the cookie on an opt-in basis, with one major exception: The tracking mechanism is still available to Verizon to use as it pleases when users visit a Verizon owned website.
The problem with this should be obvious, as most Verizon customers will at some time or another access a Verizon website to deal with a billing or technical issue. This also leaves the door open for the cookie to be placed — no opt-in needed — when Verizon customers visit AOL, which Verizon has owned since June, or any AOL owned website, a list which includes such popular destinations as Huffington Post, Engadget and TechCrunch.
Indeed, that seems to be the case. In October, when it became clear to Verizon that its practices were being examined under the FCC’s magnifying glass, the company switched to the opt-in method for websites other than those it owned in an attempt to quell the investigation, specifically keeping access available to its AOL subsidiary.
“The UIDH [identifying code] will be sent only to Verizon companies, including AOL, and to a select set of other companies that help Verizon provide services,” Karen Zacharia, Verizon’s chief privacy officer, wrote in a blog at the time. “These companies will not be allowed to use the UIDH for any purpose outside of providing the Verizon and AOL services.”
This led Klint Finley to opine on Wired that “news that AOL will begin using them means that they’re not going away any time soon, and may even see more widespread use than before.”
Nate Cardozo, a staff attorney for the Electronic Frontier Foundation, told CIO Today that the settlement is “an unqualified win for consumers, for online security, and for privacy advocates who have been calling for tracking only on an opt-in basis.”
I see it differently. It was a feel-good agreement for the FCC and Verizon, but does little to nothing to address the privacy issues that surround the practice of tracking users online habits. Actually, it may be worse than doing nothing, as the press has announced this as a big victory, which lulls the public into thinking that everything is under control when it’s not.