There are plenty of reasons to be anticipating the arrival of GNU/Linux phones and tablets. Verizon Wireless has given us another.
On March 7, the FCC slapped a $1.35 million fine on Verizon in a privacy case, a move that’s being hailed as a victory by some privacy advocates. If so, it would seem to be a hollow victory. For starters, the fine is too low to be much of a deterrent against a company which last year had annual gross income of over $63 billion. But there is much more wrong with the agreement the carrier reached with the FCC than merely the price tag.
The case revolves around Verizon’s use of a supercookie — a cookie that uses a variety of techniques to make it nearly impossible to remove or disable — which the carrier began placing on its customers’ phones in 2012. The cookie gathered information that combined a person’s Internet history — whether through browsers or apps — with their unique customer information. The company ran afoul of the law because of the way it shared the information it gleaned with third parties.
The purpose was to better target ads. For example, the Wall Street Journal reported that in 2014, data collected by the cookies was used to promote 1-800 Flowers Valentine’s Day ads with precision accuracy, with the ads only being sent to 25-44-year-old males with annual earnings of at least $75,000.
Because one of the functions of the cookie is to inject a unique header into customer web traffic, third party companies were able to exploit it. In 2014, for example, a mobile ad exchange owned by Twitter, MoPub, was found to be using Verizon’s cookie to target ads to phones, and in early 2015 the online advertising clearinghouse Turn, used by Google, Yahoo, Facebook and others, began leveraging Verizon’s added header information to create their own supercookie, which would automatically replicate itself if deleted. Two days after this last news was made public, Turn announced that it was suspending the practice.
The FCC’s new agreement with Verizon is inadequate at best. The carrier agrees to only use the cookie on an opt-in basis, with one major exception: The tracking mechanism is still available to Verizon to use as it pleases when users visit a Verizon owned website.
The problem with this should be obvious, as most Verizon customers will at some time or another access a Verizon website to deal with a billing or technical issue. This also leaves the door open for the cookie to be placed — no opt-in needed — when Verizon customers visit AOL, which Verizon has owned since June, or any AOL owned website, a list which includes such popular destinations as Huffington Post, Engadget and TechCrunch.
Indeed, that seems to be the case. In October, when it became clear to Verizon that its practices were being examined under the FCC’s magnifying glass, the company switched to the opt-in method for websites other than those it owned in an attempt to quell the investigation, specifically keeping access available to its AOL subsidiary.
“The UIDH [identifying code] will be sent only to Verizon companies, including AOL, and to a select set of other companies that help Verizon provide services,” Karen Zacharia, Verizon’s chief privacy officer, wrote in a blog at the time. “These companies will not be allowed to use the UIDH for any purpose outside of providing the Verizon and AOL services.”
This led Klint Finley to opine on Wired that “news that AOL will begin using them means that they’re not going away any time soon, and may even see more widespread use than before.”
Nate Cardozo, a staff attorney for the Electronic Frontier Foundation, told CIO Today that the settlement is “an unqualified win for consumers, for online security, and for privacy advocates who have been calling for tracking only on an opt-in basis.”
I see it differently. It was a feel-good agreement for the FCC and Verizon, but does little to nothing to address the privacy issues that surround the practice of tracking users online habits. Actually, it may be worse than doing nothing, as the press has announced this as a big victory, which lulls the public into thinking that everything is under control when it’s not.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
I agree, a ‘feel good’ answer to a horrific state of affairs that hasn’t gone away or been settled by a long shot.
“fines,” “penalties” and such are just a very small, random cost of doing business to these giants. They could care less, especially because the media isn’t going to dig into wrongdoing because the media is paid for by the perpetrators. Pharmaceutical companies are particularly vile in this respect.
Time to unplug, climb a tree, take off my shoes and learn to play the banjo I guess. :\
Not surprising, but would you please explain how a Linux phone would make a difference.
Your link to Verizon financial shows net income of $17.88B, just 28% of the “over $68 billion”. Is the rest of the article more reliable, less reliable or as reliable as the first paragraph?
RE: Robert: Yes Christine, I’d like to know how in cases like Verizon, a Linux or FOSS phone would make a difference.
@Keith,
The $68 billion is gross, not net.
Are the rest of your comments more reliable, less reliable or as reliable as this one?
@Robert, tracyanne
Verizon’s tracking relies on unencrypted web traffic so they can inject their tracking header. Using solely HTTPS stops this cold.
Stopping this without having full control over your phone’s OS is problematic. A fully-FOSS phone would help stop your phone from generating any unwanted network traffic subject to their manipulation.
@Mike: In that case even a FOSS/Linux phone would only block this “super cookie” on sites that use encryption, as indeed would happen if one was using a third party browser (not the built in one) like Firefox for phones/tablets on a Verizon phone.
@tracyanne
We are at the point that people should be using encryption for EVERY site ALL THE TIME.
There is NO VALID EXCUSE for a site not to use HTTPS for all communication.
FOSS ensures there’s no monkey business going on in the phone, like redirecting your supposedly secure traffic through a local proxy on the phone that decrypts everything (see the recent issues with computer manufacturers placing root certs on their devices for exactly this purpose.
I agree Everyone should be using HTTPS, it doesn’t even cost anything to get a decent certificate with the EFFs Free certificate program. But yet we still have major sites with no encryption.
But until Everyone is using encryption, the problem will still not be solved by a FOSS/Linux phone.
you will notice that FOSS Force (http://fossforce.com) doesn’t use encryption, although it is available on their server, and a decent certificate is available free of charge, it’s just impossible to get a page that displays correctly if you force your browser to access https://fossforce.com, which means that scripts and css are probably not available via encrypted links.
I use EFFs HTTPS-Everywhere to force any site where encryption is available to serve up pages via https, FOSS force never gets forced to provide pages via https.
@tracyanne
You are right that a FOSS phone *alone* won’t solve the problem, but it is a necessary component. Otherwise the companies will do exactly what I said – they’ll middleman your traffic and you are no better off for having used encryption.
Once you use FOSS, it becomes a personal choice to visit any sites that don’t use encryption – knowing full well they can be tampered with. If people don’t visit unencrypted sites, then eventually they will be forced to change.
@Mike, so are you advocating that we all stop visiting FOSS Force untill they start serving pages via HTTPS?
I’m advocating nothing.
I said using a FOSS operating system makes it a personal choice. Using a non-FOSS operating system removes the choice from your hands.