Verizon fined just $1.4m for stalker supercookies
Weakest slap on the wrist – and FCC lets mobile giant keep its opt-out for subscribers
Verizon will pay $1.35m for its use of "supercookies," but its customers will still have to opt out of the permanent trackers, under an agreement [PDF] reached with the US Federal Communications Commission (FCC) on Monday.
The mobile giant will be required to tells its customers the supercookie exists and provide a simple option to have their tracker removed. Verizon will also have to actively seek permission from its millions of users before they can share the data with third parties.
But with the opt-out still in place, it will allow the company to gather and use huge amounts of information on its individual users and their browsing habits.
Back in 2012, Verizon started injecting its "unique identifier token header" (UIDH) into each HTTP request sent via its mobile data network. Each token is unique to each Verizon subscriber.
When users with the supercookie browse any website via Verizon, all the requests for content on the page – including the ads – are stamped with the unique identifier. When you move to the next site, the same token is sent to site's servers. When you return to a website, the token is once again presented to the site's servers. Clearing your cookies or using a privacy mode in your browser won't remove the supercookie: the token is embedded in every HTTP request going over Verizon's phone network.
That means that over time, it is possible to track these tokens and build a strong profile on a particular individual, which advertisers then use to show you so-called relevant adverts.
One of the key problems with the supercookie, however, is that clearing your cookie cache won't get rid of it. And even opting out of Verizon's ad-tracking program made no difference.
The FCC says it opened an investigation into Verizon's use of the supercookie in December 2014, following press reports on the issue. Two months later, political pressure came in the form of four senators who asked the FCC and the Federal Trade Commission to look at the issue.
"This whole supercookie business raises the specter of corporations being able to peek into the habits of Americans without their knowledge or consent," said Bill Nelson (D-FL).
"That's why I think we need to get to the bottom of this and perhaps new legislation."
A month later, in March 2015, Verizon provided its users with the option to remove the tracker.
Speaking about the settlement reached with the FCC, its enforcement bureau chief Travis LeBlanc said: "This agreement shows that companies can offer meaningful transparency and consumer choice while at the same time continuing to innovate. We would like to acknowledge Verizon Wireless's cooperation during the course of this investigation and its willingness to make changes to its practices for the benefit of its customers."
Privacy advocacy group Access Now also welcomed the decision, with its global policy and legal counsel Peter Micek saying it was "a clear win for user rights" and a "positive precedent against insidious, hidden online tracking, which is occurring across the globe." ®
Sponsored: Becoming a Pragmatic Security Leader