Why is Verizon being forced to end its 'supercookie' collection?
Verizon's unannounced use of 'supercookies' for years prompted an FCC investigation which resulted in a fine and change in cookie policy for the telecommunications company.
Charles Krupa/AP/File
Verizon Communications’ implementation of a specialized “supercookie” that tracks users on the Internet has come under fire from the Federal Communications Commission (FCC).
The FCC will force Verizon to pay a $1.35 million fine for its use of the specialized, difficult-to-remove HTTP cookies, and the telecommunications company will be allowed to use the data mechanism only on Verizon services, or if customers decide to opt in to allow Verizon to insert the cookies for all of their unencrypted Web browsing.
Internet cookies are small pieces of information stored on Internet browsers, sent from websites to track an Internet user’s online actions. Every time a website with cookies on it is accessed, some information is sent from a user's computer to the site’s server to convey user activity. While the technology is common and most often used to keep track of information like items in a shopping cart across a website, cookies can also be used to track general browsing activity, keeping track of clicks, page views, and login information.
While the use of cookies is pervasive across many websites and services, Verizon’s supercookie technology crossed a line, according to the FCC based on its open Internet regulations. What sets the supercookies apart from their regular counterparts is their resistance to being avoided; almost anyone accessing the Internet via Verizon would be subject to the trackers. And unlike a normal cookie, which tracks users' activity on a single website, Verizon's supercookie could be used to track users across all unencrypted websites, allowing advertisers to construct a complex model of each user's online activity.
Verizon also failed to notify its users of the existence of the Unique Identifier Headers (UIDHs) or allow them to opt out of the tracking. Verizon used the information gained from the supercookies, which it started using in 2012, to focus its advertising based on users’ browsing history.
Verizon failed to publicize the practice until 2014, and did not allow consumers to choose to withdraw from supercookie tracking until 2015. And the online advertising company Turn began appropriating the Verizon cookies to target its ads, even recreating them in the event that users actively blocked or deleted the data, all despite Verizon’s claim that “[I]t is unlikely that sites and ad entities will attempt to build customer profiles for online advertising or any other purpose using the UIDH.”
This implementation of so-called “zombie cookies” that return even after users removed them was eventually ended by Turn, and was followed by Verizon's announcement that users could opt out of the supercookie operation.
“Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they’re doing online,” said Travis LeBlanc, chief of the FCC Enforcement Bureau, in a Monday release about the FCC supercookie settlement.
“Privacy and innovation are not incompatible. This agreement shows that companies can offer meaningful transparency and consumer choice while at the same time continuing to innovate. We would like to acknowledge Verizon Wireless’s cooperation during the course of this investigation and its willingness to make changes to its practices for the benefit of its customers,” he added.
“Over the past year, we have made several changes to our advertising programs that have provided consumers with even more options. Today’s settlement with the FCC recognizes that,” Verizon said in a statement to Ars Technica. “We will continue to give customers the information they need to decide what programs and services are right for them.”