Are you f..ing kidding me? If I pay for Internet access, I demand a best effort from the provider to transfer the data packets unmodified (except, for IPv4, NAT usage), the shortest way, to the target IP address.
I do not pay and then want to get tracked so that the provider or some other dickheads can data-mine me and make even more money. If I want this, I can choose a free plan (e.g. unlimited 3G, but with tracking).
About time everyone switches over to HTTPS with HSTS (so that no provider can perform a SSL MITM attack using its own trusted certs).
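As an added example that is not part of the post above: the policy logic an HSTS-aware client applies, showing why an http:// URL is rewritten to https:// on the device itself, before any plaintext request reaches the ISP. HSTS removes the plaintext downgrade and makes certificate errors unbypassable; it does not by itself change which CAs the device trusts. Host names, times and the clock hook are constructed for the example.

```python
"""Added example (not from the thread): a minimal HSTS policy store like
the one a browser keeps (RFC 6797). Once a host has sent
Strict-Transport-Security over TLS, later http:// requests to it are
upgraded locally, so no plaintext request exists for an ISP to inject into."""
import time


def parse_hsts(header_value: str):
    """Return (max_age_seconds, include_subdomains), or None if the header
    is invalid. max-age is required; unknown directives are ignored."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class HstsStore:
    def __init__(self, clock=time.time):
        self._clock = clock              # injectable clock (constructed for testing)
        self._policies = {}              # host -> (expires_at, include_subdomains)

    def record(self, host: str, header_value: str) -> bool:
        """Store a policy. Callers must only pass headers received over a
        valid TLS connection; HSTS seen over plain HTTP must be ignored."""
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:                 # max-age=0 tells the client to forget the host
            self._policies.pop(host.lower(), None)
        else:
            self._policies[host.lower()] = (self._clock() + max_age, include_sub)
        return True

    def should_upgrade(self, host: str) -> bool:
        """True if an http:// request to host must be rewritten to https://."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):     # the host itself, then each parent domain
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None or self._clock() >= policy[0]:
                continue                 # no policy for this label, or it expired
            if candidate == host or policy[1]:
                return True
        return False
```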
Frankly, I'm glad that Verizon is doing this, as it weakens their ability to argue that Title II net neutrality isn't necessary because no one is currently messing with traffic. Even better that they're doing it with their wireless network, since, as I understand it, they were given a bit more rope with which to hang themselves in the wireless ISP space.
That's exactly the problem. Having worked in telecom/voip space, it always baffled me how an ISP isn't a common carrier.
The common carrier designation solves an entire slew of problems that were previously experienced with other technologies as well. It addresses privacy, liability for what you are delivering, etc.
To hear the Cisco CEO tell it, placing the ISPs under Title II will take us back to 1950's voice and undermine innovation.
> liability for what you are delivering
While I fear further regulation may introduce unforeseen consequences or inhibit innovation, I also fear doing nothing is proving to have problems as well. Regulations need to be written by people with the knowledge to be very precise about how things are done; we don't want mandatory ISP deep packet inspection (I already get letters from my cable company about HBO torrents that I download).
Not sure that's accurate. From something posted on Cisco's website: "Apart from payment for the service, the carrier is absolved from liability regarding the content of the messages, and from the actions of the customers of the service. This form of social contract is the basis for the status of a common carrier."
Actually, no. First, there is some legit content on TPB. Secondly, however (and more importantly, in this context), for an ISP to block content in one illegal case implies (in a legal sense, rather than a technical one) the ability to block it in all such cases, which then exposes them to liability for the illegal content they didn't block.
Effectively, the only sustainable way to maintain common carrier status is to maintain a deliberate ignorance of the legality — or lack thereof — of any traffic they might carry.
Sadly the USPS stuffs your mailbox with advertisements now too. There is no opt out and they've actively discontinued working with third party services that would filter your mail for you.
By mail volume the USPS is basically a government subsidized advertising delivery service these days.
It doesn't subsidize it, such data "products" are a new revenue source for the ISPs. While I don't think it's wrong for them to want to make more money, it is wrong to alter a paid service and go directly against the best interests of their customers.
My bad, in this case I agree somewhat. Though it helps fund USPS, I'd rather see USPS be a true public service and be funded by taxes and not funky arrangements with spammers.
I can see that. I don't have much of an opinion on the ideal arrangement for USPS myself, although I do think it works fairly well at the moment and maybe we should leave well enough alone in that case. But really I just wanted to set the record straight in terms of what's actually subsidizing what.
I'm not okay with it, but still use Verizon for broadband. I basically have no other choice.
This is why, despite being a big fan of NN, I wonder if it's going to be enough. We need more competition in markets, so when ISPs do chickenfuckery such as this, we can all vote with our feet.
Yep it's time to just stop using plain HTTP. Unfortunately I think that the number of people who care enough about this to suffer the pain are not enough to change ISP behavior.
Nobody has agreed to send your traffic the 'shortest way' to the target IP address (despite your demand). They routinely send it whichever way is cheapest for themselves, which leads to hot-potato routing among other things.
"took steps to secure these Device IDs, and began allowing their users to delete them, in the same way they could delete cookies in their desktop Web browser."
That's a joke. Android's permission model encourages users to freely give out their device serial number. The permission to read device ID is hidden behind the permission that allows an app to determine if you're on a call. A totally innocuous permission (which should not be a permission) smuggles in a very intrusive one.
Oh, and for a kicker, the device ID permission also gives apps access to the number of whoever you call or whoever calls you. So even security-conscious users that check permissions can easily get tricked. "Sure, I want this flashlight app to turn off if I get a call so I don't blind myself trying to answer" - bam, you just gave away your permanent ID and call logs.
This could be a negligent incompetent mistake on Google's part, but it seems unlikely because it's so nonsensical and they've done nothing to rectify it in years.
I'm also starting to believe that Android's extremely vague permissions are not that vague because of their engineers' incompetence, but because it was done this way on purpose.
Google promised at I/O that a permission system with more fine-grain control would come in Lollipop, but it's still nowhere to be seen.
Agree with this, especially after their fine-grain control App Ops, which received a very positive response, was completely removed, and the reason they gave for doing so was quite nonsensical: "it can break apps" - obviously, that's why people want to use it - to prevent apps from "breaking" their personal privacy.
(My Android's ID/serial number is 0123456789ABCDEF, the same as tens of millions others out there, so I'm not so worried about it. One of the perks of owning an unbranded generic Chinese device, along with a new random MAC address whenever I reset the WiFi...)
This is so wrong. An ISP is not meant to interject information into a client's request, build profiles of their subscribers, help "provide targeted content," or any such activity. Apparently ISPs are making so little money by providing services they were originally born to provide, they need to go and do totally unwanted activity like this. They're internet service providers, not customer profiling service providers.
It's clear that these companies do not have their customer's best interests at heart, though I'm not sure that they ever have.
Furthermore the notion that the addition of an HTTP header to the request would be a patentable invention is absurd. The protocol explicitly supports it. Nothing was invented here.
> They're internet service providers, not customer profiling service providers.
Google is a search engine and application provider, not a customer profiling service provider. Similar things could be said of Facebook, cable/satellite TV, automobiles, retail stores, government agencies. But all are focusing on collecting information and building profiles.
> Google has proposed a new Internet protocol called SPDY that would prevent these types of header injections – much to the dismay of many telecom companies who are lobbying against it
Wow, I was pretty ambivalent about SPDY/HTTP2 before but now I really hope it catches on.
Actually a binary format (designed to be machine-friendly) is better for MITM injections as it's easier to parse and manipulate... the only benefit of HTTP2/SPDY is that iirc it requires TLS.
I'm waiting for the first carrier to perform SSL MITM.
As bad as it is, at the least it should be easy to opt-out of that (unless they do something ridiculous like charge you extra if you refuse to opt-in). Just remove the certificate your ISP gives you.
HTTP2 doesn't require encryption but it does compress the headers. I'm guessing compression makes it too CPU-intensive for telecoms to manipulate the headers on the fly.
This is in progress. HTTP 2.0 does exactly what you specify. The tcpinc working group at the IETF is also looking at adding this at a lower level for all TCP connections.
It's unlikely they'll ever get mass usage because both are uncomfortable to work with.
If a certificate is compromised, changing it means all pinned clients will get a huge warning. Either the user ignores the warning (in which case pinning is useless) or he doesn't and the site is harmed. Keeping a compromised certificate is even worse.
For WoT you first need a web of trusted individuals.
Unfortunately key distribution over insecure channels is still an unsolved problem.
Holding back innovation just because it would wipe out their business.
This, my dear friends, is why ISPs need to become regulated, government-owned utilities. Or has anyone seen regulators preventing experiments on self-driving cars and trains in order to keep train conductors' jobs?
Yet, these laws you mention actually make sense (at least those Uber and Airbnb "fight" against).
Taxi regulations exist to prevent Uber's "surge pricing" model, thereby guaranteeing the customer the same price for the same distance, no matter how late at night it is or how drunk the customer is (at least in Germany; the taxi market as a whole seems to be broken in the US so that's another story).
Hotel regulations exist to protect other tenants in a building from the kind of bullshit which has happened multiple times: ever-changing, drunk tenants demolishing stuff, being loud, throwing sex parties, etc.
The only law area being "disrupted" where the existing regulations don't protect any legitimate interests aside from MAFIAA's Big Money is the TV distribution, and I'm sad that Aereo got problems there. But well, that's the area of Big Money, no chance to compete there :(
My provider, TracFone, appears to be sending beacons. This is a low cost pay-as-you-go service that buys airtime from the big carriers. My particular phone uses the Verizon network.
I wonder in how many states doing this is an illegal form of tampering with electronic communications. It seems to me interfering with communications would be illegal unless it is necessary for network operations, which advertising trackers obviously are not.
Verizon has been pushing their "Smart Rewards" program on me for months (http://www.verizonwireless.com/wcms/myverizon/smart-rewards....). After reading the fine print, you are actually consenting to monitoring of all traffic through your account that will be shared with third parties. I respect the fact they have some sort of opt-in that has some return... Imho they are swindling the typical oblivious consumer trolling for a free Jamba Juice gift card.
It's a little amusing and rather sad that the word "smart" now seems to be used to describe products and services that act against their users and often perform surveillance on them, implying that it's somehow a "smart" thing to let this happen.
Will the ISPs overwrite this header if already present?
If so, isn't that a kind of huge problem?
If not, can't someone make a mobile browser that sets these headers to some random value?
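One defender-side way to answer the first question is to compare the headers a client actually sent with what an echo endpoint on the far side reports receiving: a name that appears only on the receiving side was injected, a name whose value differs was overwritten. This is an added example, not code from the thread; the header names, values and the allowlist of hop-by-hop headers are constructed placeholders.

```python
"""Added example (not from the thread): detect on-path HTTP header
injection by diffing the headers a client sent against the headers an
echo endpoint reports receiving. Names and values are constructed."""
from collections import defaultdict

# Headers that proxies and load balancers legitimately add or rewrite;
# differences here are expected and not flagged (assumption for this example).
EXPECTED_HOP_HEADERS = {"via", "x-forwarded-for", "x-forwarded-proto",
                        "connection"}


def parse_headers(raw_request: str) -> dict:
    """Parse an HTTP/1.1 request's header block into
    {lowercased-name: [values...]}, keeping duplicate headers in order."""
    headers = defaultdict(list)
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if line == "":
            break                                  # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def diff_headers(sent: dict, received: dict) -> dict:
    """Classify each difference as added (injected), modified (overwritten
    in transit) or removed, ignoring the expected hop-by-hop headers."""
    result = {"added": {}, "modified": {}, "removed": []}
    for name, values in received.items():
        if name in EXPECTED_HOP_HEADERS:
            continue
        if name not in sent:
            result["added"][name] = values
        elif sent[name] != values:
            result["modified"][name] = {"sent": sent[name], "received": values}
    for name in sent:
        if name not in received and name not in EXPECTED_HOP_HEADERS:
            result["removed"].append(name)
    return result


def injection_detected(sent_raw: str, received_raw: str) -> bool:
    d = diff_headers(parse_headers(sent_raw), parse_headers(received_raw))
    return bool(d["added"] or d["modified"])


# Constructed sample: the request as the client sent it ...
SENT = ("GET /echo HTTP/1.1\r\nHost: echo.example.test\r\n"
        "User-Agent: header-check/1.0\r\n"
        "X-Placeholder-Tracking-ID: client-chosen-value\r\n\r\n")
# ... and as the echo endpoint reported it (constructed: one header injected,
# the client's own value overwritten, plus a legitimate Via from a proxy).
RECEIVED = ("GET /echo HTTP/1.1\r\nHost: echo.example.test\r\n"
            "User-Agent: header-check/1.0\r\n"
            "X-Placeholder-Tracking-ID: carrier-assigned-value\r\n"
            "X-Placeholder-Injected: opaque-token\r\n"
            "Via: 1.1 carrier-proxy\r\n\r\n")
```

Running `diff_headers(parse_headers(SENT), parse_headers(RECEIVED))` over the constructed sample reports one added and one modified header and nothing removed.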
Make a web service that "coincidentally" uses the same header for something else, or add it as part of a new feature of an existing popular web service. Of course, it should have an app. Tell its users to complain to Verizon when the service breaks for them/the app doesn't work.
I remember for a while the only way to change the User-Agent header for iOS UIWebViews was to set the user agent header in lowercase; as long as it's after the actual header, PHP will uppercase both and the later one will win (for $_SERVER at least; obviously this is PHP-specific).
Yes, the fun is to figure out what they're using and exploit it. HTTP is a terrible format to parse, with lots of idiotic extra features that have no legitimate usage. But it'd be fairly easy for them to harden things, just abort if they run into anything weird.
Which may be a way around this. Run a local proxy that does stuff like use line folding, comments in headers, and other things to make their parse code abort. Of course, you then run the risk of breaking compatibility with actual HTTP servers (with good reason: those are bad features and such messages are probably an attack). And of course the ISP can always fix their code.
A solution to this is to set up OpenVPN on a VM someplace and route all your phone's data traffic through that. I've done this using the Fedora OpenVPN guide (https://fedoraproject.org/wiki/Openvpn). To get it working on the iPhone I also had to add this to the server config:
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
The problem with doing this is that now all your web traffic is associated with the IP of the VM, which is presumably even easier to track back to you.
You'd have to do something exceedingly clever like have the VM automatically route VPN traffic into Tor.
For what it's worth, this article is 2 weeks old and it seems Verizon may have either stopped this or is now respecting opt-outs. I'm curious if others are seeing this.
While I was definitely getting that header added to my outbound traffic two weeks ago, it is not happening to me now. I noticed that a day or two ago, and it still seems to be the case now.
That you're the product if you're not the customer does not imply that you're not the product if you are the customer. Companies sell personal data all the time, cause they can make extra money off their customer base.
When I read the first part of the first sentence, "Twitter's mobile advertising arm enables its clients to use a hidden...", I thought "I'm a client, but never heard of ... oh, never mind."
It would be possible for Verizon to implement this really bad system without anybody noticing, even if SPDY/HTTP 2 or HTTPS is used:
Currently they inject the header with an ID which changes e.g. daily and charge third parties to associate the ID with a profile. They can only inject in HTTP.
If instead the third party (e.g. an ad server) contacted a Verizon server with the IP (and port number, in the case of carrier-grade NAT) on every request, that server gave back the profile, and Verizon charged the ad server for this, then nobody would ever know and there would not be much protection against it (without a third-party proxy or VPN to hide the IP).
It should be possible to counter this by running a proxy somewhere and use that. Privoxy would work for this and while you're at it you can make it remove the ads too.
I still don't understand why I appear to be the only Verizon customer on the Internet that doesn't have this header injected. There is nothing special about my account (other than its age, perhaps; I have only been a Verizon customer since the iPhone 6 release), but it just doesn't show up for me.
Are you sure you're not using any proxies, VPNs, or local wifi?
I have seen the header disappear for a brief period, only to return a day later. I've seen another user reporting that the header disappeared after they used all web-based opt-outs, and complained by phone... but then reappeared after traveling to a different region.
So there does appear to be some volatility and inconsistency in what Verizon is doing. Also, reportedly, government and some business accounts may be immune.
So keep checking, especially after travel: even if you haven't seen it so far, you might someday.
Are you connected over Wi-Fi instead of Verizon's wireless network?
Update: I turned off Wi-Fi and still didn't find the header. I wonder if business vs personal accounts makes a difference? I'm on a shared business plan.
Update: Perhaps they are identifying identification sites and not tacking it on in those cases? Quite a stretch and tin foil hatish.
Update: Or perhaps someone else on the shared plan already opted out.
I'm not seeing it either. I have a new 2GB data plan through Verizon with a rooted Galaxy S4 and every "test" site I visit doesn't show it. I'm not on WiFi.
www.runads.com is doing the same for their mobile advertising campaigns.
The ad-tech industry is targeting mobile advertising as the Next Big Thing, and they're right to do so. Anyone not tracking and optimizing ads toward the permacookie will be left behind.
It appears that there is a huge business opportunity for someone to find a way to defeat this type of tracking. Of course, it would probably need to be a subscription type of service, which bodes well for steady recurring revenue.
Textbook example of escalation. Start with relatively easy-to-remove cookies. Savvy people clear their caches, the criminals move to automatic localstorage weapons. The savvy people start wearing AdBlock armor and rejoice. The criminals move up to armor-piercing injection bullets. The everyday mom and pop don't stand a chance. 1984, yeah right man, Orwell is today.