Verizon fined $1.35 million for its use of supercookies

Action shows cost of employing business practices that fail to respect privacy

Today the U.S. Federal Communications Commission announced it is fining Verizon $1.35 million for the carrier’s use of supercookies — also known as zombie cookies or “unique identifier headers” (UIDHs) — to track mobile users’ web browsing behavior.

“The FCC’s decision is a clear win for user rights,” said Peter Micek, Global Policy Counsel at Access Now. “This sets a positive precedent against insidious online tracking, which is occurring across the globe. We expect regulators worldwide, from the European Union to India, to follow the FCC’s lead, and for other telcos to take notice.

“Today’s victory is validation for the hundreds of thousands of people who took action on this issue, testing their connections to detect mobile tracking headers, and signing our petition to the FCC,” Micek continued. “Together, we can stop practices that imperil our rights online, and show companies that it’s critically important to be transparent about what they’re doing and to respect our privacy.”

UIDHs let companies track people across the web to target ads. People cannot block them because they are injected by carriers beyond our control, yet they can leak private information and make people vulnerable to criminal attacks or even government surveillance.

Access Now was alerted to this issue in October 2014, when reporters discovered that Verizon was logging data about its customers’ web browsing behavior — even if those customers had opted out of such schemes.

Soon after this discovery, we launched AmIBeingTracked.com, a tool that allowed people around the world to test whether their mobile carrier was injecting similar perma-cookies into their web requests. More than 330,000 people took the test, the results of which are detailed in our report, “The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy.”

“The use of supercookie tracking is a global epidemic,” said Deji Olukotun, Senior Global Advocacy Manager at Access Now. “Using our tool at AmIBeingTracked.com, hundreds of thousands of mobile users discovered they are being ensnared in mobile tracking schemes, usually with no reasonable way to opt-out. We are encouraged by the FCC’s decision, and we urge regulators around the world to also take action to protect user privacy.”

In addition to concerns about transparency and user privacy, Access Now highlighted a number of possible security issues with the use of “supercookies.” These tracking headers can make users vulnerable to spoofing by criminals. They also potentially enable authorities to surveil users without their knowledge. Even without this type of third-party abuse, however, the very existence of these cookies violates our privacy rights if users cannot truly opt out.

For additional information about tracking headers, see:

The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy

Access Now delivers petition to U.S. agencies to investigate zombie cookies