• 03.07.16

FCC Busts Verizon Wireless For Tracking Users Without Consent

Wireless giant agrees to $1.35 million fine and requirements to ask customers permission to share data with advertisers.

FCC Busts Verizon Wireless For Tracking Users Without Consent
[Photo: Northfoto via Shutterstock]

Worried that you are being followed? If you’ve been a Verizon Wireless customer in the last three years or so, you have been. The good news: Thanks to a settlement with the Federal Communications Commission (FCC), Verizon can no longer share some data about you with outside advertising partners, unless it first gets permission. But it can still collect some personal data for its own advertising programs, unless you specifically opt out of the program.


The telecom giant just agreed to those terms, and a $1.35 million fine, with the FCC. At issue was something called the “Unique Identifier Header,” or UIDH, a string of characters tied to a specific mobile device that Verizon inserts into any web request from that device. In other words: Every time a Verizon Wireless phone (or other connected device) hit a website to pull down info, it was broadcasting its ID for all to see.

For almost two years, the UIDH program was a secret, without offering an opt-out policy. That inspired critics who eventually learned of it to dub UIDH the “supercookie”—something analogous to a tracking cookie, but that can’t be deleted. (“Zombie cookie” was another nickname, since it couldn’t be killed.)

Verizon started using UIDHs in December 2012 to enable better-targeted ads in its own advertising programs. It also shared the information with outside advertising partners. Verizon didn’t provide information to users until October 2014, buried in a FAQ page. Not until a flurry of media reports, activist criticism, and an FCC investigation took place did Verizon finally mention supercookies in its privacy policy in March, 2015.

Today’s agreement (called a “consent decree”) curbs (but doesn’t end) the UIDH/supercookie program. Sharing a customer’s UIDH with other companies to deliver target ads will be opt-in: Verizon will have to ask a customer’s permission before doing it. This is a good thing for privacy: At least one of Verizon’s partners used the UIDH to identify phone owners and re-install its tracking cookies that the owners had deleted from their mobile browsers. (Verizon did begin offering an opt-out program last summer.)

But by default, Verizon can still use your UIDH internally, including for its two advertising programs—Relevant Mobile Advertising (RMA) and Verizon Selects. The telecom company is branching beyond just being the pipes for moving data to becoming an advertising company in its own right. That’s likely the main reason it bought AOL in June 2015—not to get its dial-up service, its instant messenger app, or the Huffington Post—but to acquire AOL’s online advertising technologies. Verizon Wireless subscribers will still have to check the opt-out option to keep their device IDs from flowing into Verizon’s own advertising machine.

About the author

Sean Captain is a technology journalist and editor. Follow him on Twitter @seancaptain.