Verizon confessed its violation of privacy laws and agreed to “pay a fine of $1,350,000 and implement a compliance plan that requires it to obtain customer opt-in consent prior to sharing a customer’s UIDH [Unique Identifier Headers] with a third party to deliver targeted advertising.” On March 7, 2016 the Federal Communications Commission (FCC) and Verizon entered a consent decree for Verizon’s use of “Supercookies” between 2012 and 2014. In November 2014 I blogged about “Supercookies” including the EFF’s description of Supercookies which included a “tracker, included in an HTTP header called X-UIDH”:
Like a cookie, this header uniquely identifies users to the websites they visit. Verizon adds the header at the network level, between the user’s device and the servers with which the user interacts.
Unlike a cookie, the header is tied to a data plan, so anyone who browses the web through a hotspot, or shares a computer that uses cellular data, gets the same X-UIDH header as everyone else using that hotspot or computer.
That means advertisers may build a profile that reveals private browsing activity to coworkers, friends, or family through targeted advertising.
The New York Times report “Verizon Settles With F.C.C. Over Hidden Tracking via ‘Supercookies’ included these observations:
The penalty was small, but the enforcement action drew wide attention from the telecom industry as a glimpse of the F.C.C.’s expanding ambitions into privacy regulation.
The agency is expected to soon consider first-time privacy rules for Internet service providers that could include mandates that wireless and fixed broadband providers get permission from users before tracking their behavior online.
This appears as a big win for privacy even though the fine was not that great.