Verizon’s zombie cookie is now killable.
In a development initially reported by The New York Times, the telco will allow its users to opt out of what the privacy community and a censorious media referred to as a “zombie cookie.”
Previously, there was no way to opt out of Verizon’s persistent tracking mechanism. Users could opt out of having their information shared with third parties – but they couldn’t opt out of actually being tracked.
Due to an apparent loophole in Verizon’s tracking technology, Verizon partners could – in theory and in practice – use the company’s header to track users via their mobile devices by injecting a string of code into web traffic. Despite previous assurances to the contrary by Verizon spokespeople, Verizon’s unique identifier header (UIDH) could continue tracking users even if they’d taken steps to avoid tracking, including entering private browsing mode, clearing their cache or opting out of the program entirely.
Stanford University computer scientist Jonathan Mayer proved as much when he discovered that DSP Turn was apparently reviving opted-out cookies using Verizon’s UIDH. Turn claimed that it wasn’t actually reviving the cookie – it just looked like that on the back end due to a coding problem that the company was in the process of rectifying.
Verizon spokesperson Debi Lewis issued an official statement Friday confirming that Verizon would now allow its users to opt out for real. It was fairly vanilla, as is to be expected.
“As the mobile advertising ecosystem evolves, and our advertising business grows, delivering solutions with best-in-class privacy protections remains our focus,” Lewis said in the statement. “We listen to our customers and provide them the ability to opt out of our advertising programs. We have begun working to expand the opt-out to include the identifier referred to as the UIDH, and expect that to be available soon. As a reminder, Verizon never shares customer information with third parties as part of our advertising programs.”
It’s noteworthy that Verizon’s last point – the fact that it never shares customer information with third parties as part of its advertising programs, including Precision Market Insights – doesn’t matter if those third parties are, or at least were, able to use Verizon’s technology to grab the cookies for themselves.
It’s arguable that Verizon’s move to enable UIDH opt-out could stem from fear of regulatory action more than anything.
As Mayer observed to AdExchanger in an interview following his Turn revelation: “If Verizon doesn’t get rid of the header, I could see some regulatory agencies start to take an interest and it would be entirely warranted … even all of Verizon’s lobbying [power] couldn’t buy them out of an investigation or enforcement if the FTC or the FCC was determined.”