Monday, January 19, 2015

Privacy: Zombie Cookies

The Tracking Cookie That You Can't Kill

by Julia Angwin and Mike Tigas,  ProPublica
Update, Jan. 16, 2014: In response to our revelation, Turn said it will suspend using its zombie cookie.

An online advertising clearinghouse relied on by Google, Yahoo and Facebook is using controversial cookies that come back from the dead to track the web surfing of Verizon customers.

The company, called Turn, is taking advantage of a hidden undeletable number that Verizon uses to monitor customers' habits on their smartphones and tablets. Turn uses the Verizon number to respawn tracking cookies that users have deleted.

This is being sent by your carrier to every site you visit using this device.




You are not being tracked by your carrier, or not viewing this on a mobile network.

"We are trying to use the most persistent identifier that we can in order to do what we do," Max Ochoa, Turn's chief privacy officer, told ProPublica.

Turn's zombie cookie comes amid a controversy about a new form of tracking the telecom industry has deployed to shadow mobile phone users. Last year, Verizon and AT&T users noticed their carriers were inserting a tracking number into all the Web traffic that transmits from a users' phone – even if the user has tried to opt out.

Users complained that the tracking number could be used by any website they visited from their phone to build a dossier about their behavior – what sites they went to, what apps they used.
 In November, AT&T stopped using the number. But Verizon did not, instead assuring users on its website that "it is unlikely that sites and ad entities will attempt to build customer profiles" using its identifiers.

When asked about Turn's use of the Verizon number to respawn tracking cookies, a Verizon spokeswoman said, "We're reviewing the information you shared and will evaluate and take appropriate measures to address."

Turn privacy officer Ochoa said that his company had conversations with Verizon about Turn's use of the Verizon tracking number and said "they were quite satisfied."

Turn's actions were spotted by Stanford researcher Jonathan Mayer, and confirmed by ProPublica's testing.

Turn and Verizon also have a separate marketing partnership that allows Verizon to share anonymized information about its mobile customers. In April, Verizon sponsored a Turn event in New York City called " Bringing Sexy Back to Measurement."

Turn, which calls itself a "Digital Hub," may not be a household name but it is a huge back-end processor of ads on websites.

It works like this: When a user visits a website that contains Turn tracking code, the company holds an auction within milliseconds for advertisers to target that user. The highest bidder's ad instantly appears on the user's screen as the web page loads. Turn says it receives 2 million requests for online advertising placements per second.

For its auctions to work, Turn needs to identify web users by cookies, which are small text files that are stored on their computers. The cookies allow Turn to identify a user's web browsing habits, such as an interest in sports or shopping, which it uses to lure advertisers to the auction.

Some users try to block such tracking by turning off or deleting cookies. But Turn says that when users clear their cookies, it does not consider that a signal that users want to opt out from being tracked.

"There are definitely people who feel that if they clear their cookies, they won't be tracked, and that is not strictly accurate," said Joshua Koran, senior vice president of product management at Turn.

Turn executives said the only way users can opt out is to install a Turn opt-out cookie on their machine. That cookie is not designed to prevent Turn from collecting data about a user - only to prevent Turn from showing targeted ads to that user.

ProPublica's tests showed that even Verizon users who installed the Turn opt-out cookie continued to receive the Turn tracking cookie as well. Turn said despite the appearance of the tracking cookie, it continues to honor the opt-out cookie.

Initially, Turn officials also told ProPublica that its zombie cookie had a benefit for users: They said they were using the Verizon number to keep track of people who installed the Turn opt-out cookie, so that if they mistakenly deleted it, Turn could continue to honor their decisions to opt out.

But when ProPublica tested that claim on the industry's opt-out system, we found that it did not show Verizon users as opted out. Turn subsequently contacted us to say it had fixed what it said was a glitch, but our tests did not show it had been fixed.

Either way, this fix does not address the respawning of cookies that have been deleted– since Turn says it does not consider that an expression of user intent.

"It is our absolute desire to honor people's choices," said Ochoa, Turn's chief privacy officer.

For more coverage, read ProPublica's previous reporting on Verizon's indestructible tracking and AT&T's decision to stop using the technique.
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.