Verizon's super-cookies are a super privacy violation

Verizon's super-cookies track online behavior and can't be deleted from mobile devices

You can always tell when a company doesn't care about customers' privacy. It's when it announces that it really cares about customers' privacy.

"Verizon takes customer privacy seriously," Debra Lewis, a spokeswoman for Verizon Wireless, declared in a statement Friday. She said privacy "is a central consideration as we develop new products and services."

Why this reminder of what should require no reminding? Because once again, Verizon Wireless was caught violating customers' privacy, this time with so-called super-cookies that tracked people's online behavior and that can't be deleted from mobile devices.

Those versions of cookies — or "identifiers," in Verizon-speak — could be used by the company or its marketing partners to see what websites you visit and what pages you linger over. Those data, of course, are a gold mine for Verizon and for anyone trying to sell you stuff.

AT&T had toyed last year with using super-cookies, but dropped the idea after privacy advocates called out the company for overreaching.

Verizon drew the same criticism. But it was further along than AT&T in using the tracking technology and apparently figured the issue was too esoteric for ordinary people to get worked up over.

Bad call.

The Electronic Frontier Foundation, a San Francisco digital-rights group, kept up the heat and gathered thousands of signatures with an online petition calling on federal authorities to crack down on Verizon.

The stakes rose considerably last week when four Democratic members of the Senate Committee on Commerce, Science and Transportation wrote to Lowell McAdam, chief executive of parent company Verizon Communications, asking what was up with these super-cookies.

The senators pointed out that although Verizon Wireless allows customers to opt out of having personal information shared with others, "it does not allow customers to remove the super-cookies altogether, doing nothing to stop third parties from exploiting their existence."

The danger, they suggested, was that tech-savvy marketers or hackers could use the super-cookies for their own purposes regardless of consumer's privacy preferences. They'd still be attached to your mobile account, after all, still watching what you do online.

Allow me to pause here for a quick observation: You have no privacy. At least not in the sense that you will be left alone if you so choose.

In this age of Big Data, with a vast industry of so-called data aggregators buying, selling, swapping and storing sensitive information on nearly everyone, it's impossible for anyone to completely stay off businesses' radar.

You can opt out of every marketing list you can get your hands on, and you'll still end up in a digital dossier somewhere, with information about the magazines you read, the car you drive and even the drugs you take cross-referenced with other publicly available data to create an alarmingly thorough profile of your likes and dislikes.

The best anyone can do at this point is to attempt to limit the privacy damage by disabling as much as possible the most invasive tools used by businesses to pry into your life.

That's why Verizon's super-cookies drew such a heated response. As privacy invasions go, this one's a doozy.

Needless to say, that's not how Verizon Wireless sees it. Like most companies that get caught violating customers' privacy, Verizon patted itself on the back for being a good corporate citizen.

"We listen to our customers," Lewis said in her statement, overlooking the months Verizon spent ignoring its customers' worries about super-cookies.

Because "delivering solutions with best-in-class privacy protections" is Verizon's chief focus, she said, "we have begun working to expand the opt-out to include the identifier."

When will the company make this expanded opt-out available to customers? All it's saying is "soon."

I spoke with Lewis on Monday. She said Verizon Wireless is innocent of any deliberate privacy violations.

"The ecosystem is evolving," Lewis said. "We're learning as we go."

Those lessons aren't coming very quickly.

For example, Verizon is informing customers that they can opt out of having their personal information shared by visiting the company's MyVerizon website.

But here's something Verizon is neglecting to mention.

Any visit to MyVerizon will result in — you guessed it — a cookie being generated for your computer or wireless device that will automatically enroll you in what Verizon calls its Relevant Mobile Advertising program, which oversees all online tracking.

Think about that: Verizon will violate your privacy even as you go through the steps the company has set up to protect your privacy.

I first wrote about Verizon's sneaky practices in April after I discovered that any visit by a computer user to the MyVerizon site generated a tracking cookie.

Lewis said the cookies generated for computer users are different from the super-cookies generated for mobile customers. But they're two sides of the same coin, and both are part of the Relevant Mobile Advertising program.

Lewis also had difficulty explaining what happens if a Verizon Wireless customer opts out of the program. Do the cookies go away, or are they just dormant?

Google, Yahoo and other tech companies have similar tracking programs. The big difference is that Google and Yahoo are giving things away for free in return. Being monitored online is the trade-off for using nifty programs such as Gmail and Yahoo Finance.

In Verizon's case, however, the company is charging a hefty monthly fee for wireless service. So whatever data it collects in the process are gravy.

Wireless customers have every right to be outraged by this double dipping.

But I'll say it again: You have no privacy.

And none of the companies you do business with care about that. They just care about getting caught.

David Lazarus' column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5 and followed on Twitter @Davidlaz. Send your tips or feedback to david.lazarus@latimes.com.

Copyright © 2016, Los Angeles Times
52°