Recent news that Verizon has been injecting text strings into HTTP headers when its wireless customers browse the Web has many privacy activists seeing red. Often referred to as ‘perma-cookies’, these strings, which Verizon refers to as unique identifier headers (UIDH), cannot be disabled by changing browser settings, and opting out of the company’s advertising programs does not help much either. A Web developer in Florida says that it has a solution to help website owners address the problem.
WebFl.us is a website development firm located in southern Florida that develops websites, provides search engine optimization (SEO) and uses Responsive Web Design (RWD), an approach to developing sites that provides the best viewing experience for users. Making text easier to read, limiting the need for scrolling or window sizing and supporting multiple environments are some of the goals RWD seeks to achieve.
WebFl.us uses its own flavor of RWD, which it calls ssRWD, to make websites that load fast and perform well, use the RWD techniques mentioned earlier and also use HTTP Strict Transport Security (HSTS). HSTS tells browsers to reach the site only over HTTPS, and because that traffic is encrypted, ISPs cannot add strings to its HTTP headers to create perma-cookies.
Opting out of a provider’s advertising programs does not solve the problem. All that does is prevent Verizon and its partners from sending targeted ads to you. The UIDH is still being generated, plus nothing is keeping another site from storing the UIDHs it receives to build user profiles. Other parties like the NSA and hackers could also use UIDHs.
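The site-operator side of the two points above (forcing HTTPS with HSTS, and not storing identifiers a carrier has injected) can be sketched as a small WSGI middleware. This is an added example, not WebFl.us's code: the class name, `canonical_host` parameter and sample values are hypothetical, `X-UIDH` is assumed to be the injected header's name, and TLS is assumed to terminate at this server.

```python
# Added example: WSGI middleware for a site operator (hypothetical names).
HSTS_VALUE = "max-age=31536000; includeSubDomains"
# Carrier-injected request headers in WSGI environ form (assumed: X-UIDH).
TRACKING_ENV_KEYS = frozenset({"HTTP_X_UIDH"})


class PermaCookieGuard:
    """Force HTTPS with HSTS and keep injected identifiers away from the app."""

    def __init__(self, app, canonical_host, tracking_keys=TRACKING_ENV_KEYS):
        self.app = app
        # Redirect to a configured host name, never to the client's Host header.
        self.canonical_host = canonical_host
        self.tracking_keys = set(tracking_keys)
        self.stripped = 0  # requests that arrived carrying an injected header

    def __call__(self, environ, start_response):
        # Drop injected identifiers so they never reach app code, logs or storage.
        for key in self.tracking_keys:
            if environ.pop(key, None) is not None:
                self.stripped += 1

        if environ.get("wsgi.url_scheme") != "https":
            # Plaintext request: answer only with a redirect. HSTS is not sent
            # here because browsers ignore it over plain HTTP (RFC 6797).
            path = environ.get("PATH_INFO") or "/"
            query = environ.get("QUERY_STRING", "")
            location = "https://" + self.canonical_host + path
            if query:
                location += "?" + query
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def add_hsts(status, headers, exc_info=None):
            # Replace any existing policy so exactly one HSTS header is sent.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, add_hsts)
```

A visitor's very first plaintext request can still be tagged before the redirect arrives; HSTS only protects later visits, once the browser has seen the policy over HTTPS.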
Kenn White, a security expert, has set up a page that allows mobile users to see their UIDHs, if they have one. You have to access the page using your carrier’s service instead of a WiFi connection. The page appears to have been created on October 27, and as of October 31, had over 1 million tests for UIDHs. White recommends using HTTPS, a VPN or a proxy service to prevent UIDHs from being created. He claimed that a UIDH that Verizon created on his account remained unchanged for nine days. AT&T is another company that has been using UIDHs with its customers.
While WebFl.us provides customers a valuable service in making their websites ‘perma-cookie-proof’, it’s not like ssRWD is so unique that no one else could offer it too. It’s also important to realize that ssRWD only thwarts UIDHs from the website provider’s perspective, not the user’s. Anyone visiting other websites should follow the advice of Kenn White if they are concerned about privacy.
If there is anything alarming about these findings, even though there are solutions, it’s this: up until a few weeks ago few people were aware of these UIDHs. What other privacy-compromising technology is out there that we don’t know about?
Edited by Maurice Nagle