How Verizon and Turn Defeat Browser Privacy Protections
Verizon advertising partner Turn has been caught using Verizon Wireless’s UIDH tracking header to resurrect deleted tracking cookies and share them with dozens of major websites and ad networks, forming a vast web of non-consensual online tracking. Explosive research from Stanford security expert Jonathan Mayer shows that, as we warned in November, Verizon’s UIDH header is being used as an undeletable perma-cookie that makes it impossible for customers to meaningfully control their online privacy.
Mayer’s research, described in ProPublica, shows that advertising network and Verizon partner Turn is using the UIDH header value to re-identify and re-cookie users who have taken careful steps to clear their cookies for privacy purposes. This contradicts standard browser privacy controls, users’ expectations, and Verizon’s own claims that the UIDH header won’t be used to track users because it changes periodically.
This spectacular violation of Verizon users’ privacy—made all the worse because of Verizon’s failure to allow even an opt-out—has already had far-reaching consequences.
UPDATE (1/17/15): Ad Network Turn Will Suspend Zombie Cookie Program. When Will Verizon?
“The kale salad of a perfect response”
— student in my Internet Law class.
The context was why people saying nasty things online have an advantage, one reason being that it takes time to craft the kale salad of a perfect response.
I just joined Ello, the ad-free, public-spirited, clean-design alternative to Twitter.
It’s pretty, and I like the spirit of the thing, but I’m not sure yet what I’ll do with it — many of the accounts there seem much more graphics-oriented than I am. Not to mention cooler.
Looks like the IAB is being all Habermasian again:
IAB Statement on Internet Confidentiality
In 1996, the IAB and IESG recognized that the growth of the Internet depended on users having confidence that the network would protect their private information. RFC 1984 documented this need. Since that time, we have seen evidence that the capabilities and activities of attackers are greater and more pervasive than previously known. The IAB now believes it is important for protocol designers, developers, and operators to make encryption the norm for Internet traffic. Encryption should be authenticated where possible, but even protocols providing confidentiality without authentication are useful in the face of pervasive surveillance as described in RFC 7258.
Newly designed protocols should prefer encryption to cleartext operation. There may be exceptions to this default, but it is important to recognize that protocols do not operate in isolation. Information leaked by one protocol can be made part of a more substantial body of information by cross-correlation of traffic observation. There are protocols which may as a result require encryption on the Internet even when it would not be a requirement for that protocol operating in isolation.
We recommend that encryption be deployed throughout the protocol stack since there is not a single place within the stack where all kinds of communication can be protected.
The IAB urges protocol designers to design for confidential operation by default. We strongly encourage developers to include encryption in their implementations, and to make them encrypted by default. We similarly encourage network and service operators to deploy encryption where it is not yet deployed, and we urge firewall policy administrators to permit encrypted traffic.
We believe that each of these changes will help restore the trust users must have in the Internet. We acknowledge that this will take time and trouble, though we believe recent successes in content delivery networks, messaging, and Internet application deployments demonstrate the feasibility of this migration. We also acknowledge that many network operations activities today, from traffic management and intrusion detection to spam prevention and policy enforcement, assume access to cleartext payload. For many of these activities there are no solutions yet, but the IAB will work with those affected to foster development of new approaches for these activities which allow us to move to an Internet where traffic is confidential by default.
Google released 750 new icons for phones and tablets that will undoubtedly take over the world. They’re free for anyone to use.
(Click above for a larger image of a some of them.) Cory Doctorow thinks this move by Google is great, and one disagrees with Cory at one’s peril since he’s usually right.
I suppose it’s language-independent and transnational. I can’t help but think, though, that the task of memorizing the meanings for these pictures will be akin to learning Chinese.
Wasn’t the move from pictograms to the alphabet supposed to be a triumph of civilization?
Oh, joy: despite a vigorous round of patching, Shellshock isn’t dead, and isn’t even resting:
Google security researcher Michal "lcamtuf" Zalewski has disclosed to iTnews that over the past two days he has discovered two previously unaddressed issues in the Bash function parser, one of which is as bad as the original Shellshock vulnerability.
"The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski said.
"The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug," he added.
— iTnews.com.au, Further flaws render Shellshock patch ineffective. Spotted via Slashdot