Robert Thau November 4, 2014 7:20 AM

To be technically picky, they’re actually adding stuff to the HTTP request other than the URL — which they’re leaving alone. Modifying URLs themselves could potentially screw up requests to servers that weren’t expecting it.

(There’s a lot in a request besides the URL — User-Agent, cookies, connection management stuff a/k/a keep-alives; Verizon’s adding their user-id tag to that pool of stuff, collectively “request headers”.)

CallMeLateForSupper November 4, 2014 7:43 AM

Tnx for shining a light on this article. The article I read elsewhere several days ago was neither as clear nor as comprehensive.

The reasons to steer clear of all things mobile just keep on piling up!

bitstrong November 4, 2014 7:51 AM

I noticed the Yahoo articles and advertisements are very different depending on whether I connect via Verizon or AT&T, same PC, same time. Verizon portable hotspot or AT&T UVerse WiFi, Yahoo seems to remember everything I was interested in for the past month, when I connect via Verizon. Just wondering.

ramriot November 4, 2014 7:54 AM

Saw this a while back and it got me thinking. What if you program your device to add and identical header on all outgoing traffic, but make the value random and change on each request.

Three possible results:-

1/ Duplicate header > which one if valid when the ad company pays for de-anonymization, partial WIN!

2/ Header replaced > same as now

3/ Header passed through with no addition as it thinks its already done > WIN!

Not having a Verizon, AT&T etc connection I cannot try this out.

Second suggestion, use their existing system against them by programming servers to capture the header and compile dossiers on each unique user. Send this to Privacy Zar and point out the inherent privacy leak.

Mark Pilipczuk November 4, 2014 7:57 AM

I’m glad to see that AT&T is only “testing” this. I’ve got an X-ACR label in my Broadcast UID field with how many other folks?

I also have Do Not Track enabled in my Safari browser on my iPhone, opening a question for advertisers: Does AT&T or Verizon care enough to relay that information to you so that, if you choose to respect Do Not Track, you can elect not to use the Broadcast UID information on a particular user?

paul November 4, 2014 8:08 AM

I look forward to the dismissal of hacking cases against people deploying malicious hotspots, on the grounds that everything they did was within their EULA.

Bob S. November 4, 2014 9:41 AM

Essentially Verizon and many other tech companies in the USA are on the payroll data vendors for the government. They get paid handsomely to turn over personal electronic data to the government(s) and get the added bonus of being able to re-sell data to marketers. It’s all done with impunity due to both public and secret agreements that assure no accountability.

There is no way to challenge it. All the government/corporate partner need do is say “Secret, secret, secret” three times, or as many as necessary thus giving complicit courts and government agencies an excuse to leave it alone.

Sure, there are still a few rogue judges and officials out there. They are allowed to make noises, throw an occasional monkey wrench, but in the end the war machine simply negates them. I dread the coming post-election laws with titles like, “Electronic Data Freedom Act”. I am certain they will, upon reflection, give the government/corporations more freedom to ransack our electronic papers, effects and possessions.

Verizon wouldn’t be doing super-duper cookies without the explicit approval of the defense intelligence agencies.

The STASI would be jealous.

It’s for you own good comrade.

Anura November 4, 2014 10:22 AM

The best way to avoid this is to use a VPN and don’t send unsecured traffic through your carrier’s data connection.

Steve November 4, 2014 11:22 AM

So Verizon might be a pioneer here, or migt just be the first one to be noticed. Surely AT&T will follow suit, along with other cellular carriers.

And what is there to limit this to just mobile? If Verizon is doing it for their mobile network, there is a good chance this is also in use for their FIOS customers. Ditto for all other ISPs.

Rob November 4, 2014 11:35 AM

I’m a AT&T unlimited data plan customer and my phone has the X-ACR.

I spent 50 minutes on the phone with AT&T customer support educating them about this; they knew nothing when I called. The supervisor told me that AT&T was committed to not tracking their users, and there’d be no purpose to it, etc. Essentially contradicting everything that AT&T spokesman Siegel said in the Forbes piece.

If enough of us rattle the cage, hopefully they’ll come up with deactivation instructions that actually work (or else I drop my dataplan and go strictly on WiFi)

Anura November 4, 2014 11:58 AM


Both ATT and Verizon have rolled out similar programs. It’s a good bet that the next step is going to be to roll it out to ISPs. We need end-to-end encryption of the internet.

Bob S. November 4, 2014 12:02 PM


Re: “The best way to avoid this is to use a VPN…”

I don’t think so.

I signed up for one supposedly highly regarded. Their servers are handled by a provider with suspicious government ties and the IP address although a South American registry, is to titled to “West McLean” (Va?), a few hours after used it when I restarted the hidden Windows Administrator account popped up (with no password) and so it goes on and on.

Frankly, I think the damned thing is a government operation.

Why isn’t NSA-CIA-FBI-GCHQ whining about terrorists using USA based VPN’s?

stvs November 4, 2014 12:11 PM

Anyone know the squid directive to shut this down? Is it this?

header_access X-UIDH deny all

I already use these as a matter of course on all mobile and desktop platforms:

header_access From deny all

forge Referer in Privoxy

header_access Referer deny all

header_access Server deny all
header_access Link deny all
header_access X-Cache deny all
header_access X-Cache-Lookup deny all
header_access Via deny all
header_access Forwarded-For deny all
header_access X-Forwarded-For deny all
header_access Pragma deny all

It’s very easy to configure and run an OpenVPN server and use OpenVPN on all mobile devices.

stvs November 4, 2014 12:31 PM

The wayback machine answers the question. Tell squid to deny these headers. T-Mobile uses MSISDN, Verizon uses X-UIDH, and AT&T uses x-up-subno.

header_access MSISDN deny all
header_access X-UIDH deny all
header_access x-up-subno deny all

Gopiballava November 4, 2014 12:32 PM

I used the opt-out link for AT&T, and it’s still injecting the X_ACR header. The author of the Forbes article wrote in the comments,
“AT&T later revised their approach to this. You can’t opt out of having the tracking code during the ‘test,’ but AT&T’s spokesperson says you will be able to opt out when their ‘relevant ad program’ actually launches.”

So their system knows that I have opted out – if I revisit the link, it tells me that I have indeed opted out – but it doesn’t actually opt me out. Wonderful.

Time for me to figure out how to force my iPhone to keep a VPN connection alive at all times, I guess. Annoying.

I wonder if something similar to the EU “we use cookies” warning could be encouraged? Try to get web sites on-board, having them display a link to the opt out link for people that have these malicious headers? Of course, currently it seems that you can’t really opt out properly.

Even if the UID changes every 24 hours, it’s still able to be used for malicious purposes. If I remove cookies from a site that uses this tracking ID, I can’t visit the site again until my UID changes or else they can reconnect my previous account to me. An owner of pairs of sites can connect any users who connect in the same 24h period. Anything less than a one-time use code is, IMHO, going to inherently have privacy implications that reach beyond what the carrier has intended to permit.

MF November 4, 2014 1:01 PM

It’s said that if you do not pay for a service then you are the product. How much do you have to pay in order to not be the product?

Nick P November 4, 2014 1:19 PM

@ Bob S.

“Why isn’t NSA-CIA-FBI-GCHQ whining about terrorists using USA based VPN’s?”

That’s such a simple and great point. Bruce should add it to his arsenal for any debates with FBI on encryption. Let’s see if they shuffle a bit in their chair before responding. If so, then BULLRUN is the answer to your question. 😉

Tim Helming November 4, 2014 3:14 PM

Anyone know if they modify the headers when the phone is tethered to another device (and the other device is the one originating the traffic)?

Anura November 4, 2014 3:20 PM

@Tim Helming

They modify the headers on the network side, so all unencrypted HTTP traffic going through the network, which includes teathered data, has the identifier added.

Nick P November 4, 2014 3:24 PM

@ Anura, Bob S.

As I think on it, I recall the OK Labs Nirvana phone concept where the phone became a desktop via a docking station. They worked with Citrix to let it do remote connections to business computers. This could work for us.

The mobile phone OS (application side) runs on an intranet computer. This is a real system, not a mobile SOC. It can therefore provide advanced security, performance, management, etc features. It can also make POTS or VOIP calls. The mobile phone SOC is set up to create a VPN to that computer through wireless or wifi. The VPN can also be implemented mostly or totally in hardware. Such a device will increase data usage dramatically, but trust as few middlemen as you want. You can always opt to only use it on WiFi. Additionally, more functionality in the interface (esp audio/visual) can be moved to mobile device if data bandwidth is a problem.

Peter A. November 4, 2014 3:25 PM

Verizon (and AT&T) now inject something into your traffic with impunity. So you should find another mobile operator.

But if they can do that and profit from it without even a slap on their wrist, what stops other mobile operators to do the same thing? So you need to VPN your mobile device or route the HTTP traffic through a proxy.

But what stops your VPN or proxy service to inject something into your traffic? So you need a VPN or proxy server that you can control. You may run it at home on your fixed ISP connection.

But what stops your home ISP to do the same thing – or worse? It does not need to inject any headers or cookies in order to sell you to advertisers. If Verizon provides a lookup service that given the value of the injected header returns information about you to whomever pays for it – what can stop any ISP (including Verizon as well) returning personal information in the response for a query with the connection’s source IP address? Think enhanced, dynamic, pay-per-query WHOIS service. This will be completely transparent to everyone but the real paying ad-customers of the ISP.

So you need to rent some (virtual) server space and configure your VPN/proxy all by yourself, and correctly. But what keeps your datacenter/VM provider from tagging your traffic or selling lookups for your personal details?

So you’ll buy your VM with bitcoins acquired via anonymous prepaid card (or the other way round) and provide false name and address. You’re safe at least… but no! You have to connect to your VM from somewhere! If that connection is tagged or can be looked up, what keeps your VM provider to re-tag and re-sell?

Using TOR for everything has its problems as well.

The only solution is legal. This can be stopped only if the company selling your data or using it for a different purpose than originally intended without your explicit consent expressed in a clear way (no fine print etc.) is quite inevitably going to be kicked REALLY HARD in its bottom [line]. It won’t be perfect but it’ll be a good start.

Anura November 4, 2014 4:02 PM

@Peter A

“The only solution is legal.”

That’s not a realistic solution either, at least it doesn’t work in countries like the US where politicians represent corporate interests instead of public interests.

Wael November 4, 2014 4:08 PM

@Peter A,

The only solution is legal

How about if they give us a piece of the pie? I am willing to give them my data for 50% of the money they make out of it 🙂 This is still a “legal” solution…
Look at it the other way: Satellite TV signals come to my backyard. If I intercept them, decrypt them, and watch TV channels for free, I can be prosecuted. Why is the reverse not valid? My personal data is on the internet (sometimes protected and encrypted), and carriers (Same entities that complain about DRM, and billing fraud,…) take the liberty to intercept my stuff, and sell it! That would be like me intercepting a satellite signal and ahem reselling it at a discount 😉 — Any attorneys in the house?

Wael November 4, 2014 4:48 PM

@Nick P,

The difference is that you typically agreed to a terms of service that allows it.

I knew that was coming — you are, of course, correct. But is that the case in all situations, or explicitly in the context of this thread’s subject matter? Hint: You saw the word “surreptitiously” in the title of this thread, which my dictionary defines as:
kept secret, esp. because it would not be approved of: they carried on a surreptitious affair.
How can I agree to something “secret, because I wouldn’t be expected to approve it”?

x November 4, 2014 7:20 PM

Somebody needs to write a browser add-on that inserts random garbage X-UIDH and X-ACR headers on every page request. If the ISP’s insist on doing this nonsense, then pollute their data and make it worthless.

AlanS November 4, 2014 8:53 PM

There’s also a more recent tool called Header Mangler. If you start inserting your own X-UIDH won’t they just strip it out or over-write it downstream? What we really want is non-Verizon customers inserting random X-UIDH headers.

khora November 4, 2014 9:12 PM

As someone who has worked with 130 different mobile operators, this is something that essentially all of them are doing in one way or another. Typically there is an agreement between a specific site and the operator to inject user ID into the traffic. The ID is often random to the site, but used to connect back to the operator for e.g. doing billing. Some operators add IDs to all traffic and some essentially add the phone number.

There are very few things unique to Verizon in this story. They add a tracking ID to all traffic and have paying corporate customers query their demographics and behavioral database. The only thing new here is that it is packaged in a low maintenance way (i.e. not adding headers only on specific targets when done for this purpose).

The second important thing to understand is that header injection is just an optimization. The API could just as well had been “send us the IP and port you are getting the request from and we’ll send you customer data”, but it adds latency. If you move to all HTTPS, then this latency is masked by the setup phase of TLS.

khora November 4, 2014 9:25 PM

If you start inserting your own X-UIDH won’t they just strip it out or over-write it downstream?

Yes, probably. There have been security issues where client headers weren’t overwritten, but I would assume Verizon to have a proper scrubbing, even if there are multiple X-UIDH coming from the client side. But you never know..

What we really want is non-Verizon customers inserting random X-UIDH headers.

Unless you happen to randomly pick an existing ID, I don’t see how this is going to affect anyone. To those who suggest that this will create a DoS attack on Verizon infrastructure need to remember that scalability was essentially invented by the telco industry before computers, and is something that they can do well when they chose to.

Wael November 4, 2014 10:22 PM


To those who suggest that this will create a DoS attack on Verizon infrastructure need to remember that scalability was…

Who suggested that? You’re the first to bring this up… Unless I missed it, most suggestions were directed towards preserving anonymity.

Coyne Tibbets November 4, 2014 10:51 PM

So we have X-UIDH from Verizon, MSISDN and X-MSISDN from someone (who from?), X-ACR(?), X-UP-SUBNO and X-UP-SUBSCRIBER-COS from AT&T, and Vodafone is using X-VF-ACR.

All at the same time.

Because everyone had the same bright idea to invade everyone’s privacy…using exactly the same strategy…at the same exact instant in time…

This looks to me like a government mandate. If it is, of course FBICIADHSNSADIA are not complaining.

Andrew_K November 4, 2014 11:43 PM

IMO the bigger problem is not what they are injecting. The problem is that they show on which scale they are prepared and equipped to mess with data streams.

This is technology otherwise associated with Intelligence, altough traffic manipulation is not that much of a new thing, too.

User tracking is probably just a vanilla application. Massive content manipulation is within reach. Whether the injection is a tracer or an additional JavaScript the will mess with the contents, that’s probably just a configuration thing.

This has “use end to end encryption!” written all over it, tough I personally still doubt that being a real solution to a systematic problem of the Internet.

Andrew_K November 4, 2014 11:49 PM

Apologies for the redundancy in the post above; I wanted to post it hours ago. Unfortunately I sent my laptop to sleep (there are things in life that just make you slam-close it) while it was just transferring this very piece of data. On waking up it resumed and… well, most of it has already been said by now.

Clive Robinson November 5, 2014 12:07 AM

I suspect there are only two ways to stop this,

The first as others have noted is a VPN style solution or through a header striping proxie etc down stream of the service provider.

The second is legaly for something like theft.

Courts can and do strike down contracts of adhesion especialy when it involves a monopolistic solution, the hard part is going to be showing a harm in terms of financial loss a court will recognise.

Clive Robinson November 5, 2014 12:20 AM

@ Nick P,

Along with Coyne Tibbits comment of,

This looks to me like a government mandate.

You should also consider Steve Friedl’s of,

I haven’t seen it reported who’s selling the gear

Which kind of makes it a doubly “interesting point”…

Clive Robinson November 5, 2014 12:41 AM

Off course this might be down –in part– to the FCC, who are being some what muddle headed about the internet.

Have a read through,

Be cause it raises a point about users and carriers.

Currently those who supply connectivity to users are not regarded by users any differently than a phone service provider, and the the suppliers of connectivity don’t want to be “put in that box” if they can avoid it.

Thus by “adding content to conversations” the service providers are differentiating themselves from phone service provision.

Rhialto November 5, 2014 5:23 AM

I find it very disturbing that they are actually altering the network data that my smartphone sends[1]! Technically that is a really really stupid thing to do. It means they have to alter sequence numbers in all subsequent data packets for instance. This is very invasive.

If taken strictly, it also means that they are not providing Internet service, since they are not transmitting the data I am asking them to transmit (but something else).

[1] if I had a smartphone. Another reason not to have one…

Vincent Van Ghost November 5, 2014 7:03 AM

I’m really sick off all this spying, data retention and mining so I’m signing up to a top VPN service. AT only about $40 a year they are pretty good value and have apps to make it easy for noobs.

Tor, or Orbot for mobile devices, should be used as much as possible where you aren’t signing into Social Media and identifying yourself, or shopping (even using Bitcoin may identify you on Tor) and aren’t using a VPN or Proxy. Though Tor can stop targeted advertising if you aren’t trying to hide your anonymity and greatly reduce data mining and other rubbish.

Not only should everyone endeavour to purchase a subscription to a good VPN service, but they should also ensure that their DNS requests are also encrypted and not leaking. You can buy an online gift card from Walmart or something then have it delivered online to a throw away email address, just to make it a little less obvious you’re paying for VPN service. There are also programs like DNScrypt but it’s much harder to set-up than a VPN service that uses OpenDNS. Once you set-up your VPN you should test if DNS queries are leaking to ensure you have configured it properly.

Disabling IPv6 in your operating system and browser also helps, in Windows right-click your Network Connection>Properties then deselect TCP/IPv6 and hit OK. In Mozilla based browser type “about:config” in the address bar and agree to be careful, then type “IPv6”, press enter and double click on “network.dns.disableIPv6” so it’s value changes from ‘false’ to ‘true’. Also use browser extensions like NoScript to block tracking and Ref Control to forge your header for sites you don’t frequent or want to add to the extensions white-lists.

Most good VPN services will allow 5 simultaneous connections so you can run the service on your desktop, laptop, tablet and smart phone. Apps are available for Android and IOS or you can set the VPN settings manually yourself. Once set-up run a couple of leak tests to ensure the VPN is configured properly and your device now presents a different IP address online.

You can also purchase routers online flashed with custom DD-WRT or Tomato firmware that provides increased security and VPN settings preconfigured for one of the top VPN services. Flashrouters has some good deals, but there are also other VPN router providers.

Do a search for the top Ten VPN services and pick one that suits your needs and lifestyle. Let’s stick it to the man and the data mining mob getting rich at our expense.

ATT complaints November 5, 2014 8:17 AM

Complain to AT&T about their failure to protect your confidentiality here:

PO Box 691020
Tulsa OK 74169-1020
fax: 918-204-6559

Bee November 5, 2014 8:58 AM

@ Vincent: good points, esp about watching for DNS leak. When I use my VPN using my phone, I get DNS leak.

Anyone know a way to stop DNS leak on
Android? My VPN provider doesn’t know. Thanks any help.

Gopiballava November 5, 2014 10:48 AM

@Vincent (and a few others with similar ideas):

“You can buy an online gift card from Walmart or something then have it delivered online to a throw away email address, just to make it a little less obvious you’re paying for VPN service”

Good luck trying to convince a jury that the reason you’re doing all of this is because you don’t want Verizon to share your demographic information with advertisers. The jury will probably believe the prosecutor’s claim that putting all this effort into hiding is evidence that you were doing something evil and bad and knew it was bad.

re: customized ads, I just used my iPad to search for some LCD displays on digikey. Then I went to my laptop and visited facebook. Right there was a banner ad from digikey showing me one of the LCD displays I was just looking at. Feelt a bit creepy.

John November 5, 2014 10:57 AM

If they are having to do this injection in order to track the users, does that imply that they had no means of tracking users prior, or just that they were limited to the NAT, and want a more granular level of tracking? I am sure the three letter agencies are thrilled with this, more data for them to subpoena.

Terry Cloth November 5, 2014 12:35 PM

Am I right in assuming X-'' headers in HTTP are analogous to theX-” headers in SMTP? That is, the official protocols completely ignore them and they are only of use to other programs?

If so, is there some way to specify a connection should not carry any X-headers, or should discard any received?

I fear that would, once more, require relying on the kindness of strangers who have already proven themselves unkind.

Curious November 5, 2014 2:05 PM

That patent appear to have a very recent publishing date:, 9. Sept. 2014.

Reading through that patent, is it just me or does the following from the text sound a little weird:

“(…) the content providers may provide services, applications, and/or content that are targeted to the subscribers. ”

“The content providers may, thus, not be able to provided targeted services, (…)”

I am not familiar with this kind of English. The phrasing with the word “targeted” sounds so weird to me. I am thinking that this is a clumsy way of describing a concept, or maybe I am just missing the point.

I can understand that perhaps “targeted content” is to mean the same as select content, but I think it still sounds vague and weird somehow. As if the notion of “targeted content” is lacking in clarity. I just think this kind of phrasing sound much too vague.

Jeremy November 5, 2014 2:44 PM

@Nick P,
The difference is that you typically agreed to a terms of service that allows it.

No, we have the legal fiction that you agreed to terms of service that allow it. But that legal fiction doesn’t even pass the straight-face test.

If we could wave a magic wand and make it actually impossible to use any product or service without reading, understanding, and following their terms of service, most of those services would go out of business overnight, because (1) most users of most services would rather stop using them than make the effort necessary to understand the terms, (2) most of the users who actually tried to understand the terms would fail, because they are not legal experts, and (3) many terms are completely impractical to follow even if you read and understood them.

I recently read (OK, skimmed) the TOS for a major web site and noticed that “accessing the Service” is a violation of the TOS. No joke. This site’s users probably number in the millions, and it is logically impossible that a single one of them is actually following the TOS (since anyone who follows that term is, by definition, not a user).

Bauke Jan Douma November 5, 2014 2:51 PM

For a start, features like these are implemented by programmers. There’s a good chance they are active on sites like Stackoverflow and its sister sites. What we need to do is get their names, or have people leak their names, out them, blacklist them, and ruin their online reputations.

Anura November 5, 2014 4:40 PM

@Terry Cloth

“Am I right in assuming X-'' headers in HTTP are analogous to theX-” headers in SMTP? That is, the official protocols completely ignore them and they are only of use to other programs?”

Correct, they shouldn’t be necessary for websites to functions; although you can’t guarantee they won’t break anything, it’s unlikely that they will.

“If so, is there some way to specify a connection should not carry any X-headers, or should discard any received?”

Unless you are connecting to a proxy server, this won’t be possible since this is happening at the network level. So, basically:

[Phone]–HTTP Request–>[Cell Tower]—>[TLA]—>[Cell Network]–|Tracking ID Inserted Here|–>[TLA]—>[Internet]—>[TLA]—>[Remote Server]—>[TLA]

The only way you can stop it is if the connection is encrypted so that the header can’t be inserted, either via a VPN (which works for all apps) or a secure proxy (which may have to be configured separately for each application). The other alternative is you can connect to another proxy that allows you to strip headers, but at that point you might as well just encrypt the connection. I wouldn’t be surprised if on some phones on some carriers, the browser itself started inserting an ID that would work even if it is encrypted.

Anura November 5, 2014 4:42 PM

TLA is kind of a poor term, given that it should really include the GCHQ. Maybe we should use Abbreviagencies instead?

Verizon customer (for now) November 5, 2014 5:20 PM

“The difference is that you typically agreed to a terms of service that allows it.”

I am a Verizon customer, and I am pretty sure I did NOT consent to having tracking info added to every http request. I also opted out of all targeted advertising, have “do not track” enabled, use Ghostery, and reset my advertising ID daily.

This is a showstopper for me, and I would never have signed up as a Verizon customer had I known they were doing this crap. I intend to call Verizon this week and let them know that if they don’t let me out out of the header injection, then I will opt out of their network.

Nick P November 5, 2014 6:44 PM

@ Verizon customer (for now)

Verizon Wireless Customer Agreement

Verizon Privacy Policy

Their agreements and policies are to have their customers under a high degree of surveillance, monetize that data themselves, and sell it to third parties in anonymized ways (specifics undefined). There’s also liability limits on customers’ lawsuits. So, anyone using this service should expect them to be monitoring in all sorts of ways.

They do provide opt out provisions for each specific thing they claim to be doing. If you used all of them, then you might have not consented and would have a claim against them. The problem here is that it would be limited to “direct damages” you incurred from this privacy violation. That’s probably hard to prove and would likely be a tiny amount of money if you did. So, they have a dual strategy of ensuring consent to many forms of surveillance in the contract and then ensuring their violations will have minimal financial impact. I’m sure other major cell companies have similar clauses.

Cell phone companies: not to be trusted. More justification for cell phones with end to end or proxied protection against carriers.

@ Other readers

Are there any legal cases about privacy violations with direct damages where the user won? Or invalidated that part of the agreement due to oligopoly or some legal standard? I’m curious about that.

Lurker November 5, 2014 7:39 PM

@Nick P

There are principles in contract law that would almost certainly roll back the terms at least in part, but how much would basically come down to the judge probably.

A drastic imbalance in bargaining power will, iirc, lead to any ambiguity basically defaulting to the weaker party’s favor for instance… which is probably why they are so long and thorough with these things.

If it’s basically trying to make it impossible to ever sue them and hiding behind legalese and such, the right judge would probably throw out all the limitations altogether (on the grounds that the conduct is outrageous, and that there’s no way he’s letting them have any cover at all… an appeals court might roll that back a bit of course).

Of course, the insane growth in length, obscurity, and obfuscation in all these ToS and all is just awful frankly. It used to be that common sense was allowed to resolve the nature of arrangements. Now it’s a triple-thick CYA that is so long they can’t resist slipping in language to screw the consumer extra hard because nobody without a law degree has a chance of parsing most of it.

Dirk Praet November 5, 2014 7:59 PM

@ stvs

Tell squid to deny these headers. T-Mobile uses MSISDN, Verizon uses X-UIDH, and AT&T uses x-up-subno…

I guess in Privoxy that would translate to

1) Add to user.filter


Remove AT&T, Verizon and T-Mobile header injections


CLIENT-HEADER-FILTER: rat-control remove MSISDN, X-UIDH and x-up-subno headers.


2) Add to user.action

Remove Att, Verizon and T-Mobile injected headers


at&t November 5, 2014 8:05 PM

I complained to AT&T. This is what they sent me:

To opt out of reporting initiatives:

To opt out of relevant advertising initiatives:
or . You must opt-out from each computer browser or wireless device they wish to exclude. Customer Service cannot complete the opt-out.

I did all that, but of course browsing to or shows that that X-ACR http header persists.

This looks like it can only be solved with VPN and a class action lawsuit.

Wael November 5, 2014 8:46 PM

@Dirk Praet,
Nice to see as always!

@Nick P,

Hope you’re doing well

He can bench-press a bus now 😉 And his Japanese is perfect!

Curious November 6, 2014 2:53 AM

I initially wanted here to try forumlate a sensible set of sensible problems regarding the use of anything “X-UIDH” in relation to existing issues with data retention/data collection/data gathering or anything ‘metadata’, however atm this is a unusually unclear in my head.

The things I sort of start thinking about are:
• Would anything “X-UIDH” fall outside the recent/future “debate” about data retention/collection/gathering?
• What laws relate to the use of “X-UIDH”?
• How does anything “X-UIDH” relate to the meaning of ‘metadata’ (the meaning of “metadata” being dualistic, being both a type/class of data, and personal data).
• Is any data from the use of “X-UIDH” personal, governmental, corporate or even “3rd party”?
• Is there a difference between how the laws regulate ISP activity (data retention) vs what data any other corporation/organization deal with?

I guess I was mainly speculating about how anything similar to “X-UIDH” would become a way to conduct espionage/surveillance, while simultaniously not being debated (by authorities) because of inadequate terminology, or simply having no intent to try discuss it.

Drup-ke-wri-moiv November 6, 2014 3:10 AM

Maybe they are not tracking users for commercial reasons. – If they have a (secret) court order to modify user requests.

Dirk Praet November 6, 2014 3:55 AM

@ Nick P. , @ Wael

Thanks, guys. I’m doing quite well. Been busy with a lot of stuff that’s been taking up most of my time. But I’m still around.

anonymous November 6, 2014 5:32 AM

@Rhialto: I fully concur: they are strictly not providing Internet connectivity, but something else. Something inferior.

and in doing so, they are “adding value” “creating content” for their true customers’ benefit and therefore some sick, twisted, lawyer’s interpretation of “free speech” apparently protects their infringement of your freedoms, including your freedom of speech.

How sick is that. Who isn’t sick of living in a world where such arguments are actually taken seriously. These guys shouldn’t be listened to. They belong in a loony bin, together with our worthless crony governments.

concerned but November 6, 2014 8:13 AM

Can someone tell me why my German T-Mobile smartphone might throw up this as a http request header on those two sites listed above ( and


That IP address resolves as ‘AT&T Services, Inc.’ – I’m using a German 3G service. I understand this hasn’t got anything to do with the Verizon tracking headers (my apologies for being off-topic), but hey, people often learn about a terrible disease when they go to the doctor for a simple back ache.

Coincidentally, tells me I’m based in Saint Louis!?

vas pup November 6, 2014 8:57 AM

@Jeremy • November 5, 2014 2:44 PM.
Your point is right. TOS or any privacy terms of usage are ugly kids of self regulation by the industry having the main goal to give you as a customer zero chance to challenge it in court, and even deny you access to the court (mandatory arbitration), ban class action law suits you name it. Those are examples when you actually read those multiple pages of legalize hard to understand even by the person with Law degree. Government regulation should provide mandatory minimum privacy protection for the customer, disclosure by the company ALL usage of collected personal information on customer request, opt-in as basic/default model of relationships. How? This Government regulations should be developed by non-Government, not affiliated with big business organizations like EFF based on input provided by folks like these respected bloggers, professionals like Bruce. Their recommendations/draft should be publicized on the net, submitted on the eve of the next election to all prospective politicians (legislative, executive – both state and federal level) and asking them on ALL meetings with electorate
to approve or deny such legislation. If they approve, then do nothing after being elected, provide them for grinding on Daily Show or Colbert Report making clowns out of them. If they deny – just don’t vote for them.
Sorry, I don’t see any light at the end of tunnel on this issue for now.

Dave November 6, 2014 9:35 AM

@all those suggesting Squid, etc.

Maybe I missed something here. If the headers are added by the carrier after the tower as it would seem since roaming phones were tagged too, then a proxy on the end points does nothing for you. Your phone proxy will find nothing to remove and even if it did the network will just put it back for you.

Or are you suggesting running through a proxy after the fact.

Silent Underground November 7, 2014 12:31 AM

I am totally taken back from this. I so loved Verizon’s buffalo burgers when I worked there, I had no idea they were in it to fuck me.

Admittedly, I was a bit more concerned about end user privacy when Verizon shifted me to work for Asurion who takes all the dead phones.

Curious November 7, 2014 1:09 AM

Can a supercookie be embedded into an IPV6 address?

Not being into security, I can’t really tell for sure if such a thing would make good sense. To be perfectly honest, I’ve always wondered if ipv6 would end up being abused somehow.

Somebody please stop me if “supercookie” is an inappropriate term. I noticed that Slashdot had an entry that used the phrase “stealth cookie”.

PJ November 7, 2014 9:51 AM

A couple of posts mentioned following the AT&T opt-out instructions without results, but my attempts appear to have been successful.

I visited and and both sites tested positive for tracking with ACR on a 4G LTE cellular network.

As suggested by the Forbes article linked at the end of the EFF article I visited and opted out for that device over the cellular network.

I cleared all browser data and restarted the phone.

Upon returning to the two testing websites, in both Firefox and Chrome (both with cleared data), the tests were negative for ACR. The ‘broadcast uid’ field was blank.

I also found that the tests were again negative after visiting other websites.

Wael November 7, 2014 10:12 AM



blockquote>As suggested by the Forbes article linked at the end of the EFF article I visited and opted out for that device over the cellular network […] I cleared all browser data and restarted the phone.Thank you! I also confirmed that on an iPad after reading your post. Seems a system restart is needed.

Wael November 7, 2014 10:25 AM

Steps for those with negative results:
– Go to and opt out
– Clear browser data
– kill browser process
– Cycle power
– Test tracking on both sites

For confirmation of the opt out status, visit again to opt out. It should say:
Our records indicate that this device has already opted out from receiving AT&T AdWorks Relevant Advertising.

Of course this is for AT&T. I don’t know whether Verizon has a similar option… I have to repeat this for several devices since the optout is valid only for the device the request came from (has a good possible implication.)

Curious November 7, 2014 12:15 PM

Speaking of Verizon. I learned today that there has been a sizable document leak about tax dealings in Luxembourg involving alot of international companies, and I noticed that Verizon is mentioned with its 12 page document. The story is 2 days old it seems, but I seem to have missed it completely.

I didn’t read the particulars, but the general issue of all these tax agreements seem to be about taxation rate being much lower than the standard 29% local tax, and instead might be as low as 10% or even 1%.

A rebuttal from Luxembourg seem to be about how they claim everything is totally ok and legal, and that the whole thing has been misrepresented or somesuch.

rob November 7, 2014 3:42 PM

I did the AT&T opt out thing and it didn’t work. Actually chatted with someone there and there is now an open case.

I highly recommend people do this. Create cost.

Tom November 8, 2014 12:12 PM

The best fix is surely for all web browser, on and off that particular network, to include a random version of the header on every request ?
Sounds like an easy Firefox extension…

BoppingAround November 8, 2014 5:09 PM


They used to say, “If you’re not paying for it, you’re the product.” But now you can be paying $80 a month for it, and still be the product.



I doubt it. This header is obviously added somewhere further the route (not on the end user terminal). Anything that comes in the field from a terminal would probably be overwritten.

Ray Fifo November 11, 2014 10:30 AM


What we really want is non-Verizon customers inserting random X-UIDH headers.

Unless you happen to randomly pick an existing ID, I don’t see how this is going to affect anyone. To those who suggest that this will create a DoS attack on Verizon infrastructure need to remember that scalability was essentially invented by the telco industry before computers, and is something that they can do well when they chose to.

Actually, it would be more about reducing the signal-to-noise ratio to a level where the advertisers would no long agree to pay Verizon’s requested fee for decrypting the header. Of course, if the noise is easily filtered, then it’s all for naught.

Buck November 15, 2014 11:33 AM

Well this is kind of a shame… I really thought the so-called ‘perma-cookie’ or ‘supercookie’ could have been a big win for the open-source community!

AT&T Stops Using Undeletable Phone Tracking IDs

AT&T says it has stopped its controversial practice of adding a hidden, undeletable tracking number to its mobile customers’ Internet activity.

“It has been phased off our network,” said Emily J. Edmonds, an AT&T spokeswoman.

No doubt, the telcoms will continue to sell these identifiers to various governmental agencies… But who knows, with all the positive PR in the press, they might even be able to snag some more customers (curious about how they can use this new tracking technology to better their ‘brand’ or ‘reach’ or whatever the kids call it these days).

Hmmm… I guess I can always just start up a billion dollar international ad agency, approach some ISPs with fistfuls of cash, buy up any database I can get my hands on, and then leak them all to ‘hackers’ >:)

65535 April 25, 2015 9:55 PM

@ Steve Friedl

“If this is working for the cellular carriers, isn’t it just a matter of time before the cable/DSL carriers start doing the same thing?”

Eventually, I would suspect these injected headers would be used with DSL/Cable. But, with a fixed location DSL/Cable connection the DSL/Cable companies already have your IP, location and all billing information.

The troubling aspect of any http injection is the chance of a key logger or other malware being load on your cell phone.

I am beginning to hear stories of Quantum family of bugs and other modular malware being put on civilians Androids and iOS phones by private investigators. Packet injection [and/or page/link redirection] could be the infection vector.

This malware is probably used high profile divorce cases where one of the two sides of lawyers is trying to ascertain the next legal move by his adversary.

In short, the Vup@n and the Hacking Te@m style of modular malware are now being used by private investigators on civilian iphones for monetary gain.

@ Nick P

Tangentially, it looks like Fox-IT has made progress with a Snort add-on to detect Quantum injections.

I would like to hear from some experts as to the effectiveness of this software to detect packet injections and remediation. This Fox-IT software appears to work best with man-on-the-side “race condition” http injections.

From what I understand, it flags duplicate packets with payloads 10% +/- differences at the snort firewall.

Take a look at the link Nick P and let me know if this stuff works [to harden against http injections at the office].

I don’t know how well the above would work against header injection from a mobile carriers [The AT&T and Verizon’s of this world really control what comes out of your connection – which they control… not to mention their abusive TOS agreements]. Snort probably is not made for iphones and may be of little help with mobile carriers.

gordo April 26, 2015 11:05 AM

@ 65535

Snort probably is not made for iphones and may be of little help with mobile carriers.

That appears to be so:

However, the below proof-of-concept might solve that:

DIY-Cellular-IDS [CIDS]:

For less than $300, LMG created a CIDS by modifying a Verizon Samsung femtocell and redirecting traffic to a Linux-based Snort server. To test the effectiveness of the CIDS, LMG infected a smartphone with the Android.Stels malware and developed custom-written Snort rules to detect it.


Do-It-Yourself Cellular Intrusion Detection System
LMG Security, July 24, 2013
[77 pages]

…and here’s the DEFCON 21 demo/presentation on YouTube:

Do-It-Yourself Cellular IDS
Published on Feb 23, 2014

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.