Death to Verizon Zombie Cookies!

January 20, 2015 Updated: January 20, 2015

They lurch along, eyes blank, unkillable, hungry for your personal information: The Verizon zombie cookies worked in darkness, until ProPublica published a story about them on Jan. 14. The thing was, even if a user cleared the cookies, they were reborn; they rose from the grave. Edgar Allan Poe could have written it!

According to PC Magazine, a cookie is a “small text file created by a Web site you visit that is stored on your computer … Cookies provide a way for the Web site to recognize you and keep track of your preferences.” They help advertisers send you targeted ads, and help pages load properly for a user. All this is efficient and helpful, but there are times when a person would like to be anonymous on the web. A dread zombie cookie did not allow that. It would recreate itself and reappear, associated with a device-specific UIDH (Unique ID Header), in English, with your Verizon cell phone or tablet. According to ProPublica, Verizon and AT&T users complained that the UIDH could track all their web activities on a certain device.

The Verizon zombie cookies came from “a method Turn uses to deliver tailored advertising to mobile browsers,” according to Max Ochoa, General Counsel and Chief Privacy Officer at Turn, an online ad company.

A cookie is a “small text file created by a Web site you visit that is stored on your computer.
— PC Magazine

Ochoa wrote in a blog post for his company that “Consumer privacy and choice are bedrock principles at Turn. We do not handle or store personally identifiable information (for example, name, email, phone number, credit card, SSN) to deliver relevant advertising. We are committed to honoring a user’s choice to opt out of tailored advertising from us.”

Ochoa wrote that they had done nothing wrong, but nonetheless would respond to people’s unease and stop the practice. “By early February, Turn will not “re-spawn” cookie IDs associated with the Verizon UIDH.”

He criticized the ProPublica story for what he said were a few inaccuracies, but wrote “we value the work that ProPublica is doing to bring attention to the broad issues of data privacy.”

If Ochoa is right, that his company was not in any way violating people’s privacy, it raises the question of what to worry about and what not to worry about.

An Associated Press story on Jan. 20 warned that the website connects to multiple third-party vendors. It asked whether an individual user’s private medical information could be exposed. It questioned why the federal health exchange links to so many outside vendors, unlike other government web sites. Yet since its purpose is to connect people to health insurance, it would seem that connecting to them must be necessary.

One security expert said that fears about data on are overblown. Sam Fields, VP of Operations at Netrepid, wrote in an email: “Data is always at risk—whether it’s because of brute force hacking attempts or because an intern with some data on a thumb drive forgets that drive at the coffee shop. When there is data out there in the wild, it is at risk. All of that said, if the team behind put security standards in place for encryption in transit and encryption at rest, and those encryption standards have been audited and accounted for, then user privacy should be fine and in line with the latest HIPAA and government standards.”