March 9, 2016
By Julia Angwin, ProPublica
Verizon agreed to pay $1.35 million to settle Federal Communications Commission charges that it violated customers’ privacy when it used a hidden undeletable number to track cellphone users.
In the settlement, Verizon also agreed to make its unkillable “zombie” cookie opt-in, meaning that users are not tracked by default. Previously, users had been tracked by default unless they opted out.
However, the settlement does not apply to Verizon’s tracking of its customers who visit the 40 percent of websites that use AOL’s ad network. That is because Verizon owns AOL, and therefore it is not considered a third party that requires opt-in.
That means that unless Verizon users opt out, they can still be identified when they use their smartphone or tablet to browse Web pages containing AOL’s tracking code.
The Verizon controversy dates back to the fall of 2014, when a flurry of news outlets, including Wired and ProPublica, reported that Verizon and AT&T were attaching tracking numbers to their subscribers’ Internet activity, even when users opted out.
The tracking numbers could be used by websites to build a dossier about a person’s behavior on mobile devices 2014 including which apps they use, what sites they visit and for how long.
Soon after, AT&T stopped using the controversial identifiers. But Verizon said it would keep using them 2014 and assured users on its website that “it is unlikely that sites and ad entities will attempt to build customer profiles” using its identifiers.
In January of 2015, ProPublica reported that an online advertising company was doing just what Verizon had promised wouldn’t happen. A company called Turn was using Verizon’s identifier to respawn tracking cookies that users had deleted. ProPublica dubbed the unkillable identifier a “zombie cookie.”
Two days later, Turn said it would stop using the zombie cookie. And a few weeks later, Verizon also reversed course, and said users could now kill the previously unkillable cookie – but users still had to go in and fiddle with their privacy settings.
In October, Verizon said it would give the zombie cookie a new life as a way to boost the tracking abilities of its AOL subsidiary.
The new settlement is the latest sign that the FCC is stepping up privacy enforcement actions. The FCC chairman has said that the agency will soon propose new privacy rules for Internet providers.
In the Verizon case, the agency alleged that the company’s actions violated the privacy protections of the Communications Act. It also said Verizon violated the commission’s Open Internet rules, which requires telecommunications carriers to be transparent about the use of their customer’s proprietary information, and to only use to provide services.
Verizon spokeswoman Adria Tomaszewski said that the FCC order would not change the company’s current practices because it had already stopped using the super-cookie in all cases except sharing with its AOL network.
“Over the past year, we have made several changes to our advertising programs that have provided consumers with even more options,” Tomaszewski said. “Today’s settlement with the FCC recognizes that.”
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.
Julia Angwin is a senior reporter at ProPublica. From 2000 to 2013, she was a reporter at The Wall Street Journal, where she led a privacy investigative team that was a finalist for a Pulitzer Prize in Explanatory Reporting in 2011 and won a Gerald Loeb Award in 2010.