Verizon's Zombie Cookie Enables Targeting Advertising Efforts

Despite public statements that government surveillance goes against the Constitution and congressional scrutiny of Facebook’s tracking cookies, leading carriers such as AT&T and Verizon continue to develop so-called “stealth” tracking cookies.

These undeletable tracking cookies are able to bring even deleted cookies back from the dead. Such cookies are able to track a customer’s web activity and location and can’t be disabled through browser settings. Security researchers have only recently realized that Verizon has been modifying wireless customers’ traffic to embed a unique identifier traffic header.

More information

Many Verizon customers may have these zombie cookies installed in their mobile browsers. These contain identifiers that assist Verizon’s advertising partner, Turn, in the delivery of targeted mobile advertising. Through information provided by Verizon, Turn can restore this cookie even after users clear their browsers.

Verizon makes Turn’s persistent identifiers possible by sending an HTTP header called X-UIDH to every unencrypted website visited by Verizon customers. Customers interested in privacy should not do so in commonly accepted ways. Instead, they’re advised to do so only in ways accepted by the online advertising industry.

As far as Turn is concerned, clearing cookies from a browser doesn’t qualify as an acceptable expression of one’s desire for privacy. Nor does activating a browser’s privacy mode, or enabling a browser’s Do Not Track setting. In order to opt out, users must visit the Turn website, the Network Advertising Initiative website, or the Digital Advertising Alliance website.

According to Verizon’s website: “… it is unlikely that sites and ad entities will attempt to build customer profiles” using these identifiers. AT&T response to the privacy rights controversy was that their use was only for testing and has since terminated the program.

Despite their insistence that the undeletable cookies would not be farmed to build customer profiles without prior consent, Verizon’s cookies have been used by Turn, the advertising clearinghouse, to create zombie super cookies. The company has used Verizon’s hidden tracking cookie to resurrect deleted dead cookies.

Other voices

TechDirt believes that Verizon is not overly concerned about how their hidden cookie is abusing customers’ privacy rights:

“When asked about Turn’s use of the Verizon [unique identifier] number to respawn tracking cookies, a Verizon spokeswoman said, ‘We’re reviewing the information you shared and will evaluate and take appropriate measures to address.’ Turn privacy officer Ochoa said that his company had conversations with Verizon about Turn’s use of the Verizon tracking number and said ‘they were quite satisfied.’”

According to ProPublica, Turn has also stated that it allows for opting out of their zombie cookies, but research has shown otherwise:

“Initially, Turn officials also told ProPublica that its zombie cookie had a benefit for users: They said they were using the Verizon number to keep track of people who installed the Turn opt-out cookie, so that if they mistakenly deleted it, Turn could continue to honor their decisions to opt out. But when ProPublica tested that claim on the industry’s opt-out system, we found that it did not show Verizon users as opted out. Turn subsequently contacted us to say it had fixed what it said was a glitch, but our tests did not show it had been fixed.”


This article takes a look at Verizon’s so-called “zombie” cookies, installed on customers’ mobile browsers. The cookies help advertising partners in targeted mobile advertising and can be restored even after being cleared from a customer’s browser.

CIPP Exam Preparation                                      

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Purposes and uses of PII (I.C.c.)
  • Privacy expectations (II.A.)
  • Personalization – end user benefits and privacy concerns (II.C.a.; II.C.b.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>