The FCC slaps Verizon on the wrist for using invasive “supercookies,” but a loophole will allow its mission to monetize paying customers to continue.
Privacy advocates cheered earlier this week when the Federal Communications Commission cracked down on Verizon for tracking its paying customers without their consent. But thanks to a loophole in the Commission's ruling, the largest carrier in the US will still be collecting a great deal of that behavioral information unless users proactively opt out.
Since 2012, Verizon has been quietly spying on its customers with unkillable "supercookies," persistent tracking beacons that allow the telecom behemoth, its advertising partners, and any third party that knows to look for them to track users as they browse the web.
On Monday, the FCC issued a consent decree hitting Verizon with a $1.3 million fine for injecting those tracking beacons, called Unique Identifier Headers or UIDH, into unencrypted traffic on its network without customers' knowledge or consent—a violation of both the Communications Act of 1934 and the FCC's Open Internet Transparency Rule.
Apart from the fine, the FCC also ruled that Verizon must be more transparent about its use of the beacons and, crucially, must not share customers' beacons with third parties unless they opt in.
But the decree has a glaring loophole: Verizon can still track customers who haven't specifically opted in, by way of AOL's expansive advertising network, which according to ComScore reached 35 percent of all desktop internet users through ads appearing on websites they visited in January. That's because Verizon now owns AOL, making its ad network a Verizon subsidiary instead of a "third party."
"With respect to sharing UIDH internally within Verizon, Inc. and its subsidiaries, it must obtain either opt-in or opt-out consent from its customers," the FCC's decree states.
In other words, apart from Verizon parting with some pocket change and being subject to new transparency requirements, very little has changed.
Verizon even admitted to ProPublica that the order doesn't affect its current operations, since it had already stopped sending the beacons except to visitors of sites that are part of AOL's ad network—which, again, already reaches an enormous percentage of web users. In October, when Verizon announced it would revive the beacons to use across AOL web properties, its ad network's reach was as high as 43.3 percent of the web-using populace, according to ComScore.
You may recall the uproar that occurred when researchers first discovered Verizon attaching the UIDH tracking beacons to all unencrypted traffic on its network. The company responded by allowing customers to opt out and reassuring them that outside third parties wouldn't use the beacons to create their own customer profiles. The latter claim lasted about a week, at which point security researchers discovered a company called Turn doing exactly what Verizon said wouldn't happen (Turn announced shortly afterward that it had stopped using the beacons, but there was nothing stopping other companies from doing the same).
The consent decree also officially terminates the FCC's investigation of Verizon's UIDH practices, so there will likely be no further examination of the company's consent-less tracking. And while the company now provides a way to opt out, it's well known at this point that default settings always rule the day, and few people ever go to the necessary lengths to change settings once they're opted in to something.
The fact is that Verizon, like a rapidly increasing number of companies, is now in the business of monetizing behavioral data. And if big companies can't easily monetize that data via third-party ad networks, they can simply buy out those networks and do everything in-house.