Thursday, October 23, 2014

Verizon Wireless injecting tracking UIDH header into HTTP requests

Reading Hacker News today, I found a frightening post on Verizon Wireless injecting tracking UIDs into HTTP requests. The upshot is that Verizon Wireless is sending a unique identifier for you to each and every unencrypted website you visit, which means that advertisers (or worse) can track everywhere you have been. This occurs even if you opt out of all the Verizon tracking, use a privacy mode in your browser, enable Do Not Track, use a different browser, send your own bogus UIDH header, change to a new phone, or use a tethered laptop for browsing. The only known solution is to encrypt all your browsing. You can do this using HTTPS Everywhere, but this only works if the website supports HTTPS. The best solution is to use full encryption using a VPN like TunnelBear or Tor. More details follow.

First a little bit of background. When your browser accesses a webpage, it uses a protocol called HTTP to talk with the server hosting the webpage. As part of the request, your browser sends some header fields which provide information about what you want to get back. This includes your IP address and some information about your browser which can actually be enough to uniquely identify you. To see some of the information your browser is sending, check out your request headers here or here.

Verizon Wireless is adding its own header, X-UIDH, which includes a unique identifier that it sends to the webpage. You can check whether your phone is getting the header added here or here. Just make sure you turn off Wi-Fi before running the test. Verizon has two patents on the subject: "Obtaining targeted services using a unique identification header (uidh)" and "Multi-factor authentication using a unique identification header (uidh)". The most illuminating part is Figure 5 from the first patent:

It becomes very clear that all this is intentional, which was confirmed by my call to Verizon. I talked with a representative of Verizon Wireless, and once they understood the situation they offered several (ineffective) solutions. (1) Use HTTPS instead of HTTP. Naturally, this will only work for the small subset of web services that provide HTTPS. (2) Use Do-Not-Track in the browser. However, my testing showed this had no effect. (3) Use a privacy mode. Again, this had no effect. After talking with a supervisor, the representative then told me that this behavior is normal and expected. Moreover, he claimed that the UIDH header and a standard HTTP connection are a sign to the webserver that you are a good internet citizen, and not a hacker trying to do something untoward. This was a blatant misrepresentation of why some websites do not support HTTPS. After further discussion he ended up agreeing with me, but said there was nothing he could do to help.

What can we do? First off, this is already being exploited in the wild, so start using a VPN. Next, let's get Verizon Wireless to change this policy. Do your own testing, tell your friends, and post your complaints online! There is already a bunch about UIDH on Twitter.
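
One way to run the kind of header check described above, as an added example that is not from the original post or from the test pages it links to: an endpoint echoes the request headers it received, and the client compares them with exactly what it sent, so a header that was inserted or overwritten in transit (such as X-UIDH replacing a bogus client-supplied value) shows up. The host name, header values and function names are constructed for illustration; on loopback nothing sits in the path, so the result there is empty.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class EchoHeaders(BaseHTTPRequestHandler):
    """Test endpoint: returns the request headers exactly as they arrived."""
    def do_GET(self):
        body = json.dumps(self.headers.items()).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet

def added_in_transit(sent, received):
    """Headers the server saw that the client did not send, or sent with another value."""
    sent_lc = {name.lower(): value for name, value in sent.items()}
    return {name: value for name, value in received
            if sent_lc.get(name.lower()) != value}

def fetch_received(port, sent):
    """Send only the headers in `sent` (no automatic extras) and return the echo."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True, skip_accept_encoding=True)
    for name, value in sent.items():
        conn.putheader(name, value)
    conn.endheaders()
    received = json.loads(conn.getresponse().read())
    conn.close()
    return received

def loopback_check():
    """Run client and echo server on loopback, where nothing is in the path."""
    server = HTTPServer(("127.0.0.1", 0), EchoHeaders)
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    # Constructed values; the client deliberately sends its own bogus X-UIDH.
    sent = {"Host": "test.invalid", "User-Agent": "uidh-check", "X-UIDH": "bogus"}
    try:
        return added_in_transit(sent, fetch_received(server.server_port, sent))
    finally:
        worker.join(timeout=5)
        server.server_close()

if __name__ == "__main__":
    print("loopback:", loopback_check())
```

To test a real connection, the echo endpoint has to be reachable over plain HTTP from the mobile network, with Wi-Fi turned off as the post notes.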

Monday, April 7, 2014

Visualization Intern & Res. Sci. Positions @ IBM Watson & Research, Cambridge MA

Update: The positions are no longer available.

IBM's Watson Group (Cambridge, MA) is looking to hire several summer Research Interns and Research Scientists to join the Cognitive Visualization Lab. We are looking for candidates with a research track record in Information Visualization, preferably with experience in Human-Computer Interaction, decision-making processes, and social sciences.
Our research group aims to advance the state of the art on visual analytics. We are an interdisciplinary group comprised of computer scientists, data scientists, social network analysts, and designers. We are working on a diverse set of truly fascinating projects, including pure Research and Development (R&D)/papers (VIS/InfoVis/VAST, CHI, EuroVis), applied mathematics, developing prototypes for the most important industries in the world, and gallery installations. These positions would be working directly with Cody Dunne and Mauro Martino.
Our laboratory is located a few minutes from the MIT campus in an inclusive and friendly work environment. Despite being small geographically, Boston has 58 colleges and universities and hosts a vibrant academic atmosphere.

Research Keywords

Information Visualization, Data Science, Big Data Analytics, Information Design, Social Computing, Network Analysis, Human-Computer Interaction, Cognitive Science

Key Responsibilities

  • Design, implement, and evaluate a novel visual analytics prototype following user-centered design principles.
  • Investigate creative Human-Computer Interaction systems for deeper levels of expression and engagement.
  • Publish and present results to both the academic community and to non-scientists.

Internship Postings

Research Scientist Postings