"...not a reliable way for a user to express their desire..."
January 15, 2015 12:53 PM   Subscribe

Late last year, a number of outlets reported that both AT&T and Verizon Wireless were injecting customer-identifiable, permanent tracking cookies into web requests. After this activity was made public, AT&T ceased injecting the cookies, claiming that they were only testing the practice. Verizon, however, did not. Now, computer scientist and lawyer Jonathan Mayer at Stanford University has reported that Verizon's advertising partner The Turn is using these super cookies to re-instate tracking cookies after a user clears their browser cache.

The general counsel and Chief Privacy Officer for The Turn responded to the reports on the company blog, stating:
Clearing cookies is not a reliable way for a user to express their desire not to receive tailored advertising, and Turn absolutely respects a consumer’s opt-out preference when expressed in the only way the online ad industry is sure to recognize.
Meanwhile, Verizon allows customers to "opt out", but doing so only opts them out of having even more of their information provided to advertisers. The tracking cookies remain, and can be consumed by 3rd parties such as The Turn, with no way to remove them.
posted by tocts (101 comments total) 31 users marked this as a favorite
Ah, Verizon. You keep giving and giving.
posted by C.A.S. at 12:54 PM on January 15, 2015 [3 favorites]


What a bunch of fuckers. To the developers and IT folk who implemented this, I say: what the fuck are you doing? Jobs in tech are just not that hard to come by, and when the business people ask you to do something like this, you should tell them to fuck off.
posted by Aizkolari at 12:59 PM on January 15, 2015 [20 favorites]


"Saying no is not a reliable way for a user to express their desire not to have my boot on their face, and Turn absolutely respects a consumer's opt-out preference when expressed in the only way the jackbooted thug industry is sure to recognize — but let's not dwell on specifics, shall we?"

What is the only way to opt-out? Staying off the Internet completely? Using TOR and TAILS?
posted by flippant at 12:59 PM on January 15, 2015 [4 favorites]


Please don't blame the developers and IT folks for this.
posted by oceanjesse at 12:59 PM on January 15, 2015 [24 favorites]


Chief Privacy Officer for The Turn responded

Haven't seen a job title that oxymoronic in a while. Basically he's Chief Henhouse Protector for The Foxes, Inc. — and indeed, unsurprisingly, the guy's chief professional competency does appear to be fluency in Newspeak.

those are some awful weird Italics
posted by RogerB at 1:01 PM on January 15, 2015 [3 favorites]


Please don't blame the developers and IT folks for this.

I didn't mean to blame them; clearly the fault lies with whoever came up with the idea, not the men and women who wrote the code to make it happen. I guess I was thinking more along the lines of how cool it would be if tech workers had a code of conduct like physicians do.
posted by Aizkolari at 1:07 PM on January 15, 2015 [9 favorites]


What is the only way to opt-out? Staying off the Internet completely? Using TOR and TAILS?

Basically, yes. That, or VPN to a gateway outside of Verizon's network.
posted by indubitable at 1:07 PM on January 15, 2015 [2 favorites]


Turn absolutely respects a consumer’s opt-out preference when expressed in the only way the online ad industry is sure to recognize.

Which is what -- a brick through the lobby window at Turn corporate headquarters? Turn CEO's car going up in a ball of fire? I bet the online ad industry would recognize those. Of course, those actions would be wrong, and no one should perform such recognizable acts.
posted by Kirth Gerson at 1:08 PM on January 15, 2015 [21 favorites]


So do I need to now assume that this is happening with all networks, and Verizon is just unlucky enough to get found out first?
posted by cubby at 1:10 PM on January 15, 2015 [1 favorite]


No, this is something anyone running a server can easily detect. As explained in the FPP, AT&T discontinued the practice, and Verizon is currently the only (wireless, U.S.) provider doing this.
posted by RobotVoodooPower at 1:17 PM on January 15, 2015 [2 favorites]


And the fact that anyone can detect this cookie is the diabolical thing. It means any two websites can share data to tell if a given user is the same person, if that user connects to both sites over HTTP on Verizon Wireless.
posted by RobotVoodooPower at 1:21 PM on January 15, 2015 [3 favorites]


I wonder if there are any tools for rooted/jailbroken phones to disable this.
posted by exogenous at 1:27 PM on January 15, 2015


Please don't blame the developers and IT folks for this.

Just following orders!
posted by Mayor Curley at 1:32 PM on January 15, 2015 [45 favorites]


No, this has nothing to do with the phone, it happens on the network.
posted by indubitable at 1:33 PM on January 15, 2015


~Please don't blame the developers and IT folks for this.
~I didn't mean to blame them; clearly the fault lies with whoever came up with the idea, not the men and women who wrote the code to make it happen.


You do understand that the idea to do this very likely involved meetings with developers in the first place, right? At some point, "I was just doing my job" ceases to cut it. These seemingly infinite tracking, spying, monitoring, etc. technologies aren't being brainstormed by middle managers who only then hand it off to actual techs. Techs are involved in the brainstorming from the get-go. Sometimes, shit like this actually IS the idea of a developer.
posted by Thorzdad at 1:34 PM on January 15, 2015 [31 favorites]


EFF has a little more info on how the supercookies work.
posted by peeedro at 1:36 PM on January 15, 2015 [2 favorites]


I wonder if there are any tools for rooted/jailbroken phones to disable this.
Sadly, the best tool is to go get (or host, if you're so inclined) a VPN service and make sure your phone is configured to always, always use the VPN. Verizon can't inject HTTP headers into your traffic if all your traffic through their part of the connection is encrypted.
posted by introp at 1:46 PM on January 15, 2015 [1 favorite]


Clearing cookies is not a reliable way for a user to express their desire not to receive tailored advertising, and Turn absolutely respects a consumer’s opt-out preference when expressed in the only way the online ad industry is sure to recognize.

The way to opt out is to cancel your Verizon service and then clear your cookies.

Another option may be to clear your cookies and then refuse to use anything but https.
posted by aubilenon at 1:49 PM on January 15, 2015 [1 favorite]


I'm saying that we shouldn't blame the IT people because they aren't breaking the law. They're doing their jobs. We should blame the laws that allow people to do things like this. The people that make the laws aren't doing their jobs. Ultimately the laws are where the incentives are going to have to come from.
posted by oceanjesse at 1:50 PM on January 15, 2015 [2 favorites]


I was under the impression that not every site uses HTTPS.
posted by teponaztli at 1:50 PM on January 15, 2015


Just go through the normal VPN process or is there something else that needs to be done so that privacy is assured enough? I am on AT&T but plenty of students are on Verizon.
posted by jadepearl at 1:54 PM on January 15, 2015


The way to opt out is to cancel your Verizon service and then clear your cookies.

Not necessarily:
Because the header is injected at the network level, Verizon can add it to anyone using their towers, even those who aren't Verizon customers. Notably, Verizon appears to inject the X-UIDH header even for customers of Straight Talk, a mobile network reseller (known as an MVNO) that uses Verizon's network. Customers of Straight Talk don't necessarily have a relationship with Verizon.
posted by peeedro at 1:56 PM on January 15, 2015 [2 favorites]


Customers of Straight Talk don't necessarily have a relationship with Verizon.

Customers of Straight Talk don't know how cell phones work if they think they don't have a relationship with one or more of the four carriers.
posted by straight at 1:59 PM on January 15, 2015 [4 favorites]


They're doing their jobs.

Some jobs shouldn't be done.

(I don't think anyone wants to live in a society where everyone operates under pure profit maximization bounded only by a finite set of laws. Law is a backstop to conscience, not a replacement.)
posted by PMdixon at 2:04 PM on January 15, 2015 [24 favorites]


Clearing cookies is not a reliable way for a user to express their desire not to receive tailored advertising, and Turn absolutely respects a consumer’s opt-out preference when expressed in the only way the online ad industry is sure to recognize.

I completely agree. I hope Mr. Ochoa enjoys the new service in which I have enrolled him, wherein I drive a Ford E350 onto his lawn every night and release three dozen feral cats in heat onto his front lawn. Time was, just screaming "Oh, god, no, what are you doing?" or "Get out of here before I call the cops!" out the window would suffice to opt out of this exciting advertising opportunity, but these are more dynamic times we're living in. Now he'll have to express a more affirmative desire to opt out, by wearing his underwear on his head every time he leaves the house. (It's all explained in Ch. 9, §§ 1 of the EULA, Mr. Ochoa... I'm sure you've read it in its entirety)
posted by Mayor West at 2:07 PM on January 15, 2015 [41 favorites]


Just following orders!

Well, just cashing a paycheck, anyway.
posted by a lungful of dragon at 2:14 PM on January 15, 2015


Wearing one's underwear on one's head is not a reliable way to express the desire not to have three dozen feral cats and a Ford E350 on one's lawn. Once Mr. Ochoa works out the industry standard way to express that preference, you can implement it, Mayor West.
posted by The Bellman at 2:15 PM on January 15, 2015 [1 favorite]


Turn absolutely respects a consumer’s opt-out preference when expressed in the only way the online ad industry is sure to recognize.

Written on the back of a hundred-dollar bill, presumably.
posted by Kadin2048 at 2:17 PM on January 15, 2015


What is the only way to opt-out?

Carrying on with the blog post:

"When a consumer opts out – either through the industry standard tools provided by the DAA or the NAI, or through Turn’s own opt-out – the record of that choice is preserved on Turn’s servers. Subsequently, when Turn receives a bid request associated with that cookie or UID, Turn will see the opt-out flag associated with that ID and will never submit a bid for an online behavioral advertising (OBA) campaign.

At Turn, we always use the most stable identifier available to inform our bidding and campaign execution. In the case of Verizon devices, we use the non-cookie UIDH identifier."

Which to me is largely gibble-gabble, and I have no idea if it means much of anything.
posted by nubs at 2:37 PM on January 15, 2015


Just following orders!

I don't do this kind of work, but if I did, I'd do it extra hard if people tried to compare inserting headers into an HTTP transaction to systematically murdering 12 million human beings.
posted by sideshow at 2:39 PM on January 15, 2015 [14 favorites]


All this data tracking goes on, and I still haven't seen much actual evidence that it benefits them much in terms of selling shit (I assume this is the stated reason to do it). It's just such massive evil overkill. The NSA, at least, has Evil Overkill in their mission statement, but Verizon is a phone company with shitty customer service (I'm told) and whoever they're selling my data to doesn't really seem to know what to do with it in terms of getting me to buy shit. Maybe I'm an outlier, but I find it easier to believe that the telecoms just have these really powerful tools but no idea how to really use them, and when they do have ideas, they're creepy and stupid and still don't work.

It's just insult to injury, is what I'm saying. It's like someone stalking you for a year just so they can ask you to buy a timeshare that you still aren't going to buy. Because while they know (or suspect) you don't want a timeshare, thanks to the stalking, their boss told them to sell timeshares to you.
posted by emjaybee at 2:41 PM on January 15, 2015 [1 favorite]


I don't do this kind of work, but if I did, I'd do it extra hard if people tried to compare inserting headers into an HTTP transaction to systematically murdering 12 million human beings.

I don't think the internet is somewhere people want to see extra hard head insertion.
posted by srboisvert at 2:49 PM on January 15, 2015 [2 favorites]


if people tried to compare inserting headers into an HTTP transaction to systematically murdering 12 million human beings.

But this kind of work is what makes bigger things possible. The Nazis were fiends for paperwork, and could not have run death camps without a very elaborate bookkeeping system. It was all very state of the art for the day. And of course this is what you'd need to pull off something like the blanket confiscation of funds, cancellation of marriages, and roundup of the newly minted criminal heretic class as depicted in The Handmaid's Tale.
posted by localroger at 2:57 PM on January 15, 2015 [3 favorites]


I have a hard time believing that some IT person at Verizon is so much more of a cog in the machine of evil than the average member of a public that's been willing to let this sort of thing happen again and again and again, even when it comes to things like intelligence services spying on elected officials or, like, reacting at all to the Snowden revelations beyond nodding sagely and assuring everyone that they knew it was happening all along.

The average person needs to actually be making a fucking effort on their own to obstruct ubiquitous surveillance before someone else can be expected to give up their livelihood for the sake of said average persons being shielded from surveillance.

Or, what sideshow said.
posted by XMLicious at 2:58 PM on January 15, 2015 [5 favorites]


All this data tracking goes on,

But downloading movies is punishable by death. Funny.
posted by phaedon at 3:10 PM on January 15, 2015 [1 favorite]


Well, you see, it's like me helping to design a better cluster bomb. I'm not literally stacking bodies like cordwood and dumping them into ovens while wearing SS insignia, so clearly there are no ethical considerations involved.
posted by indubitable at 3:37 PM on January 15, 2015 [5 favorites]


I don't do this kind of work, but if I did, I'd do it extra hard if people tried to compare inserting headers into an HTTP transaction to systematically murdering 12 million human beings.

I don't think the internet is somewhere people want to see extra hard head insertion.

Rule 34 would seem to suggest otherwise.
posted by ActingTheGoat at 3:41 PM on January 15, 2015 [6 favorites]


Don't give money to Verizon. Don't use Verizon services. Stop validating their practices.
posted by Bovine Love at 3:47 PM on January 15, 2015 [1 favorite]


The Nazis were fiends for paperwork...

So is the FDA in order to prove that the peanut butter you eat is made from peanuts and not cardboard. Record keeping is really really good, and like most things, it can be used poorly.

Also, I think we overestimate the power of developers in this scenario. If the development team or director at Verizon said "No, I am not doing this," I imagine the response would be "how do you propose we make money, software boy?" or "you're fired." Telling someone to quit because of non-optional tracking is a good moral stance, but it's hard to find work anywhere, and even if it's relatively easy for software people, it's still demoralizing to be unemployed, worried that your boss will slander you to his/her colleagues, and to come home and tell your spouse & kids that you don't make money anymore because you're fighting the good fight.

The ubiquity of advertising is a textbook definition of a banal evil and we should resist it, but I don't think global enslavement is inevitable because of these decisions.
posted by Turkey Glue at 3:50 PM on January 15, 2015 [6 favorites]


So is the FDA in order to prove that the peanut butter you eat is made from peanuts and not cardboard. Record keeping is really really good, and like most things, it can be used poorly.

Do you intend to compare telecom companies tracking their users with the FDA tracking food products, for moral purposes?
posted by LogicalDash at 3:51 PM on January 15, 2015 [1 favorite]


Mayor Curley: "Just following orders!"

By that logic, let's blame the computers!

oceanjesse: "We should blame the laws..."

My mistake... let's blame the orders!
posted by Riki tiki at 3:58 PM on January 15, 2015


I kid, but my point is that blame is a very slippery concept...
  1. Blaming a non-human entity (including an abstract idea) loses its meaning.
  2. Blaming too many people loses its focus.
  3. Blaming others while being partially culpable yourself loses its purity.
  4. Blaming people who are completely innocent loses its validity.
  5. Blaming people who can make a believable claim of complete innocence loses its momentum.
  6. Blaming people who can frame others for their actions loses its credibility.
  7. Blaming people who can claim they acted under coercion loses its resonance.
  8. Blaming people with wildly varying levels of guilt loses its fairness.
  9. Blaming anyone for something that the public doesn't understand loses its outrageousness.
  10. Blaming people who are definitively, provably guilty and you usually have no one left to blame.
None of which is to say that blame is useless. It's an exercise, and one that can have productive or counterproductive results depending on whether you use it wisely:

Whistleblowers often have to sacrifice the "purity" of the accusation just to alert others to the problem in the first place. Unfortunately, it's often considered tattling, snitching or playing the "blame game", all of which carry a lot of stigma for the accuser and undermine the weight of the accusation (not to mention the risk of retaliation).

Blaming an abstract concept can bring awareness to the issue, putting pressure on those who are directly or indirectly responsible for the problem.¹ But otherwise, what's the meaning? When people say "blame the laws", what does that amount to in practice? Should you blame the legislators? The lobbyists? The voters? The media? The lobbyists for paying for the media to influence the voters to elect the legislators?

Even one of the most repulsive examples from my list — blaming people who can frame others — can be useful. It requires the guilty to spend some effort and capital to defend themselves, and in the common case of scapegoating a subordinate, it reduces other subordinates' willingness to throw themselves under the bus (or naiveté that they wouldn't be thrown under it).²

So where does that leave us in this situation with Verizon? Well, in my opinion:
  1. It brings attention to an issue that people didn't know about.
  2. The blame is focused on a few organizations, and a few subsets of people within those organizations.
  3. The people calling attention to it are not culpable.
  4. No one being explicitly blamed can be considered "completely innocent".
  5. Some who are being explicitly blamed can probably (believably) claim that they're completely innocent, barring a leak of internal documents.
  6. Some being blamed can easily frame others for the decision, barring a leak of internal documents.
  7. Some being blamed (developers) can claim that they're acting under coercion, though that is mitigated by the fact that no one who is capable of implementing this would have trouble finding employment elsewhere.
  8. The set of people being blamed is (due to the note in #7) within a reasonable range of culpability.
  9. No one understands tracking cookies, so why should they feel offended?
  10. If this became a legal issue I suspect it'd be easy to find people who are provably to blame. But because of point #9, it likely wouldn't have any political pressure to go that far.
Based on the above, I think it's reasonable to believe that this situation has some legs. I would've been more pessimistic, but internet outrage managed to make some real progress towards net neutrality.³

I think in the post-Snowden era it's easy enough to explain to people "Verizon is tracking you, they're letting other people track you, there's pretty clearly no justifiable reason for it, and you're powerless to stop it without drastic financial or political measures."

It's a bit ridiculous to think we won't eventually address the benefit of having physical wires between you and your internet provider, or that we won't eventually have end-to-end encryption for virtually every online interaction. It's an indictment of our current economic system that companies like Verizon and Comcast behave the way they do when (with even a modicum of ethical behavior) they could have a positive foothold in the next generation — and therefore long-term sustainability — by name recognition alone.

¹ The rhetorical impact of blaming "rape culture" or "racism" are great examples: the gravity of the accusation can make powerful people fear being associated with it. However, it takes a lot of thankless dedication to cultivate that into something productive; people will ignore you, laugh at you, and fight you, and then maybe you win.
² In our current culture, though, even clear cases of scapegoating often fade from memory quickly, and people often consider themselves the "exception" who won't get chosen for sacrifice by the powerful. I think this is part of a major spiritual crisis in American society.
³ In the short term, at least. I have doubts about the long-term health of net neutrality unless people really start understanding what it means.
posted by Riki tiki at 3:58 PM on January 15, 2015 [9 favorites]


I think it is entirely appropriate to hold the developers responsible for doing this. It's almost inconceivable that someone was able to get approval to add headers to every HTTP request going over the network without some input from the technical side. It's entirely unethical and they are the people who should know better. As someone mentioned up the thread, it's likely that the engineers and ops people who put this together were tightly integrated with if not the originators of this project.

This is an example indicative of a broader problem in technology development and software engineering; that practitioners consider themselves immune from charges of unethical conduct. It's absurd to expect that individual citizens are as responsible for the integrity of a bridge that they pass over as the civil engineers who designed it. Likewise, it's horseshit to expect users to be responsible for obscure changes to network infrastructure that they rely on.

Thumbing through the IEEE Code (thanks valrus):
Principle 1 PUBLIC Software engineers shall act consistently with the public interest. In particular, software engineers shall, as appropriate:

1.01. Accept full responsibility for their own work.
The fact that people might have to sacrifice their livelihoods to stop this sort of thing from being implemented is exactly the reason that ethical standards need to exist. Saying "Attaching persistent unique identifiers to all the communications that our subscribers send over the web which are readable by anyone on a network the communication traverses as well as at any endpoint the subscriber communicates with is an unprecedented compromise of the subscribers' expectations to privacy and we shouldn't build it" should never be something that would get you fired without a substantial wrongful termination settlement. People should get fired for building it.

In addition, the engineers on this project almost certainly violated:
1.04. Disclose to appropriate persons or authorities any actual or potential danger to the user, the public, or the environment, that they reasonably believe to be associated with software or related documents.

1.05. Cooperate in efforts to address matters of grave public concern caused by software, its installation, maintenance, support or documentation.
...
3.03. Identify, define and address ethical, economic, cultural, legal and environmental issues related to work projects.
...
3.13. Be careful to use only accurate data derived by ethical and lawful means, and use it only in ways properly authorized.
...
4.01. Temper all technical judgments by the need to support and maintain human values.
...
6.01. Help develop an organizational environment favorable to acting ethically.
...
6.10. Avoid associations with businesses and organizations which are in conflict with this code.

6.11. Recognize that violations of this Code are inconsistent with being a professional software engineer.

6.12. Express concerns to the people involved when significant violations of this Code are detected unless this is impossible, counter-productive, or dangerous.

6.13. Report significant violations of this Code to appropriate authorities when it is clear that consultation with people involved in these significant violations is impossible, counter-productive or dangerous.
That's not to say it isn't consumers' responsibility too to vote with their wallets, but when it comes to a high paying profession with a hot job market, methinks some protest too much.
posted by ethansr at 4:08 PM on January 15, 2015 [10 favorites]


It doesn't take much effort for IT managers to work around developers' hesitation about creating things like this. It starts by getting one developer to implement a generic header insertion feature with no fixed purpose. Then they get another to write a user cookie generator. Then they find a third to write some very simple glue code (or even just a config file) that merges them together. The developers might be told "it's only for a small-scale trial", or "it's just a proof of concept", or whatever.

(I am being charitable and assuming the developers would object, but I've certainly met some that would implement the whole thing without a second thought)
posted by grahamparks at 4:18 PM on January 15, 2015 [4 favorites]


Of course, that IEEE Code is essentially a random document. It has no authority, 99% of engineers have never read or agreed to it, etc. Very different than doctors or civil engineers or whatever.

Which to me is largely gibble-gabble, and I have no idea if it means much of anything.

Here's what they're saying --- normally, you have 2 options for avoiding IBA (interest-based advertising, AKA personalized ads). You can register your "opt out" by setting a cookie in your browser (by going to NAI, for example -- which will show you something like "These 26 member companies have enabled Online Behavioral Ads for this web browser." and allow you to opt out).

In that method, you are registering an affirmative desire to not be tracked, which is stored in your browser and sent along with an ad request (page load, essentially) as a "cookie". Member companies are supposed to see that ID and say "oh, this person doesn't want us to store or use data about them when picking an ad" and pick it based on non-personal factors (what site you're on, what content you're looking at, etc).

There's another, fairly simple method --- which is to always clear cookies or use a "privacy mode" in your browser, like Incognito Mode in Chrome. Because this clears your cookies every browser session, it prevents them from being able to track you across time. The advantage of this method is it works even if a company is being unethical and not following your opt-out directive.

What Turn is saying is "hey, we follow opt-out, trust us". Which, maybe they do. But because they use this Verizon-inserted cookie that you can't control from your browser, your ONLY method of opting out is (1); using privacy mode will not work as it normally would. So now you have to trust them that they are actually obeying that directive.
posted by thefoxgod at 4:32 PM on January 15, 2015 [1 favorite]
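As an added illustration of the two opt-out paths thefoxgod describes, and of RobotVoodooPower's point upthread that any server can see the injected header on its own requests, here is a small model written for this page (not code from the thread, Verizon, Turn or the EFF). Only the X-UIDH header name comes from the thread; the cookie names, host, subscriber label and identifier values are made up.

```python
from dataclasses import dataclass, field
import secrets

UIDH_HEADER = "X-UIDH"          # header name reported in the thread
OPT_OUT_COOKIE = "oba_opt_out"  # hypothetical name for the industry opt-out cookie
ID_COOKIE = "tracker_id"        # hypothetical name for the ad server's own cookie

def parse_cookies(header_value):
    """Split a Cookie header ('a=1; b=2') into a dict."""
    pairs = (p.strip().split("=", 1) for p in header_value.split(";") if "=" in p)
    return {name: value for name, value in pairs}

@dataclass
class Browser:
    """Browser state; clear_cookies() models privacy mode or a manual clear."""
    cookies: dict = field(default_factory=dict)

    def clear_cookies(self):
        self.cookies.clear()

    def request(self, host):
        headers = {"Host": host}
        if self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        return headers

class Carrier:
    """Network that injects one stable header per subscriber into plaintext HTTP.
    Encrypted traffic (HTTPS, or anything inside a VPN) passes through untouched."""

    def __init__(self):
        self._ids = {}

    def forward(self, subscriber, headers, encrypted=False):
        if encrypted:
            return dict(headers)
        uid = self._ids.setdefault(subscriber, secrets.token_urlsafe(12))
        return {**headers, UIDH_HEADER: uid}

class AdServer:
    """Turn's policy as the thread quotes it: opt-outs are stored server-side
    against the identifier, and the most stable identifier available wins."""

    def __init__(self):
        self.opted_out = set()

    @staticmethod
    def identifier(headers, cookies):
        if UIDH_HEADER in headers:               # injected id beats any cookie
            return "uidh:" + headers[UIDH_HEADER]
        if ID_COOKIE in cookies:
            return "cookie:" + cookies[ID_COOKIE]
        return None

    def handle(self, headers):
        """Return (identifier, targeted, set_cookie) for one bid request."""
        cookies = parse_cookies(headers.get("Cookie", ""))
        ident, set_cookie = self.identifier(headers, cookies), None
        if ident is None:                        # no id at all: mint a cookie
            set_cookie = (ID_COOKIE, secrets.token_hex(8))
            ident = "cookie:" + set_cookie[1]
        if cookies.get(OPT_OUT_COOKIE) == "1":   # honour the opt-out cookie
            self.opted_out.add(ident)
        return ident, ident not in self.opted_out, set_cookie

def carrier_id_present(headers):
    """The check any site operator can run on its own incoming requests."""
    return UIDH_HEADER in headers

def visit(browser, carrier, server, encrypted=False):
    """One page load: browser -> carrier -> ad server; store any Set-Cookie."""
    headers = carrier.forward("subscriber-A", browser.request("news.example"), encrypted)
    ident, targeted, set_cookie = server.handle(headers)
    if set_cookie:
        browser.cookies[set_cookie[0]] = set_cookie[1]
    return ident, targeted, carrier_id_present(headers)

def simulate():
    """Walk through the thread's scenarios and report what each one shows."""
    browser, carrier, server = Browser(), Carrier(), AdServer()
    first = visit(browser, carrier, server)
    browser.clear_cookies()                          # privacy mode, plaintext HTTP
    after_clear = visit(browser, carrier, server)
    browser.cookies[OPT_OUT_COOKIE] = "1"            # NAI/DAA-style opt-out cookie
    visit(browser, carrier, server)
    browser.clear_cookies()                          # ...then cleared again
    after_optout = visit(browser, carrier, server)
    browser.clear_cookies()
    tunnelled = visit(browser, carrier, server, encrypted=True)   # HTTPS or VPN
    return {
        "same_id_after_clear": first[0] == after_clear[0],   # X-UIDH survives the clear
        "targeted_after_clear": after_clear[1],              # so clearing changed nothing
        "targeted_after_optout": after_optout[1],            # False, but only on trust
        "same_id_when_encrypted": first[0] == tunnelled[0],  # fresh cookie id instead
        "carrier_id_seen": first[2],
        "carrier_id_seen_encrypted": tunnelled[2],
    }
```

Calling simulate() returns the six booleans; the "targeted_after_optout" one is the point of the comment above: it only comes out False because the modelled server chooses to honour the stored opt-out.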


Copyright © 1999 by the Institute for Electrical and Electronics Engineers, Inc. and the Association for Computing Machinery, Inc.

"Copyright 1999. Hmmm, good-intentioned or not, that hacker ethos is long dead. That's kind of a downer."
posted by RobotVoodooPower at 4:39 PM on January 15, 2015 [1 favorite]


To what extent has the idea of a legally binding professional / ethical code of conduct been discussed, out of interest? By whom? Would it fly? Seems necessary.
posted by cotton dress sock at 4:43 PM on January 15, 2015


We'd need a union or other trade organization with real power before we could have the leverage to adopt any formal code of professional ethics, but those kinds of organization don't seem to get political traction anymore because we're all such rugged individualists now.
posted by saulgoodman at 5:05 PM on January 15, 2015 [2 favorites]


Also Libertarianism would have to not be rampant among IT people.
posted by Pope Guilty at 5:07 PM on January 15, 2015 [13 favorites]


Please don't blame the developers and IT folks for this.

It's addressed above, but... why not blame the people who wrote this? I'm a little irritated by the idea that developers and IT folks are just blameless drones who are only tools of management. Someone wrote this, and then probably got a raise or a promotion... and that's why they wrote it!
posted by elwoodwiles at 5:07 PM on January 15, 2015 [2 favorites]


when expressed in the only way the online ad industry is sure to recognize.

So... putting the severed heads of dead horses in the beds of all the relevant executives and board members, right?
posted by weston at 5:08 PM on January 15, 2015


Do the people who set up web sites for companies large and small and include the analytics and advertising network code in their pages, the code that does the tracking and actually builds a database from identifiers like the one discussed in the OP, need to quit their jobs?

How about people who work for a company that would include such tracking code on their corporate web site? Do those people have to quit their jobs? Do they need to go so far as to vocally insist that their employers not track visitors to the company web site? Are they even obligated to simply try to find out and be conscious of to what extent their own company's web site(s) and the enterprise and industry they've involved themselves in track web visitors, or is that asking too much?

This isn't analogous to wrongs against victims of the criminals tried at Nuremberg or innocent people being bombed. This is like a situation where all of the people being bombed are being bombed by their own democratic government and their own country's companies which they themselves patronize, know ahead of time that there's going to be constant bombing everywhere they live and travel, and also work for a firm that not only consumes bombs itself but makes money from the bomb industry, and those people still expect others involved in the technical design of the bombs to quit their jobs. It's like a citizen of the United States excoriating someone for working at a petroleum company.
posted by XMLicious at 5:08 PM on January 15, 2015 [2 favorites]


Also, when developers do good they're treated like 'rugged individualists' but when they do bad 'they're just following orders.' Can't have that one both ways, kids.
posted by elwoodwiles at 5:09 PM on January 15, 2015 [1 favorite]


You do know that the NSA already sniffs ad cookies to locate hacking targets, right? Not really a stretch to assume they really like these cookies too?

I'm curious who is going to enforce this new lawful-good code of conduct. Starfleet Command?
posted by RobotVoodooPower at 5:12 PM on January 15, 2015 [1 favorite]


it's likely that the engineers and ops people who put this together were tightly integrated with if not the originators of this project.

To go Godwin in another direction, Ted Taylor (the man who developed miniaturized atomic weapons like the Davy Crockett shell) quit nuclear weapons research in 1966 because...
It all starts with that devilishly creative act of imagining something which is infinitely destructive. Then they go to Franklin Roosevelt or Harry Truman or Ronald Reagan and say, "Here's this thing, do you want that?" The answer is invariably, "You bet we do!"
posted by localroger at 5:14 PM on January 15, 2015 [2 favorites]


I've given up on expecting people to act in good faith. Most people are willing to go along to get along and not risk their jobs over things. A little petit tyranny goes a long way.
posted by mikelieman at 5:29 PM on January 15, 2015


I printed a couple related EFF articles for my dad, who is a diehard Fox News fan and staunch opponent of net neutrality. IOW, clueless.

He's also a long-term Verizon customer - and quite incensed over this! Fox News has, to their credit, instilled a concern in him for his privacy, and he already runs some anti-tracking browser plugins. He intends to lodge a complaint with Verizon and threaten to take his business elsewhere. Good for him!

I also advised him to take the printouts to work, where he consults for a large company who does a lot of business with Verizon. I hope he does so.

Don't discount the lay public's awareness of the Orwellian threat of big business and/or gov't tracking. Even my dad is on our side here. He just needed me to bring it to his attention.

Tell every person you know about this, especially if they do business with Verizon in any way.
posted by MoTLD at 5:30 PM on January 15, 2015


Surely you people realize that the IT work for this was outsourced to Java developers in India. Developers who give zero fucks about your cookie insecurities.

This is Verizon we're talking about, not Etsy.
posted by swift at 5:46 PM on January 15, 2015 [5 favorites]


Also Libertarianism would have to not be rampant among IT people.

While there are some high-profile examples, 90-95% of IT people I have met/worked with are not libertarians. This stereotype is way overblown. I'd say the majority are center-left (US center-left, like Clinton, not global center-left), with the rest kind of scattered around the spectrum (certainly including libertarians).

Entrepreneurs do seem to be much more heavily libertarian, especially in SV. But actual devs? In a couple decades I have met some but they're not so common as people think.
posted by thefoxgod at 5:58 PM on January 15, 2015 [5 favorites]


Who cares about libertarians here? If you aren't going to face a fine or jail time for doing stuff like this, people are going to do it, and do it at scale, and make money doing it!
posted by oceanjesse at 6:06 PM on January 15, 2015 [1 favorite]


I'm declaring my browser a Sovereign Citizen and charging rental space for cookies used with an exponentially accumulating payment surcharge based on time.

That can't possibly go wrong and will be 100% effective.
posted by nfalkner at 6:11 PM on January 15, 2015 [5 favorites]


Hey man, if you can get them to sign the EULA on your cookie cache, more power to you (Literally).
posted by I-Write-Essays at 6:16 PM on January 15, 2015


The fact the IEEE/ACM Ethics Code carries no weight is exactly the problem. It's written (I won't argue well, but at least competently) as if their members are responsible adults who work in a profession that people's lives and livelihoods depend on and so requires extra ethical scrutiny.

I'm not saying that every full stack ninja/rockstar/|-|4X0R at a startup should be required to have a License to Code stuck in the band of their fedora, but that the person who gets to choose whether or not to put a unique subscriber id in every http request on one of the largest mobile networks in the country has a slightly different level of responsibility.

I do believe that some advertising data collection practices are unethical, but that shouldn't be construed as saying the entire field is unethical. For example, Gmail's "robots reading your mail vs almost unlimited storage and really nice UX" is a bargain that many people (including me) are perfectly happy with, although some are not.

A problem arises, like it did with Hulu/Kissmetrics/friends/etc, when you purposefully work around people's efforts to avoid tracking. This AT&T + Verizon work is even more pernicious because it transparently attaches an ID which is associated with a particular subscriber regardless of what IP addresses they are assigned, what browser, or even what machine they used.

As RobotVoodooPower mentioned, that means that if third parties are watching your traffic, you only need to occasionally accidentally access a resource over HTTP for them to associate your HTTPS communications with your subscriber id, not to mention other protocols. Of course that takes a great deal of uncertainty out of the work of whoever is tracking you.

And this happened for two years before anyone really noticed. Keep that in mind when you think about this. It's not like this is something that no one had time to consider the consequences of. This was purposeful: it was implemented in some of the most sensitive infrastructure the company has, it was implemented in way that would be difficult to detect, and it was implemented in a way that is impossible to prevent.
posted by ethansr at 6:27 PM on January 15, 2015 [4 favorites]


Speaking of being impossible to prevent... I have an iPhone on Verizon Wireless, and I used that site to check if I was emitting a UIDH, and it said I had none, so... did I just fail to detect it, or is it not universally applied?
posted by I-Write-Essays at 6:44 PM on January 15, 2015 [1 favorite]


I would 100% quit a coding job if my job was to do this kind of heinous shit. After figuring out how to do it, because it's an interesting technical challenge to be that diabolical.
posted by empath at 7:01 PM on January 15, 2015 [2 favorites]


Libertarianism, btw, is far more common among IT executives and investors than it is among people like sysadmins and coders.
posted by empath at 7:03 PM on January 15, 2015 [1 favorite]


I-Write-Essays, the first (Wired) link says that it didn't happen on all connections, but Verizon couldn't tell them why or why not. EFF speculates it's limitations of equipment.

empath, that's the spirit!
posted by ethansr at 7:06 PM on January 15, 2015 [1 favorite]


I have been trying to get this idea across for some time: the private sector is much less regulated than government. Government benefits from private sector overreach, by gathering information they can't legally get about people from holes in business.

I noticed in the last two days that clearing private data doesn't work in Firefox when I choose Quit, like it says it will. For a long time I have left off browsing by entering "clear private data" as a search; when that comes up, I choose Settings, Privacy, then Clear private data. Then I back out to the browser and choose Quit. When I go back to Firefox, I have no history. This is on an Android phone. For a while choosing Quit would erase everything, but not today.

This may be different than the super cookies thing, but I think it might be evidence of it.

All that data to make sure the corporations are safe.
posted by Oyéah at 7:08 PM on January 15, 2015


I-Write-Essays: It was supposedly disabled the first time the brouhaha surfaced.

I don't know about Verizon, but AT&T's equivalent was never any kind of secret. It was in their openly accessible developer documentation. At least they (the new AT&T, née Cingular) didn't have the exposed capability that AT&T Wireless had of getting the subscriber's telephone number with a DNS lookup. And to be fair to both of them, when they first implemented the header back in the early 2000s it was intended to be helpful to subscribers in that it provided a way to avoid having to repeatedly log in to websites once they associated your UID value and account, which was actually quite helpful when all we had for text input was T9. Also, the privacy implications were not stupidly obvious at the time given the as-yet-underdeveloped state of the ad networks. This was before AdSense was even a thing.

At the time, on Cingular anyway, you could even avoid the tracking header by not using their proxy. Of course, the image compression provided by their proxy was rather useful given that typical downlink speeds were below 64Kbps at the time, and often less than half that. (And even worse on providers using Qualcomm's CDMA stuff; for whatever reason they were always a day late and a dollar short when it came to packet data despite US GSM-based providers being some of the slowest in the world to roll out upgrades)
posted by wierdo at 7:49 PM on January 15, 2015 [2 favorites]


IEEE Software Engineering Code Of Ethics

Too bad the web industry pretty much stopped using software engineers. The terms you are looking for are full-stack-ruby-and-jquery-dev and python-coder-for-cloud-apps.

Those little shitheads didn't go to any engineering school. And have probably never heard of the IEEE, much less paid dues.
posted by j_curiouser at 8:53 PM on January 15, 2015 [1 favorite]


One of the mantras in How Designers Destroyed the World is that you should not be afraid to be fired for refusing to make the world a shittier place. Monteiro should include this if he ever updates this talk.
posted by fifteen schnitzengruben is my limit at 9:30 PM on January 15, 2015 [3 favorites]


I am stuck using Verizon because they are the only carrier with reception in the remote areas where I work, but I have no affection for them whatsoever and this news is just the icing on the cake of their shitty service.
posted by Dip Flash at 10:30 PM on January 15, 2015


much less paid dues.

I've actually been wondering if it's worth renewing my membership for ACM/IEEE, now that I'm not able to get away with student rates. Stuff like this makes it almost tempting, but there's balancing it against the cost of it vs. what I'd actually get out of it (as opposed to the symbol of it).

Man, I miss my Computer Ethics course.
posted by CrystalDave at 12:05 AM on January 16, 2015 [1 favorite]


...now that I'm not able to get away with student rates

check with your benefits person. many midsize to large firms will cover "Annual fees for one professional membership." ymmv
posted by j_curiouser at 12:09 AM on January 16, 2015


"Turn absolutely respects a consumer’s opt-out preference when expressed in the only way the online ad industry is sure to recognize" ..

.. which requires running the Tor Browser Bundle or Tails, or even using a VPN provider based outside the U.S. if you want higher performance.
posted by jeffburdges at 1:02 AM on January 16, 2015


Basically, yes. That, or VPN to a gateway outside of Verizon's network.

The problem is that the large VPN services are identified and blocked. The solution is that virtual hosts with a fuckton of bandwidth and storage are stupid cheap these days. Cypherpunks and allied white-hats need to make a pointy-clicky-swipey front end to a hardened Linux/BSD/OpenIndiana distro that's only there to provide VPN and remote data backup services. A consumer-targeted virtual security appliance.

Not a good solution for OpSec if you're doing dire deeds (like journalism), but if you'd rather commercial entities not spy on you, your own personal cloud service is the trick.
posted by Slap*Happy at 5:08 AM on January 16, 2015


Verizon blocks VPN providers on their LTE network? That's news to me.
posted by wierdo at 6:35 AM on January 16, 2015


I was thinking more generally than Verizon, to be honest - the Great Firewall and a few more restrictive national or municipal ISPs. Verizon does not (yet) clamp down on VPN providers.
posted by Slap*Happy at 7:07 AM on January 16, 2015


As Swift says. I completely agree.

- The need for this was probably identified by somebody in marketing, likely at the request of a partner (like Turn). They wanted a way to keep tracking people even after cookies were cleared.
- The spec for this was probably created by a tech/lead in the marketing group to satisfy the request from marketing.
- the work was bid out to several vendors, probably by someone in "purchasing" or "vendor management"
- somebody got the contract to build it, and I'd bet that it was outsourced to the cheapest bidder.
- that vendor pitched it to a dev group that specializes in something like Java or some other fine web programming language.
- some developer got it handed to them, wrote the code and sent to QA, where it then passed up the line and was implemented.

It's very likely that the "developer" you all are wanting to throw under the bus is some person in a third world programming house making 2 bucks an hour.

And I don't think they give two shits about some ethereal, 15 year old code of conduct written in another country that has serious implications as to whether or not they get paid their two bucks.
posted by disclaimer at 10:43 AM on January 16, 2015 [2 favorites]


localroger: The Nazis were fiends for paperwork, and could not have run death camps without a very elaborate bookkeeping system.
Most genocides don't actually require lots of paperwork, so I'm unconvinced.
posted by IAmBroom at 11:12 AM on January 16, 2015


Man, I like that IEEE code of conduct. But I've been programming for almost 20 years in lots of business environments, and I've been to various developer conferences and read a ton of books and blogs, and I've never even heard of it. So, there seems to be an adoption problem.
posted by freecellwizard at 11:45 AM on January 16, 2015


One thing I'm unclear on: I know the UIDH doesn't show up when your phone is using wi-fi, but it's still there, right?
posted by jalexei at 11:49 AM on January 16, 2015


As far as I understand, the UIDH is derived from your phone's ID as it supplies its credentials to talk to the cell towers. Then Verizon takes that info and tags it onto any HTTP request that your device initiates, translating your ID information between one handshake and the next, so you are still positively identifiable to any web service you use.

When your phone uses WiFi, it doesn't touch the cell provider's network, so there would need to be software/firmware on the device itself for it to sabotage its own anonymity and tag its own traffic. The equivalent would be if your home ISP, say, then took your cable/fios/etc login information, and modified outgoing requests so you're trackable to whoever wants to track you when your device (or any device from your home network) uses the web.
posted by tigrrrlily at 1:45 PM on January 16, 2015 [1 favorite]
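Added example, not code from the thread or from Verizon: ethansr's point above (an observer who sees one plaintext request carrying the identifier can tie the same subscriber's HTTPS flows to it, across IPs, browsers and devices) and tigrrrlily's description (the header is attached on the cellular path only, so Wi-Fi requests carry none) worked through over constructed capture records. The header name X-UIDH is the one reported in the linked coverage; the values, IPs, hosts and timestamps below are made up, and attributing a TLS flow to the most recent plaintext flow from the same source IP within a time window is an assumption about how an observer would do it, not anything the page describes.

```python
"""Link observer-side flow records by an injected X-UIDH header (added example)."""
from collections import defaultdict

UIDH_HEADER = "x-uidh"  # header name reported for Verizon's injected identifier

# Constructed records, not real captures. A plaintext HTTP flow exposes its whole
# request head; a TLS flow exposes only the server name (SNI) to someone on the path.
SAMPLE_FLOWS = [
    {"ts": 100, "src_ip": "10.0.0.5", "tls": False, "raw":
        "GET / HTTP/1.1\r\nHost: news.example\r\nUser-Agent: Mozilla/5.0 (iPhone)\r\n"
        "X-UIDH: Ab3dEf9hIjK=\r\n\r\n"},
    {"ts": 130, "src_ip": "10.0.0.5", "tls": True, "sni": "bank.example"},
    # Same subscriber later, new IP, different client: same identifier.
    {"ts": 5000, "src_ip": "10.0.7.9", "tls": False, "raw":
        "GET /img.png HTTP/1.1\r\nHost: cdn.example\r\nUser-Agent: curl/7.38\r\n"
        "X-UIDH: Ab3dEf9hIjK=\r\n\r\n"},
    {"ts": 5100, "src_ip": "10.0.7.9", "tls": True, "sni": "mail.example"},
    # TLS only, no plaintext leak from this IP: nothing to link it to.
    {"ts": 9000, "src_ip": "10.0.9.1", "tls": True, "sni": "forum.example"},
    # Same handset on Wi-Fi: the cellular path is not involved, so no header.
    {"ts": 9100, "src_ip": "10.0.9.2", "tls": False, "raw":
        "GET / HTTP/1.1\r\nHost: wifi.example\r\nUser-Agent: Mozilla/5.0 (iPhone)\r\n\r\n"},
]


def parse_request_head(raw):
    """Parse an HTTP/1.x request head into a dict of lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def link_flows(flows, window=600):
    """Group flows by UIDH; attribute TLS flows to a UIDH seen from the same IP nearby.

    Returns (linked, unlinked): linked maps each UIDH to the IPs, user agents and
    plaintext hosts it was seen with plus the TLS hosts attributed to it; unlinked
    lists the SNI of TLS flows that no plaintext leak could be tied to.
    """
    linked = defaultdict(lambda: {"ips": set(), "user_agents": set(),
                                  "hosts": set(), "tls_hosts": set()})
    anchors = []  # (src_ip, ts, uidh) from plaintext flows that carried the header
    for f in flows:
        if f["tls"]:
            continue
        h = parse_request_head(f["raw"])
        uidh = h.get(UIDH_HEADER)
        if not uidh:
            continue
        rec = linked[uidh]
        rec["ips"].add(f["src_ip"])
        rec["user_agents"].add(h.get("user-agent", ""))
        rec["hosts"].add(h.get("host", ""))
        anchors.append((f["src_ip"], f["ts"], uidh))

    unlinked = []
    for f in flows:
        if not f["tls"]:
            continue
        hits = [u for ip, ts, u in anchors
                if ip == f["src_ip"] and abs(ts - f["ts"]) <= window]
        if hits:
            linked[hits[0]]["tls_hosts"].add(f["sni"])
        else:
            unlinked.append(f["sni"])
    return dict(linked), unlinked


if __name__ == "__main__":
    linked, unlinked = link_flows(SAMPLE_FLOWS)
    for uidh, rec in linked.items():
        print(uidh, {k: sorted(v) for k, v in rec.items()})
    print("unlinked TLS hosts:", unlinked)
```

With the constructed data, one identifier ties together two source IPs, two user agents, and the bank and mail hosts that were only ever visited over HTTPS; the Wi-Fi request and the TLS-only IP stay unlinked, which is the whole of the protection HTTPS or a tunnel gives here.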


Man, I like that IEEE code of conduct...and I've never even heard of it.

If you take an engineering ethics class, you get the background to put your development into larger perspective:

How to kill people with radiation apps.
I thought you said we could reuse that code block.
How to not write a fucking engineering document and avoid killing astronauts
Feet & Meters: Who cares? They're just doubles. $193.1 million spacecraft lost because incomplete unit testing.
Maps are easy - it's all in open APIs...

Here are three questions to always ask:

- I wonder whether they were Engineers?
- Did they use strongly typed languages?
- What was the unit test coverage?
posted by j_curiouser at 2:07 PM on January 16, 2015 [1 favorite]


Most genocides don't actually require lots of paperwork

It is, quite literally, well documented.
posted by localroger at 3:44 PM on January 16, 2015


An Example:
On April 12, 1933, the German government announced plans to conduct a long-delayed national census. The project was particularly important to the Nazis as a mechanism for the identification of Jews, Gypsies, and other ethnic groups deemed undesirable by the regime. Dehomag offered to assist the German government in its task of ethnic identification, concentrating upon the 41 million residents of Prussia. This activity was not only countenanced by Thomas Watson and IBM in America, Black argues, but was actively encouraged and financially supported, with Watson himself traveling to Germany in October 1933 and the company ramping up its investment in its German subsidiary from 400,000 to 7,000,000 Reichsmark—about $1 million. This injection of American capital allowed Dehomag to purchase land in Berlin and to construct IBM's first factory in Germany, Black charges, thereby "tooling up for what it correctly saw as a massive financial relationship with the Hitler regime."
The Nazis had to identify target subgroups who were not conveniently recognizable by markers like skin color, and they didn't want to just leave the bodies rotting in the street so they transported their victims to death camps which produced great logistical challenges, such as acquiring tons of Zyklon-B per month and disposing of mountains of ash and property. As William Shirer documents at length in The Rise and Fall of the Third Reich it was all state of the art and still not completely adequate to meet the Nazis' goals. The technical challenges, such as lively bidding for the construction of the crematoria, were all documented in great detail and those documents ended up sending people to the gallows at Nuremberg.
posted by localroger at 4:11 PM on January 16, 2015 [1 favorite]


How is any of that documentation showing that most genocides require lots of paperwork?

It actually does more to overturn your previous claim that "inserting headers into a HTTP transaction" is analogous to any prerequisite for "systematically murdering 12 million human beings" much less is some stepping stone to "blanket confiscation of funds, cancellation of marriages, and roundup of the newly minted criminal heretic class".

If indeed the header insertion was even intentionally implemented for the purpose of traffic analytics tracking out on the internet and not for some other internal network testing reason, before some management or marketing person realized how it could be exploited.

If Verizon even implemented it themselves! It seems just as feasible to me that this is just some pre-existing deep packet inspection feature on some piece of network equipment that got flipped on. Maybe under normal operation there's another piece of gear at the other edge of the network that strips out the added header, and the Hitler/Sauron/Antichrist-level act of evil here was turning off the setting that strips the header out, rather than inserting them in the first place.
posted by XMLicious at 4:52 PM on January 16, 2015


How is any of that documentation showing that most genocides require lots of paperwork?

I never said most genocides required a lot of paperwork. I said the Nazi genocide required a lot of paperwork, because the Nazis wanted to have some selectivity about who they killed and did not want to leave the bodies in the street. This created several huge logistical problems which they only managed to partly solve by, among other things, becoming one of IBM's biggest customers.

Note that the first and most important thing the Reich went to IBM for was to identify their victims. This is exactly the sort of thing that gets a lot easier if you could, say, automatically make a record of everyone's communications conveniently tagged by who they are to see who is a member of a synagogue and who subscribes to the Advocate and High Times.
posted by localroger at 4:59 PM on January 16, 2015


Also, I don't think anybody seriously believes Verizon is trying to set up a run for The Handmaid's Tale; more likely they're trying to target ads. The problem is that what they've created is exactly what the fascists in The Handmaid's Tale would need to easily implement their cool plan.
posted by localroger at 5:02 PM on January 16, 2015


I never said most genocides required a lot of paperwork.

Then it was pretty pointless to respond to IAmBroom like that, if you weren't actually disagreeing with or arguing against the comment of his which you directly quoted.

Anyways, having read more, I wonder if any tech-savvy people who end up sending traffic through Verizon have tried setting their own, fixed, X-UIDH header at the browser level to see if Verizon overrides it with theirs. If they don't, that could be a little monkeywrench to screw up their plans temporarily, though it probably would be easily overcome once they realized what was going on.

Another thought that occurs to me is that if there were a way to send a fake header value through the network you might be able to trick Turn into re-instantiating someone else's cookies, and thus they might be exposed to some sort of legal liability by sharing that information? Though of course that usually goes much worse for the persons exposing the breach than the company exposing other peoples' data.
posted by XMLicious at 5:29 PM on January 16, 2015
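Added example, not code from the thread or from any of the check sites it mentions: the kind of "am I emitting a UIDH?" page I-Write-Essays used above, plus XMLicious's suggestion of sending your own X-UIDH to see whether the path passes it through or overwrites it. The server just echoes request headers as JSON; to use it for real it has to sit on the far side of the carrier network and be fetched over plain http://, since the header is only ever added to cleartext requests. The `simulate_injected` hook on the handler stands in for an injecting middlebox so the four outcomes can be shown offline; it is an assumption for the demo, not Verizon behaviour.

```python
"""Header-echo check endpoint and client for an injected X-UIDH (added example)."""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

UIDH_HEADER = "X-UIDH"


class HeaderEchoHandler(BaseHTTPRequestHandler):
    """Echo every request header back as JSON, as a public check page would."""

    simulate_injected = None  # demo hook: set to a string to mimic an injecting path

    def do_GET(self):
        seen = dict(self.headers.items())
        if self.simulate_injected is not None:
            # a middlebox replaces whatever the client sent with the subscriber's value
            seen = {k: v for k, v in seen.items() if k.lower() != UIDH_HEADER.lower()}
            seen[UIDH_HEADER] = self.simulate_injected
        body = json.dumps(seen).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_echo_server(host="127.0.0.1", port=0):
    """Serve on a background thread; returns (server, bound port)."""
    server = HTTPServer((host, port), HeaderEchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def check_uidh(host, port=80, path="/", probe_value=None, timeout=5):
    """Fetch the echo page over cleartext HTTP and classify what arrived.

    Without a probe: 'present' means something on the path added the header.
    With a probe: 'overwritten' means the path replaced our value with its own.
    """
    headers = {UIDH_HEADER: probe_value} if probe_value is not None else {}
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        seen = json.loads(conn.getresponse().read().decode())
    finally:
        conn.close()
    value = next((v for k, v in seen.items() if k.lower() == UIDH_HEADER.lower()), None)
    return {
        "present": value is not None,
        "value": value,
        "overwritten": probe_value is not None and value is not None and value != probe_value,
    }


if __name__ == "__main__":
    server, port = start_echo_server()
    print("clean path, no probe:      ", check_uidh("127.0.0.1", port))
    print("clean path, probe sent:    ", check_uidh("127.0.0.1", port, probe_value="probe-123"))
    HeaderEchoHandler.simulate_injected = "SIMULATED-SUBSCRIBER-ID"
    print("injecting path, no probe:  ", check_uidh("127.0.0.1", port))
    print("injecting path, probe sent:", check_uidh("127.0.0.1", port, probe_value="probe-123"))
    server.shutdown()
```

Run the no-probe check first; that is the one that answers "is my carrier tagging me?" (and, per the comments above, it can come back empty on some connections). Only then send a probe: a value that survives unchanged means the path leaves client-supplied headers alone, a different value means it overwrites them, which is what decides whether XMLicious's fixed-header monkeywrench would do anything.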


This is about the most vicious and evil derail I've seen in a long while. You're both bad, and you're both viscerally wrong while being technically correct (and if you quote Abrams Trek at me, I swear to god...)

Verizon sucks as a company, get Straight Talk or Sprint. Coverage sucks, but if YOU CAN'T USE IT BECAUSE DATACAPS AND SPYWARE, who cares?

Nazis... good Godwin, the rest of it is dumb.
posted by Slap*Happy at 6:49 PM on January 16, 2015 [2 favorites]


You seriously only just now noticed Nazis being mentioned.
posted by XMLicious at 7:00 PM on January 16, 2015


If I may acquaint you with my first post in the thread, you might notice that
  • I didn't bring up the Nazis, I was replying to sideshow
  • It was not about genocide in general, it was about Nazis
  • My most recent comment is about why it is exactly correct to compare Verizon's stupid shit to what Nazis would want, because back in the day the actual Nazis went to the closest thing they had to Verizon in their day for the closest thing they could manage.
  • It is generally agreed that it's not Godwin to mention actual Nazis doing actual things actual Nazis actually did.
Another fun thing actual Nazis actually did was subverting the secret ballot. In many towns they did this by writing numbers on the blank ballots with milk, which acted like invisible ink. They kept records of the order in which citizens cast their ballots, then put the ballots in order according to the watermarks and assembled their enemies list accordingly. Now consider what the kind of people who would go to that effort would do with Verizon's innocent li'l UID headers.
posted by localroger at 7:10 PM on January 16, 2015


You seem to have linked to one of my comments, localroger, rather than your own. But anyways, as I was following along yesterday it appeared to me that the thread was Godwinned way up here.

P.S. to no one in particular: "Godwin's law" is from a quarter century ago, now. Wait, let me get my dentures in and say that again.
posted by XMLicious at 7:20 PM on January 16, 2015


Holy fuck. I just checked my Recent Activity and thought "I don't remember commenting in any threads involving Nazis"
posted by exogenous at 7:35 PM on January 16, 2015 [2 favorites]


I'm old. You and localroger are still foolish and offensive for obsessing about Nazis in a cellphone thread.

Find. Other. Metaphors.
posted by Slap*Happy at 7:52 PM on January 16, 2015 [2 favorites]


It's not a metaphor.
posted by localroger at 11:29 PM on January 16, 2015


Verizon will now let users kill previously indestructible tracking code. With helpful picture of zombie and Eiffel Tower cookies.
posted by dirigibleman at 11:08 PM on February 1, 2015 [1 favorite]


Looks like good news — the article says: In a statement e-mailed to reporters on Friday, Verizon said, "We have begun working to expand the opt-out to include the identifier referred to as the UIDH, and expect that to be available soon." Hopefully Verizon follows through on this.
posted by exogenous at 6:21 AM on February 2, 2015

