Zombie Cookie: The unkillable tracking cookie

© David Sleight & Hannah Birch

[Editor's note: This story has been updated. See end of article]

An online ad company called Turn is using tracking cookies that come back to life after Verizon users have deleted them. Turn's services are used by everyone from Google to Facebook.

An online advertising clearinghouse relied on by Google, Yahoo and Facebook is using controversial cookies that come back from the dead to track the web surfing of Verizon customers.

The company, called Turn, is taking advantage of a hidden undeletable number that Verizon uses to monitor customers' habits on their smartphones and tablets. Turn uses the Verizon number to respawn tracking cookies that users have deleted.

"We are trying to use the most persistent identifier that we can in order to do what we do," Max Ochoa, Turn's chief privacy officer, told ProPublica.

Turn's zombie cookie comes amid a controversy about a new form of tracking the telecom industry has deployed to shadow mobile phone users. Last year, Verizon and AT&T users noticed their carriers were inserting a tracking number into all the Web traffic that transmits from a users' phone - even if the user has tried to opt out.

Users complained that the tracking number could be used by any website they visited from their phone to build a dossier about their behavior - what sites they went to, what apps they used.

In November, AT&T stopped using the number. But Verizon did not, instead assuring users on its website that "it is unlikely that sites and ad entities will attempt to build customer profiles" using its identifiers.

When asked about Turn's use of the Verizon number to respawn tracking cookies, a Verizon spokeswoman said, "We're reviewing the information you shared and will evaluate and take appropriate measures to address."

Turn privacy officer Ochoa said that his company had conversations with Verizon about Turn's use of the Verizon tracking number and said "they were quite satisfied."

Turn's actions were spotted by Stanford researcher Jonathan Mayer, and confirmed by ProPublica's testing.

Turn and Verizon also have a separate marketing partnership that allows Verizon to share anonymized information about its mobile customers. In April, Verizon sponsored a Turn event in New York City called " Bringing Sexy Back to Measurement."

Turn, which calls itself a "Digital Hub," may not be a household name but it is a huge back-end processor of ads on websites.

It works like this: When a user visits a website that contains Turn tracking code, the company holds an auction within milliseconds for advertisers to target that user. The highest bidder's ad instantly appears on the user's screen as the web page loads. Turn says it receives 2 million requests for online advertising placements per second.

For its auctions to work, Turn needs to identify web users by cookies, which are small text files that are stored on their computers. The cookies allow Turn to identify a user's web browsing habits, such as an interest in sports or shopping, which it uses to lure advertisers to the auction.

Some users try to block such tracking by turning off or deleting cookies. But Turn says that when users clear their cookies, it does not consider that a signal that users want to opt out from being tracked.

"There are definitely people who feel that if they clear their cookies, they won't be tracked, and that is not strictly accurate," said Joshua Koran, senior vice president of product management at Turn.

Turn executives said the only way users can opt out is to install a Turn opt-out cookie on their machine. That cookie is not designed to prevent Turn from collecting data about a user - only to prevent Turn from showing targeted ads to that user.

ProPublica's tests showed that even Verizon users who installed the Turn opt-out cookie continued to receive the Turn tracking cookie as well. Turn said despite the appearance of the tracking cookie, it continues to honor the opt-out cookie.

© Julia Angwin, Mike Tigas and Terry Parris Jr., ProPublica

Initially, Turn officials also told ProPublica that its zombie cookie had a benefit for users: They said they were using the Verizon number to keep track of people who installed the Turn opt-out cookie, so that if they mistakenly deleted it, Turn could continue to honor their decisions to opt out.

But when ProPublica tested that claim on the industry's opt-out system, we found that it did not show Verizon users as opted out. Turn subsequently contacted us to say it had fixed what it said was a glitch, but our tests did not show it had been fixed.

Either way, this fix does not address the respawning of cookies that have been deleted - since Turn says it does not consider that an expression of user intent.

"It is our absolute desire to honor people's choices," said Ochoa, Turn's chief privacy officer.

Update :

Jan. 16, 2014: In response to our revelation, Turn said it will suspend using its zombie cookie.

Tech company Turn said it would stop using tracking cookies that are impossible to delete. The decision came in response to a ProPublica article this week that revealed the controversial practice.

"We have heard the concerns and are actively re-evaluating this method," Max Ochoa, Turn's chief privacy officer, wrote in a blog post.

He said the company plans aims to suspend the practice by "early February."

Turn's zombie cookie was exploiting a hidden undeletable number that Verizon uses to track its customers on their smartphones on tablets. Turn used the Verizon number to respawn tracking cookies that users had deleted. The company said it will now re-evaluate its practices.

Turn's decision to suspend the practice was a sharp reversal from its previous stance. It had previously argued that "clearing cookies is not a reliable way for a user to express their desire not to receive tailored advertising."

Critics across the Web vocally disagreed. Jason Kint, CEO of a trade association for digital content companies, wrote that "this kind of surreptitious behavior does nothing to build trust between consumers, advertisers and publishers." The Electronic Frontier Foundation, a digital rights organization, said Turn's action made it " impossible for customers to meaningfully control their online privacy."

The Wall Street Journal Dragnet Nation: A Quest for Privacy, Security and Freedom in a World of Relentless Surveillance, Financial Times

The Spokesman-Review

Chomsky: We Are All – Fill in the Blank.

This entry passed through the Full-Text RSS service - if this is your content and you're reading it on someone else's site, please read the FAQ at http://bit.ly/1xcsdoI.