by devit 3904 days ago
They should be sued for that.

There is no way most customers are informed and intentionally consenting to them tampering with the HTTP requests they send to include their customer ID.

The obvious expectation of a customer of an ISP is that it sends the data through unchanged.


It's things like this that drive people to want HTTPS everywhere, but even that is subject to subterfuge when the provider inserts their own "trusted" certificates to proxy that traffic.

There really should be provisions in the telecom bill that data traffic is to remain absolutely untouched.

Just imagine phone calls where mentioning the word "pizza" would trigger an advertisement being injected into it.

I don't know of any ISPs that are currently MITMing HTTPS. That seems like something that would be big news and get a CA revoked. Do you have a source for that?
Not an ISP, but I think this was a reference to Lenovo's recent Superfish scandal.

[0]: http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with...

HTTPS is just transit data; they don't need to see that. They can still tell the sites you've visited, and really they just want to ID you and optionally make that ID available to others who pay/participate in data syncing.
It's not about Verizon. Of course they know where their users connect to. But by injecting a special HTTP header field, they make it possible for third parties to track the user – for example an ad network that serves ads on sites the user visits. Regular cookies are limited to certain domains, but this header is added to every request, making it cross-domain. HTTPS would prevent Verizon from injecting it.
They may not be able to inject into HTTPS, but they can offer an API that will map IP address:port to identity (as one mentioned here[1]), for only a bit more overhead than tampering with HTTP headers and without breaking TLS.

If they want to make some possibly non-standard protocol adjustments they mutually understand, they should be able to inject it, too. Researching the protocols/crypto to understand that more and trying to produce a POC are side-projects on my list, maybe some day.

The root of the issue is that your ISP often knows who you are, every site you connect to knows who your ISP is, and they have incentives to trade notes on you and few reasons not to.

[1] https://news.ycombinator.com/item?id=10357583

I'm sure the three letter agencies also love it. But as we know now, the agencies don't have to rely on extracting cookies from intercepted traffic in this particular case: Verizon will happily go above and beyond the call of duty and betray the trust the customers put into them.
The HTTP header was really the lowest tech they could've used and feels like more of a stopgap.

Most ISPs will use tracking at a much lower network layer and provide APIs for partners to match up IDs on demand. No need for HTTP headers.

When I switched to Verizon last year (shortly before articles about this last time), I received a privacy notice in the mail: 1 page, front and back, that covered this (and only this). It also had opt-out instructions.

I remember it, because I had it sitting on my desk for a week before I got around to following the instructions.

It's on page 73, section 4, subsection i) of the terms of service.
It's very sad that I don't know whether you are joking because it's entirely plausible that they both have this in their TOS, and that their TOS is over 70 pages long.
The data is unchanged. Most ISPs have internal tracking for each request to see how network data flows. You can just think of this as Verizon leaving those tags on - and in this case it owns AOL so it's sharing within the same entity.

Not saying good/bad - just how they treat it.

Zombie cookies are ones that are added to HTTP responses by the ISP, so that even if the user clears their cookies manually or opens their browser in incognito mode then the tracking cookie persists.
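As an added example (not code from this thread or from any ISP), here is the two-ended check a site operator or a curious user could run to spot the behaviour described above: an intermediary adding a header with the same value to requests for unrelated hosts, and a Set-Cookie line appearing in a response the origin never sent. All sample data and header names below are constructed placeholders.

```python
# Detect a request header injected in transit that carries a stable cross-domain
# identifier. Approach: send requests with a known header set to echo endpoints
# on several unrelated hosts, then flag any header the client never sent whose
# value is identical in every sample. All data below is constructed.
from collections import defaultdict

# Lower-cased names of the headers the client itself emits (constructed list).
CLIENT_SENT = {"host", "user-agent", "accept", "accept-encoding", "connection"}

# What three unrelated origins report receiving for the same client (constructed;
# "X-Sample-Subscriber-ID" is a placeholder, not any real ISP's header name).
RECEIVED = [
    ("news.example", {"Host": "news.example", "User-Agent": "Mozilla/5.0",
                      "Accept": "*/*", "Via": "1.1 proxy-a.isp.example",
                      "X-Sample-Subscriber-ID": "OTgzMjEx"}),
    ("shop.example", {"Host": "shop.example", "User-Agent": "Mozilla/5.0",
                      "Accept": "*/*", "Via": "1.1 proxy-b.isp.example",
                      "X-Sample-Subscriber-ID": "OTgzMjEx"}),
    ("bank.example", {"Host": "bank.example", "User-Agent": "Mozilla/5.0",
                      "Accept": "*/*", "Via": "1.1 proxy-a.isp.example",
                      "X-Sample-Subscriber-ID": "OTgzMjEx"}),
]

def find_injected_identifiers(samples, client_sent):
    """Return {header: value} for headers the client did not send that appear in
    every sample with one constant value, the signature of a cross-domain ID.
    Headers that vary per hop (Via) or that appear only sometimes are excluded,
    which is why samples from several unrelated hosts are needed."""
    seen_values = defaultdict(set)
    seen_count = defaultdict(int)
    for _host, headers in samples:
        for name, value in headers.items():
            lname = name.lower()
            if lname in client_sent:
                continue  # legitimately ours, not added in transit
            seen_values[lname].add(value)
            seen_count[lname] += 1
    return {name: next(iter(vals)) for name, vals in seen_values.items()
            if seen_count[name] == len(samples) and len(vals) == 1}

def injected_set_cookies(origin_sent, client_received):
    """Set-Cookie lines the client received that the origin never emitted: how a
    'zombie cookie' shows up when both ends of one HTTP exchange are compared."""
    return [c for c in client_received if c not in set(origin_sent)]

if __name__ == "__main__":
    print(find_injected_identifiers(RECEIVED, CLIENT_SENT))
    # -> {'x-sample-subscriber-id': 'OTgzMjEx'}
```

Over plain HTTP this is what a "what does my ISP add to my requests?" echo page sees; over HTTPS the origin receives exactly what the client sent, so the first check returns nothing unless the TLS connection itself was terminated in transit.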