Why Privacy Experts Are Worried About Verizon's 'Zombie Cookie' That's Now Going to Share Data With AOL's Ad Network — What It Means for You

"It reveals personally identifiable information in ways they're not being transparent about."

A sign hangs on the Verizon headquarters on May 12, 2015 in New York City. Verizon announced today that it is buying AOL for $4.4 billion. (Andrew Burton/Getty Images)

Earlier this week it was revealed that Verizon would be combining its advertising program with AOL's ad network, raising the eyebrows of some privacy advocates.

And here's why.

Verizon has a feature that's been dubbed the "zombie cookie" or "supercookie." More formally called by Verizon the Unique Identifier Header, the UIDH is a code, unique for each individual mobile user, that Verizon includes "in the address information that accompanies some of the Internet (http) requests transmitted over our wireless network."

"Header information is included in all Web traffic and includes information such as the device type, preferred language and content support," Verizon explained, noting that this information gives insight into "how to best display the site on the phone or other device that sends the request."

While that might sound innocuous, Jacob Hoffman-Andrews with the Electronic Frontier Foundation wrote last year that the UIDH was a "perma-cookie" that is "sent to every unencrypted website a Verizon customer visits from a mobile device" and that "allows third-party advertisers and websites to assemble a deep, permanent profile of visitors' Web browsing habits without their consent."

Couple that with the announcement that, starting in November, Verizon will be sharing this information with AOL's ad network to, it says, "make our advertising programs better," and some are concerned.

According to ProPublica, which first reported the "little-noticed announcement" by Verizon this month, this means AOL's ad network, which is on 40 percent of websites, "will be able to match millions of Internet users to their real-world details gathered by Verizon, including 'your gender, age range and interests.'"

"AOL will also be able to use data from Verizon's identifier to track the apps that mobile users open, what sites they visit and for how long," ProPublica reported.

While Verizon says that the "UIDH does not contain any personally identifiable data and it does not broadcast individuals' historical Web browsing activity to advertisers or others," Hillery Nye, general counsel and chief privacy officer at Glympse Inc., a mobile tracking firm, disagrees.

"It reveals personally identifiable information in ways they're not being transparent about," Nye told TheBlaze in a phone interview.

"They are able to differentiate between devices and users," she explained. "Once they marry that information with AOL data, then you have a process called de-identifiable information."

This, she said, is when you have various pieces of the puzzle and can thus identify a person with the information that you have, despite not actually having their name, Social Security number or the like.

To put why this could be a privacy concern into perspective, Nye provided an example she once heard during a speech.

"Anybody who feels like it doesn’t matter that people have your personally identifiable information ... just send me all of your passwords," she recalled the speaker saying.

"There's this fundamental notion of privacy. We don't like the idea that there are entities out there collecting information we haven't fully agreed upon and that we don't fully understand," she said.

What's more, Nye added that "we don’t know exactly what happens to this information."

"Will the government be able to use my browsing history to create some profile about me that could impact me later down the road?"

One popular example that shows how data can be married with personally identifiable information is the now-infamous story of how Target created a pregnancy prediction model that could closely estimate a shopper's due date. That model ended up being used to send targeted ads to a teenage girl.

"My daughter got this in the mail!" the father said to a Target employee, according to the New York Times a few years ago. "She's still in high school, and you're sending her coupons for baby clothes and cribs? Are you trying to encourage her to get pregnant?"

A few days later, a manager from the store called the father to apologize.

"I had a talk with my daughter," he said, according to the Times. "It turns out there's been some activities in my house I haven't been completely aware of. She's due in August. I owe you an apology."

"As a consumer, information can be revealed about you in the form of ads," Nye said. "If I get a bunch of Weight Watchers ads, Botox ads ... people will make inferences about who I am, whether or not those inferences are accurate."

Those inferences can then be used elsewhere or even against you, she said.

What does Verizon have to say? In a blog post this week, Verizon's Chief Privacy Officer Karen Zacharia wrote:

The UIDH will be sent only to Verizon companies, including AOL, and to a select set of other companies that help Verizon provide services. These companies will not be allowed to use the UIDH for any purpose outside of providing the Verizon and AOL services.

The advertising programs use online and device identifiers, including AOL browser cookies, ad IDs from Apple and Google, and the UIDH. Online advertising depends on a range of different identifiers and Verizon’s approach is in line with best-in-class industry standards for privacy protection.

Finally, our customers will continue to have choices about whether or not to participate in these programs. The information that we are providing to our customers includes where they should go to exercise their choices and to find additional information (customer sign-in is required).

And AOL? Its CEO Tim Armstrong told TechCrunch, which is owned by AOL, that "if consumers don’t trust you, it’s not worth whatever you’re going to do with the data.

“Data is oil for this economy. Oil can be used really well, and oil can be used really poorly," he said, also adding that Verizon is more data sensitive than other companies.

Nye, who has been in the industry for 20 years and is very familiar with reading and helping write privacy agreements, said she believes there are several red flags with the combining of systems to enhance advertising and user experiences between Verizon and AOL.

In the end though, what's a consumer to do?

"At the end of the day, there is a delicate balance between a good consumer experience and going overboard and having too much intrusion into my life and my privacy," she said. "Consumers need to remember they have the right to opt out, the right to not take all these ads and all this other stuff.

"Now, the price to doing that might be relinquishment of free services," Nye added, but just because you signed on to use a Verizon phone "doesn’t mean you signed on for a situation that’s going to make you feel uncomfortable about the use of your information."

After some backlash over the "supercookie" tracking you with the UIDH even after cookies had been deleted, Verizon reversed its policy to allow people to opt out of its Relevant Mobile Advertising program last year. This is done by calling 1-866-211-087 or updating your privacy settings on your account or through your My Verizon mobile app.

Something to note, though: Verizon states that "if a customer chooses to participate in Verizon Selects, the UIDH will be present even if the customer has also opted-out of the Relevant Mobile Advertising program." Verizon states that if you choose to opt in to Verizon Selects, you can opt out later by changing your preferences.

Engadget pointed out that using your phone, you can find out if you're being tracked by visiting the site AmIBeingTracked.com.
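What a check of this kind looks at on the receiving end, as an added example that is not from the article, Verizon or any of the sites named: it parses the request a web server receives and reports a carrier-injected identifier, then shows why clearing cookies does not break the link. The header name X-UIDH is the publicly reported name for the UIDH header and is not given in the article; the requests and identifier values are constructed.

```python
# Added illustration; every request below is a constructed sample.
# "X-UIDH" is the publicly reported header name for Verizon's UIDH;
# the article itself does not name the header.
TRACKING_HEADERS = {"x-uidh"}

def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x request into a dict
    keyed by lower-cased name (header names are case-insensitive)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def injected_identifiers(raw: bytes) -> dict:
    """Return carrier-injected identifier headers visible to the server."""
    return {k: v for k, v in parse_headers(raw).items()
            if k in TRACKING_HEADERS}

def survives_cookie_reset(before: bytes, after: bytes) -> bool:
    """True when the browser cookie changed between two requests but the
    injected identifier is present and unchanged, i.e. deleting cookies
    did not separate the two visits."""
    id_before, id_after = injected_identifiers(before), injected_identifiers(after)
    same_id = bool(id_before) and id_before == id_after
    cookie_changed = (parse_headers(before).get("cookie")
                      != parse_headers(after).get("cookie"))
    return same_id and cookie_changed

# Constructed: same subscriber over plain HTTP, cookies cleared in between.
VISIT_1 = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
           b"Cookie: sid=aaa111\r\nX-UIDH: CONSTRUCTED-ID-0001\r\n\r\n")
VISIT_2 = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
           b"X-UIDH: CONSTRUCTED-ID-0001\r\n\r\n")
# Constructed: a request that arrives with no injected header.
CLEAN = b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: sid=bbb222\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("visit 1", VISIT_1), ("visit 2", VISIT_2),
                       ("clean", CLEAN)):
        print(label, injected_identifiers(req) or "no injected identifier")
    print("identifier survives cookie reset:",
          survives_cookie_reset(VISIT_1, VISIT_2))
```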