It would be possible for Verizon to implement this really bad system without anybody noticing and even if Speedy/HTTP 2 or HTTPS is used:
Currently they inject the header with an ID which changes e.g. daily and charge third parties to associate the ID with a profile. They can only inject in HTTP.
If instead the third party (e.g. an adserver) contacts a Verizon server with the IP (and port number in case of carrier grade NAT) on every request and that server gives back the profile and Verizon charges the adserver for this, then nobody would ever know and there would be not much protection against it (without a third party proxy or vpn to hide the IP).
Currently they inject the header with an ID which changes e.g. daily and charge third parties to associate the ID with a profile. They can only inject in HTTP.
If instead the third party (e.g. an adserver) contacts a Verizon server with the IP (and port number in case of carrier grade NAT) on every request and that server gives back the profile and Verizon charges the adserver for this, then nobody would ever know and there would be not much protection against it (without a third party proxy or vpn to hide the IP).