They have also injected Javascript into pages (selling new modems) and add(ed) unique headers to HTTP traffic so websites could identify individual users despite their best attempts.
This must have been pre-HTTPS since you’d need to MitM the SSL certificate for that to work