Flash Cookies Stir Privacy Concerns
A recent academic study found popular Web sites are using cookies from Adobe's Flash plug-in to track users and, in some cases, are recreating HTTP tracking cookies after users have deleted them. Researchers at University of California at Berkeley, Clemson University, Jacksonville State University, and Louisiana State University conducted the study. Of the top 100 Web sites ranked by Quantcast, a Web-audience measurement service, the researchers found Flash cookies in use on 54 of them—including, for example, AOL and Hulu. The study looked at the privacy policies of these Web sites and found that, in some cases, the use of Flash cookies differed from the sites' official privacy policies.
"We don't think there is anything bad about the technology," noted Chris Jay Hoofnagle, one of the study's coauthors and director of Information Privacy Programs for the Berkeley Center for Law & Technology." The issue is more about how it's used. Adobe saw it as a tool for storing preferences rather than tracking people. Advertisers started using Flash cookies because they found that HTTP cookies were not as effective. But this use represents an end run around a user’s privacy decisions."
Although companies are making a greater effort to communicate their use of technologies such as cookies, Flash cookies are relatively new and not well understood. Hoofnagle explained, "Even if these cookies were disclosed to consumers, there is still a problem in that this is a relatively new technology that consumers don’t know how to mitigate."
A cookie is the popular name given to a type of file that's stored on a user's computer as they browse a Web site. Cookies serve many useful functions such as storing users' site preferences and shopping cart items. They can also be used to store information about what users do on a site for generating ads that target specific user interests.
In some cases, third-party cookies are used across multiple sites. This raises privacy concerns because many users are wary of revealing personal information to third parties. "It's like you walk into a town and the merchants put a sticker on your back that tells everyone your shopping habits," said Ashkan Soltani, a graduate student at the University of California, Berkeley's School of Information and one of the paper's coauthors.
As these concerns became mainstream, trade groups such as the Network Advertising Initiative and TrustE were formed to help companies create and communicate their privacy policies. All the major browser vendors created tools to help users better manage the cookies stored on their computers.
Bypassing the Browser
As Adobe's Flash grew to become the most popular browser plug-in, many Web sites began using Flash local stored objects (LSOs) as another mechanism for storing data on a user's computer in a Flash cookie. But Flash cookies operate independently of the browser's privacy settings, and they can be shared across multiple browsers or stored when a user is surfing the Web in a privacy mode.
Soltani said, "The main difference is that Flash cookies are not well known. You have to take extra steps to circumvent Flash cookies. The user has to know they exist, and then go to a special site to delete them through a Web page, which is not intuitive."
Need for Consistency
"Using Flash cookies or other tracking technologies isn’t necessarily an issue," said Eric Nelson, principal of Secure Privacy Solutions, "but these technologies have to be implemented with the recognition of an individual's rights to know how their personal information is being collected, managed, and tracked and the right to opt out of providing that information." Nelson recommends that organizations adopt policies addressing any information that could impact an individual's privacy. "It's not only a best practice, but may also protect the organization from charges of unfair or deceptive trade practices."
To change the settings on your Flash player directly, visit
To improve your privacy settings, download Better Privacy extension for Firefox:
To clean your cookies, go to
Glary Utilities: www.glaryutilities.com/gup.html
Flush.app for the Macintosh: http://machacks.tv/2009/01/27/flushapp-flash-cookie-removal-tool-for-os-x