Flash Cookies and Privacy

In August 2009, I and other graduate students at the University of California, Berkeley – School of Law, Berkeley Center for Law & Technology published Flash Cookies and Privacy, a paper that examined the use of ‘Flash cookies’ by popular websites.

Websites and Cookies

Advertisers are increasingly concerned about unique tracking of users online. Several studies have found that over 30% of users delete first party HTTP cookies once a month, thus leading to overestimation of the number of true unique visitors to websites, and attendant overpayment for advertising impressions.

Mindful of this problem, online advertising companies have attempted to increase the reliability of tracking methods. In 2005, United Virtualities (UV), an online advertising company, exclaimed, “All advertisers, websites and networks use [HTTP] cookies for targeted advertising, but cookies are under attack.” The company announced that it had, “developed a backup ID system for cookies set by web sites, ad networks and advertisers, but increasingly deleted by users. UV’s ‘Persistent Identification Element’ (PIE) is tagged to the user’s browser, providing each with a unique ID just like traditional cookie coding. However, PIEs cannot be deleted by any commercially available antispyware, mal-ware, or adware removal program. They will even function at the default security setting for Internet Explorer.”

United Virtualities’ PIE leveraged a feature in Adobe’s Flash MX: the “local shared object,” also known as the “Flash cookie.”

What Flash Cookies Are

Flash cookies are different than standard HTTP cookies, the paper explains. Flash cookies can contain up to 100KB of information by default (HTTP cookies only store 4KB). Flash cookies do not have expiration dates by default, whereas HTTP cookies expire at the end of a session unless programmed to live longer by the domain setting the cookie. Flash cookies are stored in a different location than HTTP cookies, thus users may not know what files to delete in order to eliminate them. Additionally, they are stored so that different browsers and stand-alone Flash widgets installed on a given computer access the same persistent Flash cookies. Flash cookies are not controlled by the browser. Thus erasing HTTP cookies, clearing history, erasing the cache, or choosing a delete private data option within the browser does not affect Flash cookies. Even the ‘Private Browsing’ mode recently added to most browsers still allows Flash cookies to operate fully and track the user. These differences make Flash cookies a more resilient technology for tracking than HTTP cookies, and create an area of uncertainty for user privacy control.

Research and Findings

With rising concern over “behavioral advertising,” the US Congress and federal regulators are considering new rules to address online consumer privacy. A key focus surrounds users’ ability to avoid tracking, but the privacy implications of Flash cookies had not entered the discourse.

Additionally, any consumer protection debate will include discourse on self-help. Thus, consumers’ ability to be aware of and control unwanted tracking will be a key part of the legislative debate.

To inform this debate, the research team examined the top 100 websites to determine which were using Flash cookies. We also examined these sites’ privacy policies to see whether they discussed Flash cookies.

We found that more than 50% of the sites in our sample were using Flash cookies to store information about the user.

Some were using them to ‘respawn’ or re-instantiate HTTP cookies deleted by the user. This means that privacy-sensitive consumers who “toss” their HTTP cookies to prevent tracking or remain anonymous are still being uniquely identified online by advertising companies.

In addition to storing user settings, many sites stored the same values in both HTTP and Flash cookies, usually with telling variable names indicating they were user ids or computer guids (globally unique identifiers). They are even used on government websites to assign unique values to users.
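One way to audit for the overlap and respawning described above, as an added example that is not code from the paper: it scans raw Flash cookie (.sol) bytes for printable strings and flags HTTP cookies whose value returns unchanged after deletion and also appears in a Flash cookie. The function names, cookie names, values and byte strings are constructed for illustration, and the string scan is a simplification rather than a parser for the .sol format.

```python
import re

MIN_LEN = 8  # skip short values (flags, locales) that would match by chance

def printable_strings(blob, min_len=MIN_LEN):
    """Printable ASCII runs in raw LSO bytes (a `strings`-style scan, not a parser)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, blob)}

def shared_identifiers(http_cookies, lso_blobs):
    """(cookie name, LSO name) pairs where the cookie value also sits in the LSO."""
    hits = []
    for lso_name, blob in lso_blobs.items():
        runs = printable_strings(blob)
        for name, value in http_cookies.items():
            if len(value) >= MIN_LEN and any(value in run for run in runs):
                hits.append((name, lso_name))
    return sorted(hits)

def respawn_candidates(before, after, lso_blobs):
    """Cookies that returned with the same value after deletion and match an LSO."""
    returned = {n: v for n, v in after.items() if before.get(n) == v}
    return shared_identifiers(returned, lso_blobs)

# Constructed sample data (hypothetical names and values, not from any real site).
BEFORE = {"uid": "4a7d1ed414474e40", "session": "c0ffee11223344", "lang": "en"}
# Cookie jar after the user deleted all HTTP cookies and revisited the site.
AFTER = {"uid": "4a7d1ed414474e40", "session": "9b2e77aa018c5d", "lang": "en"}
LSO_BLOBS = {
    "tracker.sol": b"\x00\xbfTCSO\x00\x03uid\x02\x00\x10" + b"4a7d1ed414474e40" + b"\x00",
    "player.sol": b"\x00\xbfTCSO\x00\x06volume\x00\x40\x54\x00\x00",
}

if __name__ == "__main__":
    for cookie, lso in respawn_candidates(BEFORE, AFTER, LSO_BLOBS):
        print(f"{cookie}: value survived deletion and is stored in {lso}")
```

The length threshold keeps unchanged but harmless settings such as a two-letter locale from being reported, while a session cookie that receives a fresh value after deletion is not flagged either.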

We also found that privacy policies rarely disclose the presence of Flash cookies, and user controls for effectuating privacy preferences are lacking.

These experiences are not consonant with user expectations of private browsing and deleting cookies. Users are limited in self-help, because anti-tracking tools effective against this technique are not widespread, and the presence of Flash cookies is rarely disclosed in privacy policies.

Recommendations

The paper suggested that tighter integration between browser tools and Flash cookies could empower users to engage in privacy self-help, by blocking Flash cookies. But, to make browser tools effective, users need some warning that Flash cookies are present. Disclosures about their presence, the types of uses employed, and information about controls, are necessary first steps to addressing the privacy implications of Flash cookies.

Flash Cookies and Privacy on SSRN

Initial Press Coverage

You Deleted Your Cookies? Think Again, Wired, August 10, 2009
Study: Adobe Flash Cookies Pose Vexing Privacy Questions, PC World, August 11, 2009

What Happened Next

After the paper was filed as a comment in a government proceeding regarding the federal government’s use of cookies, and after press coverage in Wired Magazine, online advertising network Quantcast quickly stopped using Flash cookies to rebuild cookies that users intentionally deleted.

Flash Cookie Researchers Spark Quantcast Change, Wired, August 12, 2009

The findings in this paper also became the basis for multiple class action lawsuits.

Code That Tracks Users’ Browsing Prompts Lawsuits, New York Times, September 20, 2010

In July 2010, Quantcast, MTV, ESPN, MySpace, Hulu, ABC, NBC and Scribd were sued in federal court on the grounds that they violated federal computer intrusion law by secretly using storage in Adobe’s Flash player to recreate cookies deleted by users.

Privacy lawsuit targets ‘Net giants over “zombie” cookies, Ars Technica, July 27, 2010
Big Media sites sued over use of “zombie cookies”, ZDNet, July 28, 2010
Lawsuit Tackles Files That ‘Re-Spawn’ Tracking Cookies, Wall Street Journal, July 30, 2010

In December 2010, Quantcast agreed to pay $2.4 million to settle the class action lawsuit alleging it secretly used Adobe’s ubiquitous Flash plug-in to re-create tracking cookies after users deleted them.

Online Tracking Firm Settles Suit Over Undeletable Cookies, Wired, December 5, 2010

Additional Research

This research was replicated in 2011. The paper, Flash Cookies and Privacy II, also examines the prevalence of HTML5 cookies and ETags.

The article Respawn Redux provides a detailed technical follow-up regarding Hulu/KISSmetrics’ respawning practices.