Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning

In August 2009, the research team published Flash Cookies and Privacy, a paper that demonstrated that popular websites were using Flash cookies to track users. Some advertisers has adopted this technology because it allowed persistent tracking, even where users had taken steps to avoid web profiling. This allowed sites to reinstantiate HTTP cookies deleted by a user, making tracking more resistant to users’ privacy-setting behaviors.

In this followup study, we reassess the flash cookies landscape and examine a new tracking vector, HTML5 local storage and cache cookies via eTags.

Flash Cookies and Policy Implications

This paper starts by describing the results of heightened awareness of the practices of using Flash cookies outlined in the 2009 paper, including attention from the Federal Trade Commission European regulators, investigations, lawsuits and revised industry practices.

Updated Research Results

After describing our methodology, we outline our findings:

HTTP Cookies

We detected cookies on all top 100 websites. In total, we detected 5,675 HTTP cookies. This is dramatically higher than the 3,602 we detected in 2009. Twenty sites placed 100 or more cookies, including seven that placed more than 150.

Flash Cookies

We found 100 Flash cookies on the top 100 sites, down from the 281 we found in 2009. These Flash cookies appeared on 37 sites, down from the 54 sites we found in 2009.

HTML5 Storage

Seventeen of the top 100 sites were using HTML5 local storage. These 17sites had a total of 60 key/value pairs.

Respawning

We found three respawning behaviors on two sites: hulu.com and foxnews.com.

In 2009, we reported that a QuantCast cookie was respawned on hulu.com. After our 2009 paper, QuantCast executives contacted authors Hoofnagle and Soltani almost immediately, and quickly acted to change the behavior of their service in order to prevent respawning.

Nevertheless, hulu.com, QuantCast, and other companies were sued for the practice, and the case settled this year. In a summary of Flash cookies filed with the court, it was claimed that websites such as Hulu did not know that third party services provided by QuantCast and Clearspring tracked users through Flash. This assertion effectively shifted the blame from consumer-facing websites to the third party tracking companies involved. In the settlement flowing from the suit, QuantCast and Clearspring explicitly promised to not respawn cookies using Flash, or to use Flash as an alternative to HTTP cookies for tracking purposes. These obligations did not apply to consumer-facing websites, such as hulu.com.

We found two different methods of cookie respawning on hulu.com, which is described in detail in the paper.

Conclusion

In 2009, we surveyed the most popular websites to determine how they were using Flash cookies. In this followup study, we found that fewer websites are using Flash cookies. Fewer are also respawning cookies using Flash. However, one popular site is using both Flash and the user’s cache to respawn HTTP and HTML5 cookies in a way that cannot be blocked currently by the browser.

We also found many HTTP cookies on top sites, most of which originate from third parties. Google in particular has the ability to track user behavior across nearly all top sites—97 of them.

Although there is much potential for privacy-enhancing applications of HTML5 local storage, it nevertheless may emerge as a new tracking vector. Seventeen of the sites we surveyed employed HTML5 local storage, several did so in order to mirror a tracking identifier from a third party.

Flash Cookies and Privacy II on SSRN

Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning

Flash Cookies and Policy Implications

Updated Research Results

HTTP Cookies

Flash Cookies

HTML5 Storage

Respawning

Conclusion

Further Reading

Related Press

Upcoming events

Recent Posts

Work

Follow RSS