In August 2009, the research team published Flash Cookies and Privacy, a paper demonstrating that popular websites were using Flash cookies to track users. Some advertisers had adopted this technology because it allowed persistent tracking even where users had taken steps to avoid web profiling: a site could reinstantiate ("respawn") HTTP cookies that a user had deleted, making tracking more resistant to users' privacy-setting behaviors.
In this follow-up study, we reassess the Flash cookies landscape and examine a new tracking vector: HTML5 local storage and cache cookies via ETags.
Flash Cookies and Policy Implications
This paper begins by describing the consequences of the heightened awareness of Flash cookie practices that followed the 2009 paper, including attention from the Federal Trade Commission and European regulators, investigations, lawsuits, and revised industry practices.
Updated Research Results
After describing our methodology, we outline our findings:
We detected HTTP cookies on all of the top 100 websites: 5,675 in total, dramatically higher than the 3,602 we detected in 2009. Twenty sites placed 100 or more cookies, including seven that placed more than 150.
We found 100 Flash cookies on the top 100 sites, down from the 281 we found in 2009. These Flash cookies appeared on 37 sites, down from the 54 sites we found in 2009.
Seventeen of the top 100 sites were using HTML5 local storage. These 17 sites had a total of 60 key/value pairs.
We found three respawning behaviors on two sites: hulu.com and foxnews.com.
In 2009, we reported that a QuantCast cookie was respawned on hulu.com. After our 2009 paper, QuantCast executives contacted authors Hoofnagle and Soltani almost immediately, and quickly acted to change the behavior of their service in order to prevent respawning.
Nevertheless, hulu.com, QuantCast, and other companies were sued for the practice, and the case settled this year. In a summary of Flash cookies filed with the court, it was claimed that websites such as Hulu did not know that third party services provided by QuantCast and Clearspring tracked users through Flash. This assertion effectively shifted the blame from consumer-facing websites to the third party tracking companies involved. In the settlement flowing from the suit, QuantCast and Clearspring explicitly promised to not respawn cookies using Flash, or to use Flash as an alternative to HTTP cookies for tracking purposes. These obligations did not apply to consumer-facing websites, such as hulu.com.
We found two different methods of cookie respawning on hulu.com, both of which are described in detail in the paper.
In 2009, we surveyed the most popular websites to determine how they were using Flash cookies. In this follow-up study, we found that fewer websites are using Flash cookies, and fewer are respawning cookies using Flash. However, one popular site is using both Flash and the browser cache to respawn HTTP and HTML5 cookies in a way that current browser settings cannot block.
We also found many HTTP cookies on top sites, most of which originate from third parties. Google in particular has the ability to track user behavior across nearly all top sites—97 of them.
Although HTML5 local storage has much potential for privacy-enhancing applications, it may nevertheless emerge as a new tracking vector. Seventeen of the sites we surveyed employed HTML5 local storage; several did so in order to mirror a tracking identifier from a third party.
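The cache-based respawn summarized above (an ETag "cache cookie" re-establishing a deleted HTTP cookie and mirroring the identifier into HTML5 local storage) is easier to reason about when both sides of the exchange are visible. The following is an added illustration written for this page; it is not code from the paper, from Hulu, or from any tracking service. The tracker endpoint, the URL `https://tracker.example/i.js`, the browser model, and the counter-based identifier are all constructed here so the exchange runs offline under Node.js.

```javascript
// Simulated ETag "cache cookie" respawn: the tracker's ETag doubles as a user id,
// the browser replays it in If-None-Match when revalidating its cached copy, and
// the server uses that to re-issue the cookie the user deleted. Constructed
// illustration only; no real service or endpoint is modeled.

// Hypothetical tracker endpoint. A counter stands in for the random id a real
// service would generate.
function makeTracker() {
  let counter = 0;
  const knownIds = new Set();
  return function handle(req) {
    // Identifier comes from the HTTP cookie or, if the cookie is gone, from the
    // ETag the browser sends back in If-None-Match for its cached copy.
    let id = req.cookies.id || null;
    const revalidating = req.headers["if-none-match"];
    if (!id && revalidating) id = revalidating.replace(/^W\//, "").replace(/"/g, "");
    const returning = id !== null && knownIds.has(id);
    if (!id) id = "u" + String(++counter).padStart(8, "0");
    knownIds.add(id);

    const headers = {
      etag: `"${id}"`,
      "cache-control": "private, max-age=31536000",
      // Re-issuing the cookie on every response is what respawns it after deletion.
      "set-cookie": `id=${id}; Max-Age=31536000; Path=/`,
    };
    if (returning && revalidating) {
      return { status: 304, headers, body: null }; // browser re-runs its cached script
    }
    // The script body mirrors the identifier into HTML5 localStorage as well.
    return { status: 200, headers, body: `localStorage.setItem("id", "${id}");` };
  };
}

// Minimal browser model: cookie jar, localStorage, and an HTTP cache keyed by URL.
function makeBrowser() {
  const state = { cookies: {}, localStorage: {}, cache: {} };

  // Executes the single statement the tracker script contains (no eval needed).
  function runScript(body) {
    const m = /^localStorage\.setItem\("(\w+)", "(\w+)"\);$/.exec(body || "");
    if (m) state.localStorage[m[1]] = m[2];
  }

  function fetch(url, server) {
    const headers = {};
    const cached = state.cache[url];
    if (cached) headers["if-none-match"] = cached.etag; // conditional request
    const res = server({ url, headers, cookies: { ...state.cookies } });
    const sc = res.headers["set-cookie"];
    if (sc) {
      const [name, value] = sc.split(";")[0].split("=");
      state.cookies[name] = value;
    }
    let body = res.body;
    if (res.status === 304) {
      body = cached.body; // 304 Not Modified: the cached script runs unchanged
    } else {
      state.cache[url] = { etag: res.headers.etag, body };
    }
    runScript(body);
  }

  return {
    state,
    fetch,
    clearCookiesAndStorage() { state.cookies = {}; state.localStorage = {}; },
    clearCache() { state.cache = {}; },
  };
}

function snapshot(state) {
  return { cookie: state.cookies.id || null, local: state.localStorage.id || null };
}

// The three visits an auditor would make, with the identifier observed after each.
function runScenario() {
  const tracker = makeTracker();
  const browser = makeBrowser();
  const url = "https://tracker.example/i.js"; // hypothetical endpoint
  browser.fetch(url, tracker);
  const firstVisit = snapshot(browser.state);

  // User deletes cookies and local storage but, as is typical, not the cache.
  browser.clearCookiesAndStorage();
  browser.fetch(url, tracker);
  const afterClearingCookies = snapshot(browser.state);

  // Only clearing the cache as well breaks the link to the earlier identifier.
  browser.clearCookiesAndStorage();
  browser.clearCache();
  browser.fetch(url, tracker);
  const afterClearingCache = snapshot(browser.state);

  return { firstVisit, afterClearingCookies, afterClearingCache };
}

// Detection check: does the identifier survive deletion of cookies and local
// storage while the cache is left intact?
function respawnsViaCache(result) {
  return result.firstVisit.cookie !== null &&
    result.firstVisit.cookie === result.afterClearingCookies.cookie &&
    result.firstVisit.local === result.afterClearingCookies.local;
}

const scenario = runScenario();
console.log(JSON.stringify(scenario, null, 2));
console.log("cache-based respawn:", respawnsViaCache(scenario));
```

The same three-visit procedure is the practical check for a real site: record the tracker's ETag and cookie value, clear cookies and local storage only, reload, and compare; then clear the cache as well and confirm the identifier finally changes.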
Respawn Redux: a detailed technical follow-up describing the mechanisms behind the Hulu/KISSmetrics respawning practices discussed in the paper
Researchers Expose Cunning Online Tracking Service That Can’t Be Dodged Wired, July 30, 2011
New tracking technology bypasses incognito mode, browser cookie deletion The Examiner, July 31, 2011
Hulu Caught Respawning Cookies as ETags Enter Tracking Fray Adotas, August 1, 2011
KISSmetrics, Hulu Sued Over New Tracking Technology Mediapost, August 1, 2011
Web-Analytics Firm KISSmetrics Reverses Course on Sneaky Tracking Wired, August 1, 2011
AOL, Spotify, GigaOm, Etsy, KISSmetrics sued over undeletable tracking cookies Extreme Tech, August 4, 2011