Small pieces of identifying code hidden in Adobe's
near-ubiquitous Flash media player can be used to track users'
behaviour. The pieces of code behave similarly to 'standard'
cookies and are known as Flash cookies.
Researchers at the University of California, Berkeley have
discovered that Flash cookies can measure and report the behaviour
of users even when those users have disabled or deleted standard,
or HTTP, cookies. They found that several of the 100 most popular
websites have Flash cookies which 'respawn' HTTP cookies, meaning
they store information and write it back into HTTP cookies when a
person revisits the site, even if that person has told their computer
to delete HTTP cookies.
"This means that privacy-sensitive consumers who 'toss' their
HTTP cookies to prevent tracking or remain anonymous are still
being uniquely identified online by advertising companies," said
the researchers in a report on Flash cookies. "Few websites
disclose their use of Flash in privacy policies, and many companies
using Flash are privacy certified by TRUSTe."
The research was carried out by Berkeley students
Ashkan Soltani, Shannon Canty, Quentin Mayo, Lauren Thomas and
Chris Jay Hoofnagle. Their paper, 'Flash Cookies and Privacy',
examines the use of Flash cookies and the privacy protections that
they can evade.
Many users are now well educated about cookies, which website
owners use to track user behaviour so that they can better
understand the use of their site and sell advertising on the back
of that knowledge.
Cookies are also well understood by legislators and authorities
who have taken account of them when writing and enforcing privacy
laws. Flash cookies are almost unheard of, though, and the report
said that this means that users are unable to protect their privacy
as much as they might want.
The research found that 54 of the 100 most popular sites used
Flash cookies, but that only four sites mention them in their
privacy policies.
"Given the different storage characteristics of Flash cookies,
without disclosure of Flash cookies in a privacy policy, it is
unclear how the average user would even know of the technology,"
said the researchers. "This would make privacy self-help impossible
except for sophisticated users."
US advertisers' body the Network Advertising Initiative (NAI)
allows users to opt out of the behavioural advertising systems its
members base on the records provided by traditional cookies.
The report found that on many sites Flash cookies are performing
the same functions as HTTP cookies but are less well understood and
combated by users. It found that they did this even for users who
had opted out of HTTP cookie tracking.
"Some top 100 websites are circumventing user deletion of HTTP
cookies by respawning them using Flash cookies with identical
values," said the report. "Even when a user obtains a NAI opt-out
cookie, Flash cookies are employed for unique user tracking. These
experiences are not consonant with user expectations of private
browsing and deleting cookies."
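
A check for the respawning behaviour the report describes, as an added example that is not code from the researchers or from this article. It assumes you have snapshots of the browser's HTTP cookies from before deletion and after revisiting the site, plus the raw bytes of the Flash cookie (.sol) files, and that the identifier is stored there as plain text. All domains, names and values below are constructed.

```python
MIN_LEN = 8  # ignore short values ("1", "en") that match by coincidence


def find_respawned(before, after, lso_blobs, min_len=MIN_LEN):
    """Flag HTTP cookies that returned with their old value after deletion
    and whose value also appears inside a Flash cookie file.

    before / after: {(domain, name): value} HTTP cookie snapshots taken
                    before deletion and after revisiting the site.
    lso_blobs:      {path: bytes} raw contents of Flash .sol files.
    """
    findings = []
    for key, value in sorted(after.items()):
        if before.get(key) != value or len(value) < min_len:
            continue  # fresh identifier, or too short to be meaningful
        needle = value.encode("utf-8")
        sources = sorted(p for p, blob in lso_blobs.items() if needle in blob)
        if sources:
            findings.append({"domain": key[0], "cookie": key[1],
                             "value": value, "lso_files": sources})
    return findings


# Constructed sample data (not taken from any real site).
BEFORE = {
    ("ads.example", "uid"): "a81f3c9e27d04b56",
    ("news.example", "lang"): "en",
    ("shop.example", "sid"): "77c0d1e2f3a4b5c6",
}
AFTER = {
    ("ads.example", "uid"): "a81f3c9e27d04b56",   # same ID came back
    ("news.example", "lang"): "en",               # preference, not an ID
    ("shop.example", "sid"): "0f9e8d7c6b5a4321",  # new session, not respawned
}
# Simplified stand-ins for .sol contents, not byte-exact Flash files.
LSO_BLOBS = {
    "ads.example/tracker.sol": b"\x00\xbfTCSO\x00uid\x02\x00\x10"
                               + b"a81f3c9e27d04b56" + b"\x00",
    "shop.example/prefs.sol": b"\x00\xbfTCSO\x00volume\x00\x00",
}

if __name__ == "__main__":
    for f in find_respawned(BEFORE, AFTER, LSO_BLOBS):
        print(f"{f['domain']} cookie {f['cookie']!r} respawned "
              f"from {', '.join(f['lso_files'])}")
```
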
Struan Robertson, a technology lawyer
with Pinsent Masons, the law firm behind OUT-LAW.COM, said that the
widespread use of Flash cookies is a worry.
"The concern here is stealth tracking," he said. "Even people
who go out of their way to control their use of cookies don't know
this is happening and can't control Flash cookies in their
browsers. That is not compatible with the transparency and fairness
that Europe's data protection laws expect."
"Website operators in Europe will break the law if they put
Flash cookies on visitors' machines without disclosing what they're
doing in their website privacy policies and without giving the user
the opportunity to opt-out."
The UK's Privacy and Electronic Communications Regulations say
that a company must not use the internet "to store information, or
to gain access to information stored" on someone's computer unless
that person is given "clear and comprehensive information about the
purposes of the storage of, or access to, that information" and "is
given the opportunity to refuse the storage of or access to that
information." Equivalent laws are in place across the European
Union.
Digital rights group the Electronic Frontier Foundation's Seth
Schoen said that Adobe itself could fix the problem.
"Browser developers should do more to let users understand and
control how they're being tracked," said Schoen. "Unfortunately,
Adobe has made that extremely difficult with regard to Flash
cookies, since they're stored outside of the browser's control, and
since the official Flash plug-in isn't open source, users can't
easily fix this for themselves … Adobe could help by ensuring their
cookie system follows the browser's privacy setting."