[Infowarrior] - Beware Flash Cookies
Richard Forno
rforno at infowarrior.org
Mon Aug 17 17:28:36 UTC 2009
Epicenter The Business of Tech
You Deleted Your Cookies? Think Again
* By Ryan Singel
* August 10, 2009
* 7:39 pm
* Categories: Advertising
http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/
More than half of the internet’s top websites use a little known
capability of Adobe’s Flash plug-in to track users and store
information about them, but only four of them mention the so-called
Flash Cookies in their privacy policies, UC Berkeley researchers
reported Monday.
Unlike traditional browser cookies, Flash cookies are relatively
unknown to web users, and they are not controlled through the cookie
privacy controls in a browser. That means even if a user thinks they
have cleared their computer of tracking objects, they most likely have
not.
What’s even sneakier?
Several services even use the surreptitious data storage to reinstate
traditional cookies that a user deleted, which is called ‘re-spawning’
in homage to video games where zombies come back to life even after
being “killed,” the report found. So even if a user gets rid of a
website’s tracking cookie, that cookie’s unique ID will be assigned
back to a new cookie again using the Flash data as the “backup.”
Even the Whitehouse.gov showed up in the report, with researchers
reporting they found a Flash cookie with the name “userId.” The site
does say in its privacy policy that it uses tracking technology but it
does not mention Flash or tell users how to get rid of the Flash cookie.
The report is being submitted Monday as a comment in the government’s
proceeding about the use of cookies on federal websites. Federal
websites have traditionally been banned from using tracking cookies,
despite being common around the web — a situation the Obama
administration is proposing to change as part of an attempt to
modernize government websites.
But the debate shouldn’t be about allowing browser cookies or not,
according to Ashkan Soltani, a UC Berkeley graduate student who helped
lead the study.
“If users don’t want to be tracked and there is a problem with
tracking, then we should regulate tracking, not regulate cookies,”
Soltani said.
The study also comes as Congress and federal regulators are looking at
ways of reining in the online tracking and advertising industry, whose
attempts at self-regulation have conspicuously failed to make the
industry transparent about when, how and why it collects data about
internet users.
Websites and advertisers track users closely in order to improve
services and to prove to advertisers that an ad has been shown one
time to 1 million users, and not 10 times to the same 100,000 people.
Ad networks also collect the information in order to segment users
into different groups, such as “car fanatic” or “fashionista,” in
order to charge advertisers a premium for reaching just the slice of
the populace that the company thinks will be most receptive to its ad.
Smelling possible regulation coming, third party ad networks recently
agreed to an updated voluntary code of conduct, though it prohibits
little and has no enforcement mechanism. For instance, when it comes
to sensitive health information, the networks are free to collect as
much information as they like, so long as it does not involve an
actual prescription.
Soltani led a summer research team at Berkeley, under the direction of
Chris Hoofnagle, the Director of Information Privacy Programs at the
Berkeley Center for Law and Technology. The team tested the top 100
sites to see what their privacy policies said, what their tracking
technology actually does and what happens if a user blocks the Flash
cookie.
The study found that 54 of the top 100 set Flash cookies, which vary
from simply setting audio preferences to tracking users by a unique
identifier. Wired.com, for instance, placed one on this writer’s work
computer to set the volume of a video player.
Adobe’s Flash software is installed on an estimated 98 percent of
personal computers, and has been a key component in the explosion of
online video, powering video players for sites such as YouTube and Hulu.
Websites can store up to 100K of information in the plug-in, 25 times
what a browser cookie can hold. Sites like Pandora.com also use
Flash’s storage capability to preload portions of songs or videos to
ensure smooth playback.
All modern browsers now include fine-grained controls to let users
decide what cookies to accept and which to get rid of, but Flash
cookies are handled differently. These are fixed through a web page on
Adobe’s site, where the controls are not easily understood (There is a
panel for Global Privacy Settings and another for Website Privacy
Settings — the difference is unclear). In fact, the controls are so
odd, the page has to tell you that it is the control, not just a
tutorial on how to use the control.
This so-called behavioral targeting is coming under scrutiny, in part
since Google bought one of the largest practitioners — DoubleClick —
and recently announced it would start using its troves of user data to
deliver targeted ads. Its main money makers, the small text ads next
to search results and on websites across the net, simply rely on the
words in a search or on a webpage to place ads, a tactic known as
contextual ads.
Defenders of behavioral ads say that privacy shouldn’t be a concern
since cookies really identify a browser, not a person. Moreover, they
argue that users would prefer to have relevant ads. Targeted
Behavioral Ads could also help save online journalism. Under this
theory, Google text ads don’t work on a news story about the governor
raising the sales tax, since there’s no product that goes with that
context. But if the site knew the reader was in the market for a car,
it could show an ad for the new Lexus and earn much more.
The report names two companies, Clearspring and QuantCast, as
companies whose technologies reinstate cookies for other websites.
Clearspring, the makers of the popular AddThis tool that lets users
share a link by e-mail or on social networking sites, used its Flash
cookie to reinstate deleted browser cookies for AOL.com, Answers.com
and Mapquest.com, according to the report.
The company defends its behavior, saying everyone uses Flash cookies
these days, that it discloses its use of Flash in its privacy policy
and that the copying of data back into cookies is simply a way to
speed up pages by transferring data into HTML cookies, which browsers
read faster.
Clearspring’s AddThis tool is used by more than 300,000 publishers and
the company collects data on some 525 million unique internet users
monthly, according to Clearspring CEO Hooman Radfar. The data will
soon be used to personalize the AddThis widget, making it so that a
user who has previously shared a story by Twitter and Friendfeed will
see those options first, rather than social networks he doesn’t use.
“We have the president, the pope and the queen of England using us,”
Hooman told Wired.com in an interview a few weeks ago. “If they can
trust us, then you can.”
Tools:
Users who want to control or investigate Flash cookies have several
options, according to reader Brian Carpenter:
Windows:
* Better Privacy extension for Firefox -
https://addons.mozilla.org/en-US/firefox/addon/6623
* Ccleaner - http://www.ccleaner.com/
Mac OS X:
http://machacks.tv/2009/01/27/flushapp-flash-cookie-removal-tool-for-os-x/
Where to find these flash cookies:
* Windows: LSO files are stored typically with a “.SOL” extension,
within each user’s Application Data directory, under
Macromedia\FlashPlayer\#SharedObjects.
* Mac OS X: For Web sites, ~/Library/Preferences/Macromedia/FlashPlayer.
For AIR Applications, ~/Library/Preferences/[package name (ID) of your app]
and ~/Library/Preferences/Macromedia/FlashPlayer/macromedia.com/Support/flashplayer/sys
* GNU-Linux: ~/.macromedia
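Added example (not part of the article or of the list post): a Python sketch that inventories .sol files under the locations listed above and groups them by the site that set them, so a user can see what survived a browser cookie purge. The function names, the #SharedObjects/<random dir>/<site> directory layout and the LSO header layout are assumptions based on the publicly documented file format, not details from the article; the sample tree in demo() is constructed.

```python
import os
import struct
import tempfile
from collections import defaultdict
from pathlib import Path

def flash_roots(home, appdata=None):
    """Storage roots from the article: Mac OS X, GNU/Linux, Windows Application Data."""
    roots = [home / "Library" / "Preferences" / "Macromedia", home / ".macromedia"]
    if appdata:
        roots.append(Path(appdata) / "Macromedia")
    return [r for r in roots if r.is_dir()]

def lso_name(path):
    """Object name from the header (assumed: 00 BF, u32 len, 'TCSO', 6 bytes, u16 n, name)."""
    with open(path, "rb") as fh:
        head = fh.read(18)
        if len(head) < 18 or head[:2] != b"\x00\xbf" or head[6:10] != b"TCSO":
            return None  # has a .sol extension but is not a shared object
        (n,) = struct.unpack(">H", head[16:18])
        return fh.read(n).decode("utf-8", "replace")

def site_of(path):
    """Assumed layout: .../#SharedObjects/<random dir>/<site>/.../<file>.sol"""
    parts = path.parts
    i = parts.index("#SharedObjects") if "#SharedObjects" in parts else None
    return parts[i + 2] if i is not None and len(parts) > i + 3 else "(unknown)"

def inventory(roots):
    """Map site -> [(path, object name, size in bytes)] for every .sol file found."""
    found = defaultdict(list)
    for root in roots:
        for p in root.rglob("*"):
            if p.is_file() and p.suffix.lower() == ".sol":
                found[site_of(p)].append((p, lso_name(p), p.stat().st_size))
    return dict(found)

def demo():
    """Inventory a constructed Linux-style tree (sample data, not a real profile)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        d = home / ".macromedia" / "Flash_Player" / "#SharedObjects" / "AB12CD34" / "tracker.example"
        d.mkdir(parents=True)
        body = b"TCSO\x00\x04\x00\x00\x00\x00" + struct.pack(">H", 6) + b"userId" + b"\x00" * 4
        (d / "userId.sol").write_bytes(b"\x00\xbf" + struct.pack(">I", len(body)) + body)
        inv = inventory(flash_roots(home))
        return {s: [(p.name, n, sz) for p, n, sz in v] for s, v in inv.items()}

if __name__ == "__main__":
    print(inventory(flash_roots(Path.home(), os.environ.get("APPDATA"))))
```

Files that fall outside a #SharedObjects directory, such as the per-site settings under the sys path, are reported under "(unknown)".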
Update: 8/11/2009 - This story was updated to include more statistics
on Flash cookies and to note that Wired.com uses one.
Photo: Fake Zombies attacking an innocent driver. Andy330/Flickr