Flash Cookies Track Even Privacy-conscious Surfers, Study Finds

Flash cookies placed by many of the most popular Web sites are being used to track site visitors, even going so far as to re-create http tracking cookies after they're deleted by privacy-conscious surfers.

A new study released by researchers at the University of California, Berkeley, and other universities found that the Flash cookies, or local shared objects, are used on 54 of the top 100 Web sites, as ranked by Quantcast. The Flash cookies are stored in a different location than regular http cookies, and are not removed if you delete cookies from within your browser. Per the report, "even the 'Private Browsing' mode recently added to most browsers such as Internet Explorer 8 and Firefox 3 still allows Flash cookies to operate fully and track the user."

As with http cookies, Flash cookies often serve a useful, legit purpose, such as storing user preferences. The study mentions two examples: saving a volume preference for Flash video and caching a music file for better playback over a shaky network connection.

But the study, which analyzed the privacy policies and cookie (both Flash and http) usage on the top 100 Web sites, found that many sites are using Flash cookies in a decidedly underhanded way. Flash cookies can be used to store the same unique identifier used by an http cookie to track visitors, according to the study. And in some cases, Flash cookies that store the same unique ID as an http tracking cookie are used to re-create the http cookie if it's deleted.

That sneaky step, which the study found was typically performed by third-party advertising on a site rather than the site itself, allows for tracking privacy-minded surfers who delete http cookies in an attempt to remain anonymous and avoid tracking.
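The matching-ID and re-creation behavior described above can be checked from three snapshots of a browser profile. The following is an added example, not code from the study or this article; the snapshot layout, domains and values are constructed, and the minimum-length threshold is an assumption.

```python
# Added example: audit browser snapshots for Flash-backed cookie re-creation.
# Snapshot layout, domains and values are constructed for illustration.
MIN_ID_LEN = 8  # assumption: shorter values ("en", "80") match by coincidence

# (domain, cookie name) -> value, captured before the user clears cookies
BEFORE = {
    ("ads.example", "uid"): "a81f3c9d7e2b4f60",
    ("news.example", "session"): "5d0c77e1b9a24c13",
    ("news.example", "lang"): "en",
}
# (domain, .sol file, field) -> value, read from the Flash local shared objects
LSOS = {
    ("ads.example", "tracker.sol", "uid"): "a81f3c9d7e2b4f60",
    ("news.example", "player.sol", "volume"): "80",
}
# Same cookie jar after clearing cookies and revisiting the same pages
AFTER = {
    ("ads.example", "uid"): "a81f3c9d7e2b4f60",
    ("news.example", "session"): "c4e19a0277f3485b",
    ("news.example", "lang"): "en",
}


def shared_ids(cookies, lsos):
    """Pairs where a Flash LSO field stores the same identifier as a cookie."""
    return sorted(
        (ckey, lkey)
        for ckey, cval in cookies.items()
        for lkey, lval in lsos.items()
        if cval == lval and len(cval) >= MIN_ID_LEN
    )


def respawned(before, after, lsos):
    """Cookies that returned with their old value after deletion while that
    value was also held in a Flash LSO."""
    lso_values = set(lsos.values())
    return sorted(
        key
        for key, old in before.items()
        if len(old) >= MIN_ID_LEN and after.get(key) == old and old in lso_values
    )


if __name__ == "__main__":
    print("shared:", shared_ids(BEFORE, LSOS))
    print("respawned:", respawned(BEFORE, AFTER, LSOS))
```

The `lang` cookie also returns unchanged, but it is a short preference value with no Flash counterpart, so it is not flagged.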

While standard cookie-clearing methods don't get rid of Flash cookies, the report mentions a free Firefox add-on called Better Privacy that can easily nix them. I've been using the add-on myself since talking previously with Ashkan Soltani, one of the report's authors (Shannon Canty, Quentin Mayo, Lauren Thomas and Chris Jay Hoofnagle are the other authors), and currently have it set to automatically delete Flash cookies when I close Firefox.

You can also access Flash privacy settings by heading to an Adobe Web site which displays your various Flash settings embedded on the Web page. Per the report, turning off the "Allow third-party Flash content" option didn't cause any problems with 84 out of the 100 tested Web sites, but nine of the sites would no longer display Flash content.
