A huge number of Web sites are employing a little-known tracking mechanism to gather information on visitors and are failing to disclose the practice in their privacy policies, according to a new paper from a group of university researchers. The technique employs cookies generated by the Adobe Flash software and the cookies often have the same value as HTTP cookies, the researchers report.
The paper, titled “Flash Cookies and Privacy,” is the work of a small group of researchers from Berkeley, Clemson, Louisiana State and Jacksonville State. One of the authors is Chris Jay Hoofnagle, a lawyer well-known in the security and privacy communities for his work at EPIC and elsewhere on privacy issues. Some of the sites employing the Flash cookie technique include federal government sites, the authors found.
From their abstract:
We find that more than 50% of the sites in our sample are using flash cookies to store information about the user. Some are using it to ‘respawn’ or re-instantiate HTTP cookies deleted by the user. Flash cookies often share the same values as HTTP cookies, and are even used on government websites to assign unique values to users. Privacy policies rarely disclose the presence of Flash cookies, and user controls for effectuating privacy preferences are lacking.
This is not good news on several different levels. On the most basic level it’s clear evidence that the advertisers, site owners and their affiliates are continuing to look for new, less obvious ways to gather information on site visitors and track their movements around the Web. And, as the authors say in their paper, the Flash cookies in some ways are more effective and insidious than traditional HTTP cookies, which are fairly easy to find and remove.
Flash cookies do not have expiration dates by default, whereas HTTP cookies expire at the end of a session unless programmed to live longer by the domain setting the cookie. Flash cookies are stored in a different location than HTTP cookies,[7] thus users may not know what files to delete in order to eliminate them. Additionally, they are stored so that different browsers and stand-alone Flash widgets installed on a given computer access the same persistent Flash cookies. Flash cookies are not controlled by the browser. Thus erasing HTTP cookies, clearing history, erasing the cache, or choosing a delete private data option within the browser does not affect Flash.
As a part of their research the authors searched the privacy policies of the top 100 Web sites for terms that would indicate the use of Flash cookies and found that only four sites mentioned them. They also discovered that Whitehouse.gov uses Flash to track visitors, and though the site discloses the use of tracking in its privacy policy, it does not mention Flash as the technology.