Adobe Flash cookies pose vexing privacy questions

Users can still be tracked even if they delete their HTTP cookies since Adobe's Flash plug-in stores data

Adobe's Flash program is being used on heavily trafficked Web sites to collect information on how people navigate those sites even if people believe they've restricted the data collection, according to a new study.

The study comes as the U.S. government is evaluating how it uses cookies on its own Web sites. A cookie is a small piece of data that can record how a person has used the site. The information can be used to track, for example, how many times an advertisement has been viewed, allow someone to stay logged into a Web site or track the items in an online shopping cart.

[ Discover what's new in business applications with InfoWorld's Technology: Applications newsletter and Killer Apps blog. ]

Cookies don't identify individual users, but many users choose to restrict cookies through their Web browser preferences. Although cookie data is anonymous, some users worry about third-party advertising networks, for example, collecting data and building profiles.

Adobe's Flash program plug-in, which is used to view multimedia content and is installed on millions of computers worldwide, also stores cookies for user preferences such as the volume level of a video, wrote the researchers.

Many Web sites will use both HTTP and Flash cookies. Of six government Web sites studied, three used Flash cookies, including whitehouse.gov. The U.S. government requires a "compelling need" to use so-called persistent cookies -- which either must be deleted or expire to disappear -- on its Web sites, the researchers wrote.

But if a user deletes the HTTP cookies, the Flash cookie in some cases will recreate, or "respawn" those cookies, jeopardizing the privacy the user had attempted to preserve. Many of the top 100 Web sites will respawn HTTP cookies, the researchers wrote.

"That means that privacy-sensitive consumers who 'toss' their HTTP cookies to prevent tracking or remain anonymous are still being uniquely identified online by advertising companies," according to the study.

Many Web sites do not disclose their use of Flash in their privacy policies, they wrote. "Since users do not know about Flash cookies, it stands to reason that users lack knowledge to properly manage them," the paper said.

Flash cookies can hang around longer, too. They have no expiration date by default, they're stored in a different location than HTTP cookies and can contain up to 100KB of information, whereas HTTP cookies can only have 4KB.

"These differences make Flash cookies a more resilient technology for tracking than HTTP cookies and creates an area of uncertainty for user privacy control," the researchers wrote.

Online advertising companies, however, have embraced Flash cookies since many people regularly delete HTTP cookies. Since those cookies are used to detect repeat visitors to Web site, they're important to getting accurate traffic counts. False traffic counts -- or the counting of repeat visitors as unique visitors -- results in advertisers overpaying.

The study found that companies and platforms such as ClearSpring, Iesnare, InterClick, ScanScout, SpecificClick, QuantCast, VideoEgg and Vizu will set both third-party HTTP and Flash cookies.

Flash cookies can't be managed through Web browsers, but Adobe has a set up a Web page with an applet where people can delete Flash cookies and set preferences, such as not allowing the storage of third-party Flash content.

Still, the researchers argue that the Adobe's process is "not consonant with user expectations of private browsing and deleting cookies" and should be integrated closer into browser tools.

The study was written by Ashkan Soltani, Shannon Canty, Quentin Mayo, Lauren Thomas, and Chris Jay Hoofnagle.