Attack of the Flash cookie zombies

Adobe Flash cookies are at the heart of three federal lawsuits alleging they violate your privacy and help advertisers track you across the Web

Don't look now, but the Flash zombies are after you.

This week, privacy attorney Joseph Malley filed his third lawsuit against major media sites and their ad firms, accusing them of using Flash cookies to illegally collect information about visitors to their websites.

[ Get the spin on key tech news that you'll find nowhere else at InfoWorld's Tech Watch blog. | For a humorous take on the tech industry's shenanigans, subscribe to Robert X. Cringely's Notes from the Underground newsletter. ]

Malley's defendants aren't exactly Joe Blows -- they're deep-pocketed media companies like ABC, NBC, Disney, and MTV, as well as their respective advertising partners (Quantcast, Clearspring, Specificmedia). All of them use a feature built into Adobe Flash that can set cookies when you load a Flash media file into your browser, which, these days, happens almost any time you view a page with a video ad.

Unlike normal cookies, Flash cookies can "respawn," even after you think you've cleared a website's cookies from your machine. That's why they're called "zombies" -- they come back from the dead to eat brains.

Per's Ryan Singel:

Unlike traditional browser cookies, Flash cookies are relatively unknown to Web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not....

QuantCast was using the same user ID in its HTML and Flash cookies, and when a user got rid of the former, Quantcast would reach into the Flash storage bin, retrieve the user's old number and reapply it so the customer's browsing history around the net would not be cut off.

After Berkeley researcher Ashkan Soltani published a report detailing the use of Flash cookies on the world's biggest websites, Quantcast says it discontinued the use of them, though that wasn't enough to keep it from getting sued.

Unlike normal browser cookies, which max out at 4K, flash cookies can store up to 100K of information. That's enough for about 30 pages of single-spaced plain text.

Most of the time, Flash cookies contain extremely basic info -- like an ID number that tells a website you've been there before, or your preferred volume settings for a video. Sometimes they can store a lot more, like cached media or information that can be used to track you as you go from site to site across the InterWebs.

And that's where Malley's suit comes in. He's accusing these sites of illegally storing information without informing consumers they were doing so.

What's wrong with tracking people across the Web? Nothing -- if you ask advertisers.

The advertisers say that they a) collect this data anonymously and b) can use it to deliver more targeted (and thus more "interesting") ads. If you're shopping for a car on, say,, and you visit another site that uses the same ad network, it can show you ads for cars there, too, even if the site has nothing to do with automobiles, because it knows where you've been and what you've done. Ad companies can also attach other values to your cookie -- like, you're interested in sports, or you buy a lot of flowers, or you really like watching videos of cats singing opera.

Of course, to many people, the idea of anything following you across the Web, even anonymously, is just creepy.

Imagine a tiny man in a trenchcoat and a porkpie hat following you as you spend a busy day -- going to the bank, getting a haircut, wandering through the mall, stopping by your local for a cold one, and so on. The little man doesn't say a word, but every time you reach someplace new he takes out a stubby little pencil and jots down the address in his notebook.

Of course, he doesn't know your name, so everything's OK, right? Later you get coupons for haircuts and beer in the mail.

You can control Flash cookies, kinda/sorta. Adobe provides a Web page that uses a Flash plug-in (naturally) where you can turn these cookies on or off, control how much storage they use, and delete specific cookies. Good luck figuring out how to use it.

Just what we needed: Another Internet privacy threat to worry about. I guess this must be the year for them.

Do you worry about Flash cookies? What privacy threats really bother you? Post your hopes and fears below or email me:

This article, "Attack of the Flash cookie zombies," was originally published at Follow the crazy twists and turns of the tech industry with Robert X. Cringeley's Notes from the Field blog, and subscribe to Cringely's Notes from the Underground newsletter.

Copyright © 2010 IDG Communications, Inc.

InfoWorld Technology of the Year Awards 2023. Now open for entries!