
New Study Shows Persistence Of ‘Flash Cookies’


The tracking uses of so-called “Flash cookies,” the data packets stored in the computers of users of Adobe (NSDQ: ADBE) Flash Player, started getting a lot more attention last year, when they were the focus of an article about online privacy in the Wall Street Journal, as well as several lawsuits. They were also mentioned as a privacy problem last month by the Federal Trade Commission.

The results from a new study suggest that “re-spawning,” one of the more troublesome practices around Flash cookies, is declining. But the same study showed that about 10 percent of the most-popular web sites may still be using Flash cookies to track users — and none of the companies that run those web sites would discuss what they’re using the cookies for. There is a lot of debate about just how widespread Flash cookies are, and this study helps fill in some numbers around that question.

The study, conducted by researchers at Carnegie Mellon University, tested all of the 100 most popular websites as well as 500 randomly selected websites. Adobe commissioned the study as a follow-up to the widely read 2009 UC Berkeley study that broke the news about Flash cookie tracking in the first place; the CMU researcher in charge of the study assured me that Adobe had no influence in determining the methodology or results of the study.

Adobe has condemned the use of Flash cookies, which it calls Local Storage Objects, for tracking purposes, and recently rolled out changes that will simplify Flash’s privacy options for users. Adobe has estimated that Flash Player is installed on 98 percent of internet-connected computers.

Here are the study’s most important findings:

»  “Re-spawning” of cookies is on the way out. Both HTTP cookies and Flash cookies can be used to track an internet user’s browsing behavior and other factors. But whereas it’s relatively straightforward to delete all the HTTP cookies from a web browser, clearing out the data stored by Adobe Flash Player is, for now, still a much more complicated process, and few users know that Flash cookies exist to begin with. In the past, at least some ad networks engaged in a process called “re-spawning,” which is when a publisher or ad network actually uses a Flash cookie to re-create the information in an HTTP cookie after a user deletes his or her HTTP cookies. Re-spawning is considered a privacy problem because it’s presumed the user might be deleting HTTP cookies to protect privacy in the first place.

The study found that none of the 500 random sites engaged in re-spawning, and only two of the 100 most-popular sites engaged in re-spawning. Contacted by the Center for Democracy and Technology (CDT), a privacy advocacy group that helped with the study, one of the re-spawners stopped the practice after an internal review. The second re-spawner didn’t respond to CDT’s inquiry but stopped the practice on its own. The study doesn’t name the websites that engaged in re-spawning.

When the UC Berkeley Flash cookie study came out in 2009, it found that four out of the 100 websites it studied used Flash cookies to engage in re-spawning. That study used a somewhat different methodology, so it’s not an apples-to-apples comparison, but it does suggest that the re-spawning problem is decreasing. A post on Adobe’s corporate blog referencing the CMU study focuses on this aspect of the study, which is good news from a user-privacy perspective.
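To make the re-spawning behavior described above concrete, here is an added audit sketch (not code from the CMU or UC Berkeley studies) that flags an HTTP cookie as re-spawned when it returns with its old value after deletion and that value is also present in a Flash cookie. The snapshot layout, the `MIN_ID_LEN` threshold, the function names, and all sample values are assumptions constructed for illustration; the Flash data is assumed to be already parsed into plain dictionaries.

```python
MIN_ID_LEN = 8  # assumption: shorter values are too generic to act as identifiers

# Constructed sample data: (domain, cookie name) -> value
COOKIES_BEFORE = {
    ("ads.example", "uid"): "a81f3c9e77d2",
    ("news.example", "session"): "s-1111aaaa2222",
    ("news.example", "lang"): "en",
}
# Snapshot taken after the user deleted all HTTP cookies and revisited the sites
COOKIES_AFTER_CLEAR = {
    ("ads.example", "uid"): "a81f3c9e77d2",        # same value came back
    ("news.example", "session"): "s-9999bbbb0000",  # fresh value issued
    ("news.example", "lang"): "en",                 # default setting, not an ID
}
# Flash cookie contents that survived the HTTP cookie deletion (already parsed)
LSO_STORE = {
    "ads.example/tracker.sol": {"uid": "a81f3c9e77d2", "volume": 80},
    "game.example/score.sol": {"highscore": 1200},
}


def lso_strings(lso_store):
    """Map every identifier-length string found in the Flash data to its files."""
    found = {}
    for path, fields in lso_store.items():
        for value in fields.values():
            if isinstance(value, str) and len(value) >= MIN_ID_LEN:
                found.setdefault(value, []).append(path)
    return found


def find_respawned(before, after_clear, lso_store):
    """Return cookies that reappeared unchanged and match a stored Flash value."""
    lso_values = lso_strings(lso_store)
    findings = []
    for (domain, name), old_value in before.items():
        if after_clear.get((domain, name)) != old_value:
            continue  # cookie stayed deleted or received a new identifier
        if old_value in lso_values:  # short values never enter lso_values
            findings.append({"domain": domain, "cookie": name,
                             "value": old_value, "lso": lso_values[old_value]})
    return findings


if __name__ == "__main__":
    for hit in find_respawned(COOKIES_BEFORE, COOKIES_AFTER_CLEAR, LSO_STORE):
        print("re-spawned:", hit)
```

A cookie such as `lang=en` also returns with the same value, but it is not flagged because nothing in the Flash data carries it; matching against the surviving Flash storage is what separates re-spawning from a site simply setting the same default again.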

»  A significant group of web publishers still won’t say if they’re using Flash cookies for tracking. Out of the 100 popular websites, 11 websites used Local Storage Objects to collect what the study authors called “unique identifiers,” and 17 of the 500 randomly selected websites engaged in the practice; all but one through third parties (typically ad networks). LSOs with unique identifiers can be used for benign purposes, such as keeping track of someone’s score in a game that uses Flash, but they could also be used as a powerful form of tracking users. “Without visibility into back-end databases, it is difficult to determine how unique identifiers are used,” write the authors.

But here’s an interesting fact about the study: the Center for Democracy and Technology contacted all of the companies whose websites use LSOs with unique identifiers, as well as some related sites, hoping to learn more about their use. They contacted companies connected to 28 sites in all asking about how they were using Flash cookies, and not one was willing to say anything. That shows what a hot topic online tracking has become, and it suggests that at least some of those websites are partnering with ad networks or analytics companies that are using those Flash cookies for tracking.

“It’s troubling that websites are trying to find ways of thwarting users who are purposefully deleting their cookies, and trying to find ways of tracking them anyway,” says Lorrie Cranor, an Associate Professor of Computer Science at CMU who authored the study. The full study is available on CMU’s website.

Update: Privacy researcher Chris Soghoian has a more critical view of this study, and shared some of his thoughts today in an open letter to Adobe, published on his blog.