Over half of the 100 most popular websites use secret behaviour-tracking software to monitor users, mostly without their knowledge, and in several cases the software recovers information the user has chosen to delete, according to researchers at the University of California, Berkeley, whose findings were reported by the Out-Law.com website.
Small pieces of identifying code hidden in Adobe’s near-ubiquitous Flash media player can be used to track users’ behaviour, the website reported. The pieces of code behave similarly to ‘standard’ cookies and are known as Flash cookies.
Researchers have discovered that Flash cookies can measure and report the behaviour of users even when those users have disabled or deleted standard, or HTTP, cookies. They found that several of the 100 most popular websites have Flash cookies which ‘respawn’ HTTP cookies, meaning they store information and write it back into HTTP cookies when a person revisits the site, even if that person has told their computer to delete HTTP cookies.
“This means that privacy-sensitive consumers who toss their HTTP cookies to prevent tracking or remain anonymous are still being uniquely identified online by advertising companies,” said the researchers in a report on Flash cookies. “Few websites disclose their use of Flash in privacy policies, and many companies using Flash are privacy certified by TRUSTe.”
Cookies are well understood by legislators and authorities who have taken account of them when writing and enforcing privacy laws. Flash cookies are almost unheard of, though, and the report said that this means that users are unable to protect their privacy as much as they might want.
The research found that 54 of the 100 most popular sites used Flash cookies, but that only four sites mention them in their privacy policies.
“Given the different storage characteristics of Flash cookies, without disclosure of Flash cookies in a privacy policy, it is unclear how the average user would even know of the technology,” said the researchers. “This would make privacy self-help impossible except for sophisticated users.”
The report found that on many sites Flash cookies are performing the same functions as HTTP cookies but are less well understood and combated by users. It found that they did this even for users who had opted out of HTTP cookie tracking.
“Some top 100 websites are circumventing user deletion of HTTP cookies by respawning them using Flash cookies with identical values,” said the report. “Even when a user obtains a NAI opt-out cookie, Flash cookies are employed for unique user tracking. These experiences are not consonant with user expectations of private browsing and deleting cookies.”
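The respawning pattern described above (a deleted HTTP cookie returning with an identical value that a Flash cookie also holds) can be checked for mechanically. The following is an added example, not code from the report or from Out-Law.com; the cookie names, file paths and minimum-length threshold are assumptions, and the sample data is constructed.

```python
# Added example: flags HTTP cookies that come back with the same value
# after deletion and whose value is also held in a Flash cookie (LSO).
# All names and sample data below are constructed for illustration.

MIN_ID_LEN = 8  # assumption: shorter values ("1", "en") match by chance


def find_respawned(before, after_revisit, flash_lsos):
    """Return findings for cookies restored with identical values.

    before        -- {name: value} HTTP cookies before the user deleted them
    after_revisit -- {name: value} HTTP cookies seen on the next visit
    flash_lsos    -- {lso_path: {key: value}} decoded Flash cookie contents
    """
    findings = []
    for name, old_value in sorted(before.items()):
        new_value = after_revisit.get(name)
        if new_value != old_value or len(old_value) < MIN_ID_LEN:
            continue  # cookie gone, reissued with a fresh value, or too short
        for path, entries in sorted(flash_lsos.items()):
            for key, stored in sorted(entries.items()):
                if stored == old_value:
                    findings.append({"cookie": name, "value": old_value,
                                     "lso": path, "lso_key": key})
    return findings


# Constructed observations from one hypothetical site visit.
SAMPLE_BEFORE = {"uid": "a91f3c0e77d2", "lang": "en", "session": "s-1001-xyz9"}
SAMPLE_AFTER = {"uid": "a91f3c0e77d2", "lang": "en", "session": "s-2002-qrs4"}
SAMPLE_LSOS = {
    "example.test/tracker.sol": {"userId": "a91f3c0e77d2", "volume": "80"},
    "example.test/player.sol": {"lang": "en"},
}

if __name__ == "__main__":
    for f in find_respawned(SAMPLE_BEFORE, SAMPLE_AFTER, SAMPLE_LSOS):
        print(f"{f['cookie']}={f['value']} restored; also in "
              f"{f['lso']} under '{f['lso_key']}'")
```

In the sample, only `uid` is flagged: `session` was reissued with a fresh value, and `lang` matches a Flash entry but is too short to act as an identifier.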
Struan Robertson, a technology lawyer with Pinsent Masons, the law firm which publishes the Out-Law.com website, said that the widespread use of Flash cookies is a worry.
“The concern here is stealth tracking,” he said. “Even people who go out of their way to control their use of cookies don’t know this is happening and can't control Flash cookies in their browsers. That is not compatible with the transparency and fairness that Europe's data protection laws expect.”
Robertson noted that website operators in Europe “will break the law if they put Flash cookies on visitors’ machines without disclosing what they're doing in their website privacy policies and without giving the user the opportunity to opt-out.”
Seth Schoen of the Electronic Frontier Foundation, a digital rights group, told Out-Law.com that Adobe itself could fix the problem. “Browser developers should do more to let users understand and control how they’re being tracked,” he said. “Unfortunately, Adobe has made that extremely difficult with regard to Flash cookies, since they’re stored outside of the browser’s control, and since the official Flash plug-in isn’t open source, users can’t easily fix this for themselves. Adobe could help by ensuring their cookie system follows the browser’s privacy setting.”