Legal action on 'zombie cookies' filed in US court By Daniel Emery

Technology reporter, BBC News Published duration 28 July 2010

image caption Zombies always cause trouble, be they computer, network or cookie

A legal challenge has been launched in the US against a number of websites amid claims that they were engaged in "covert surveillance" of users.

The lawsuit alleges that a number of firms, including Hulu, MTV, and Myspace, used a Quantcast Flash application to restore deleted cookies.

Cookies are text files used by web browsers to store user data.

The lawsuit says that the application was creating so-called "zombie cookies" from deleted files.

Quantcast issued a statement to BBC News saying that it was "aware of the lawsuit" and was in the process of assessing it.

"We have a strong history of leadership on privacy and are reviewing this matter carefully," the statement read.

The term "zombie cookie" was coined after the issue of traditional browser cookies being undeleted by Flash was brought to light in a 2009 paper by US researchers.

The study found that more than half of sites surveyed used flash cookies to store information about the user, with some using it to "respawn or re-instantiate cookies deleted by the user".

"Flash cookies often share the same values as browser cookies, and are even used on government websites to assign unique values to users," the paper read.

Users often purge cookies from their browser to save space or cover up browsing history.

However, while most browsers have simple commands to delete text cookies, Flash cookies are neither listed nor controlled by the browser.

"Privacy policies rarely disclose the presence of Flash cookies, and user controls for effectuating privacy preferences are lacking," read the report.

The issue was caused by a Quantcast system that retrieved deleted user data and re-created the cookie.

Critics said this was a serious breach of privacy, because if a user had made a conscious decision to delete a cookie, it should remain deleted.

After the problem was highlighted, Quantcast released a fix, saying that restoring deleted cookies it was an "unintended consequence of trying to measure web traffic".

Writ

However, the lawsuit, brought about by US privacy activist Joseph Malley, states that the practice of re-creating deleted cookies continues and that users were "victims of unfair, deceptive, and unlawful business practices" and "their privacy, financial interests, and computer security rights were violated".

Graham Cluley, senior technology consultant at the internet security firm Sophos, told BBC News that the source of the trouble was Adobe Flash itself, which he called "one of the weirdest programs on the planet".

"I think it's highly unlikely that these large companies have abused Flash cookies - which are different from browser cookies - with malicious intent," he said.

"I think it's much more likely that the vast majority of users are simply oblivious to the bizarre way in which Adobe allows them to configure the software."

While traditional browser cookies can be deleted from a users computer, either through an automatic purge or manual removal, the security settings for Flash are hosted on Adobe's own website, rather than your own computer.

Mr Cluley said that these settings are changed by logging onto Adobe's website, right-clicking on a Flash object and selecting "Global Settings" and then adjusting the security settings via the "Global Privacy Settings" panel.

"It would be unfair to say that the companies running the websites are at fault, in my opinion," he said.

"Surely if they are guilty then so are the web users who chose to run Flash with these settings, and Adobe themselves who chose such a peculiar and downright odd way to configure their software."