Specificmedia, one of the net's largest ad-serving and tracking companies, has been hit with a federal lawsuit accusing the company of violating computer intrusion laws by secretly re-creating cookies deleted by users.

The lawsuit (.pdf), filed in California's Central District federal court last Wednesday, is the third such suit filed this month by privacy attorney Joseph Malley. The first "zombie" cookie suit targeted sites ranging from MTV to Scribd that used technology from a company called Quantcast, while the second suit went after Disney and Demand Media for their use of similar tech from Clearspring Technologies.

At issue is the use of Adobe Flash to keep copies of a user's browser cookies in order to re-spawn cookies after users clear them. The lawsuits allege that the companies did not explain to users how they were using Flash and that using the storage capabilities of Flash for this purpose violates federal privacy and computer security laws.

The practice first came to light a year ago after privacy researchers at Berkeley produced a report showing that 54 of the top 100 websites used Flash cookies, some of which were used to track users, while others simply set the default volume for streaming videos.

The suit seeks class action status and upwards of $5 million in damages. Malley has a privacy track record that includes suits against online spying company NebuAd and a $9.5 million settlement with Facebook over its ill-received Beacon advertising program.

Specificmedia, which is the largest online ad network not owned by a giant such as Microsoft or Google, did not respond to an e-mail seeking comment, and attempts to reach the company by phone were unsuccessful.

Adobe’s Flash software is installed on an estimate 98 percent of personal computers, and has been a key part of the explosion of online video, powering video players for sites such as YouTube and Hulu.

Websites can store up to 100K of information in the plug-in, 25 times what a browser cookie can hold. Sites like Pandora.com also use Flash’s storage capability to pre-load portions of songs or videos to ensure smooth playback.

Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not.

What's even sneakier?

Several services even use the surreptitious data storage to reinstate traditional cookies that a user deleted, which is called ‘re-spawning’ in homage to video games where players come back to life even after being "killed," the report found. So even if a user gets rid of a website’s tracking cookie, that cookie’s unique ID will be assigned back to a new cookie again using the Flash data as the “backup.”

All modern browsers now include fine-grained controls to let users decide what cookies to accept and which to get rid of, but Flash cookies are handled differently. These are fixed through a web page on Adobe’s site, where the controls are not easily understood (There is a panel for Global Privacy Settings and another for Website Privacy Settings — the difference is unclear). In fact, the controls are so odd, the page has to tell you that it is the control, not just a tutorial on how to use the control.

Those who are looking to have more control over their cookies in all forms can find some help in two add-ons for Firefox: BetterPrivacy and from Abine.

Photo:JGarber/Flickr

Follow us for disruptive tech news: Ryan Singel and Epicenter on Twitter.

See Also: