More than half of the internet’s top websites use a little known capability of Adobe’s Flash plug-in to track users and store information about them, but only four of them mention the so-called Flash cookies in their privacy policies, UC Berkeley researchers reported Monday.

Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not.

What’s even sneakier?

Several services even use the surreptitious data storage to reinstate traditional cookies that a user deleted, which is called ‘re-spawning’ in homage to video games where zombies come back to life even after being “killed,” the report found. So even if a user gets rid of a website’s tracking cookie, that cookie’s unique ID will be assigned back to a new cookie again using the Flash data as the “backup.”

Even Whitehouse.gov showed up in the report, with researchers reporting they found a Flash cookie with the name “userId.” The site does say in its privacy policy that it uses tracking technology but it does not mention Flash or tell users how to get rid of the Flash cookie.

The report is being submitted Monday as a comment in the government’s proceeding about the use of cookies on federal websites. Federal websites have traditionally been banned from using tracking cookies, despite such cookies being common around the web — a situation the Obama administration is proposing to change as part of an attempt to modernize government websites.

But the debate shouldn’t be about allowing browser cookies or not, according to Ashkan Soltani, a UC Berkeley graduate student who helped lead the study.

“If users don’t want to be tracked and there is a problem with tracking, then we should regulate tracking, not regulate cookies,” Soltani said.



The study also comes as Congress and federal regulators are looking at ways of reining in the online tracking and advertising industry, whose attempts at self-regulation have conspicuously failed to make the industry transparent about when, how and why it collects data about internet users.

Websites and advertisers track users closely in order to improve services and to prove to advertisers that an ad has been shown one time to 1 million users, and not 10 times to the same 100,000 people. Ad networks also collect the information in order to segment users into different groups, such as “car fanatic” or “fashionista,” in order to charge advertisers a premium for reaching just the slice of the populace that the company thinks will be most receptive to its ad.

Smelling possible regulation coming, third party ad networks recently agreed to an updated voluntary code of conduct, though it prohibits little and has no enforcement mechanism. For instance, when it comes to sensitive health information, the networks are free to collect as much information as they like, so long as it does not involve an actual prescription.

Soltani led a summer research team at Berkeley, under the direction of Chris Hoofnagle, the Director of Information Privacy Programs at the Berkeley Center for Law and Technology. The team tested the top 100 sites to see what their privacy policies said, what their tracking technology actually does and what happens if a user blocks the Flash cookie.

The study found that 54 of the top 100 set Flash cookies, which vary from simply setting audio preferences to tracking users by a unique identifier. Wired.com, for instance, placed one on this writer’s work computer to set the volume of a video player.

Adobe’s Flash software is installed on an estimated 98 percent of personal computers, and has been a key component in the explosion of online video, powering video players for sites such as YouTube and Hulu.

Websites can store up to 100K of information in the plug-in, 25 times what a browser cookie can hold. Sites like Pandora.com also use Flash’s storage capability to preload portions of songs or videos to ensure smooth playback.

All modern browsers now include fine-grained controls to let users decide what cookies to accept and which to get rid of, but Flash cookies are handled differently. These are fixed through a web page on Adobe’s site, where the controls are not easily understood (There is a panel for Global Privacy Settings and another for Website Privacy Settings — the difference is unclear). In fact, the controls are so odd, the page has to tell you that it is the control, not just a tutorial on how to use the control.

This so-called behavioral targeting is coming under scrutiny, in part since Google bought one of the largest practitioners — DoubleClick — and recently announced it would start using its troves of user data to deliver targeted ads. Its main money makers, the small text ads next to search results and on websites across the net, simply rely on the words in a search or on a webpage to place ads, a tactic known as contextual ads.

Defenders of behavioral ads say that privacy shouldn’t be a concern since cookies really identify a browser, not a person. Moreover, they argue that users would prefer to have relevant ads. Targeted Behavioral Ads could also help save online journalism. Under this theory, Google text ads don’t work on a news story about the governor raising the sales tax, since there’s no product that goes with that context. But if the site knew the reader was in the market for a car, it could show an ad for the new Lexus and earn much more.

The report names two companies, Clearspring and QuantCast, as companies whose technologies reinstate cookies for other websites.

Clearspring, the makers of the popular AddThis tool that lets users share a link by e-mail or on social networking sites, used its Flash cookie to reinstate deleted browser cookies for AOL.com, Answers.com and Mapquest.com, according to the report.

The company defends its behavior, saying everyone uses Flash cookies these days, that it discloses its use of Flash in its privacy policy and that the copying of data back into cookies is simply a way to speed up pages by transferring data into HTML cookies, which browsers read faster.

Clearspring’s AddThis tool is used by more than 300,000 publishers and the company collects data on some 525 million unique internet users monthly, according to Clearspring CEO Hooman Radfar. The data will soon be used to personalize the AddThis widget, making it so that a user who has previously shared a story by Twitter and Friendfeed will see those options first, rather than social networks he doesn’t use.

“We have the president, the pope and the queen of England using us,” Hooman told Wired.com in an interview a few weeks ago. “If they can trust us, then you can.”

Tools:

Users who want to control or investigate Flash cookies have several options, according to reader Brian Carpenter:

Windows:

* Better Privacy extension for Firefox – https://addons.mozilla.org/en-US/firefox/addon/6623

* Ccleaner – http://www.ccleaner.com/

Mac OS X:

http://machacks.tv/2009/01/27/flushapp-flash-cookie-removal-tool-for-os-x/

Where to find these flash cookies:

* Windows: LSO files are stored typically with a “.SOL” extension, within each user’s Application Data directory, under Macromedia\FlashPlayer\#SharedObjects.

* Mac OS X: For Web sites, ~/Library/Preferences/Macromedia/FlashPlayer. For AIR Applications, ~/Library/Preferences/[package name (ID)of your app] and ~/Library/Preferences/Macromedia/FlashPlayer/macromedia.com/Support/flashplayer/sys

* GNU-Linux: ~/.macromedia
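
An added example, not part of the original article or of any tool it names: a Python sketch that lists the .sol files under the locations given above and flags any whose raw bytes contain a browser cookie value you supply, which is the stored "backup" that makes re-spawning possible. It assumes the per-site directory sits two levels below #SharedObjects (a random folder, then the site name) and that values are stored as plain UTF-8 text; the function names are hypothetical.

```python
import os
from pathlib import Path

def default_roots():
    """Storage locations listed in the article, resolved for this user."""
    home = Path.home()
    roots = [home / "Library/Preferences/Macromedia/FlashPlayer",
             home / ".macromedia"]
    appdata = os.environ.get("APPDATA")  # Windows "Application Data"
    if appdata:
        roots.append(Path(appdata) / "Macromedia" / "FlashPlayer" / "#SharedObjects")
    return roots

def site_of(path):
    """Assumed layout: #SharedObjects/<random dir>/<site>/.../<name>.sol"""
    parts = Path(path).parts
    if "#SharedObjects" in parts:
        i = parts.index("#SharedObjects")
        if i + 2 < len(parts) - 1:
            return parts[i + 2]
    return "unknown"

def find_lsos(roots):
    """Return sorted (site, path) pairs for every .sol/.SOL file found."""
    found = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue  # Flash never ran here, or this is another OS's path
        for path in root.rglob("*"):
            if path.is_file() and path.suffix.lower() == ".sol":
                found.append((site_of(path), path))
    return sorted(found)

def respawn_candidates(lsos, cookie_values, min_len=8):
    """Flag LSOs whose bytes contain a browser cookie value."""
    hits = []
    for site, path in lsos:
        data = path.read_bytes()
        for value in cookie_values:
            # Skip short values: they match by coincidence.
            if len(value) >= min_len and value.encode("utf-8") in data:
                hits.append((site, path.name, value))
    return hits

if __name__ == "__main__":
    for site, path in find_lsos(default_roots()):
        print(f"{site}\t{path.stat().st_size} bytes\t{path}")
```

Pass `respawn_candidates` the ID values copied from the browser's own cookie viewer; a hit means deleting the browser cookie alone leaves that identifier recoverable.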

Update: 8/11/2009 – This story was updated to include more statistics on Flash cookies and to note that Wired.com uses one.

Photo: Fake Zombies attacking an innocent driver. Andy330/Flickr
