Eliminate Flash-spawned ‘zombie’ cookies

By Woody Leonhard

Way back in a 2008 column, I spotlighted one of the most insidious and least-known features on the Internet: Adobe Flash cookies that were not subject to the usual cookie rules.

Almost two years later, these special Flash cookies are still living in our PCs, and enterprising privacy-busters now use them to create zombie cookies — regular cookies that come back from the dead.

My Oct. 23, 2008, column, “Flash cookies are putting your privacy at risk,” described how data stored by Adobe’s Flash Player is beyond your browser’s control and how it could store more personal data than you’d suspect.


Flash cookies have now landed their manipulators in troubled waters. Last week, two well-known privacy attorneys, Dallas-based Joseph Malley and California-based David Parisi, filed a lawsuit in U.S. District Court for the Central District of California against Quantcast, a Web page–ranking and audience-statistics firm. (A July 27 Wired Threat Level story on the lawsuit includes a link to a PDF copy of the filed court documents.)

The lawsuit claims class action status and lists additional defendants — a Who’s Who of online players including MySpace, ABC, ESPN, Hulu, JibJab, MTV, NBC Universal, and Scribd.

In the class action complaint, Quantcast “and websites affiliated individually with Quantcast, referred collectively to as, ‘Quantcast Flash Cookie Affiliates,’” are accused of “setting [F]lash cookies on their user’s computers to use as local storage within the [F]lash media player to back up browser cookies for the purposes of restoring them later.”

The complaint goes on to accuse the defendants of setting online tracking devices that let them access and disclose personal information. But while the complaint is complex, the technology that spawned it is surprisingly straightforward.

Flash cookies are the all-pervasive app

In order to understand zombie cookies (yes, that’s the technical name), you need to know about Flash’s Local Shared Objects, or LSOs — the formal name for Flash cookies. My 2008 column goes into detail about LSOs, but the upshot is this: Adobe Flash Player LSOs work much like the cookies maintained by our browsers — they are files that live in our computers and are updated and read by Web pages that we visit.

Since Flash Player runs on more computers than even Windows (!), Flash Cookies are as close to universal as anything on the Internet. Steve Jobs won’t let Flash run on iPads and iPhones, but for just about everything else, there’s a version of Flash.

Like standard cookies, LSOs usually fly under the radar. But they can store significantly more data than the usual cookie. Regular old browser cookies are limited to 4KB in size; LSOs can go up to 100KB. Regular cookies are completely controlled by your browser — you can use your browser to turn them on or off, to delete them, to block them. Not so LSOs. They are controlled by Adobe’s Flash Player, and it’s notoriously difficult to get at them.

While you may not have easy access to Flash LSOs, Web sites do. If you have Adobe Flash installed on your computer, Web pages can set and read Flash cookies — whether the page you’re viewing has a visible Flash animation or not. So while you think you’ve blocked a site’s cookies, it’s entirely possible for the site to use an LSO for the same purpose.

And it’s all hidden under the covers and difficult to turn off unless you run a Flash Cookie blocker (more about which later) or jump through some major hoops.

Cookies that return from the cookie-crusher

Most PC users know the basics of Web cookies. Most have their computers set up to block cookies, block third-party cookies, or delete all cookies when they end a browsing session. It’s all based on your level of paranoia. You may have a spyware scanner that looks for and deletes various types of cookies, particularly from marketing companies such as Doubleclick. Even those of us who allow cookies free rein still delete them from time to time, if only to clear out the cobwebs.

Here’s how zombie cookies reappear.

When you visit Web sites, they often plant cookies on your computer, if they can. But some sites will also stick duplicate cookies into the Flash LSO. When you go back to these sites, they check whether you have their standard cookies stored in your browser. If none are found, they then check whether there are any doppelgänger cookies in the Flash LSO. And if they find any, the sites reconstruct their original cookies and stick them back into your PC. Very clever.

Zombie cookies are scary because they provide online companies with a secret way to keep tabs on people and their Web-surfing proclivities. Unless you check your browser’s list of cookies regularly, you may never know that these resurrected tracking cookies are back in business.
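One way to check for the duplicate copies described above is to search Flash's LSO files for values that also appear in your browser cookies. The following is an added example, not code from the original column: the function names are hypothetical, the sample files are constructed, and it assumes the usual Flash Player layout of random-ID folder, then site domain, then .sol file, searching raw bytes rather than parsing the LSO format.

```python
import os
import tempfile
from pathlib import Path

MIN_LEN = 8  # skip short cookie values that would match by chance

def lso_site(sol_path, root):
    """Site name from the assumed layout <root>/<random id>/<site>/.../<name>.sol."""
    parts = Path(sol_path).relative_to(root).parts
    return parts[1] if len(parts) > 2 else "(unknown)"

def find_respawn_candidates(lso_root, browser_cookies):
    """Return sorted (site, LSO file name, cookie name) for every LSO whose raw
    bytes contain a browser cookie value. browser_cookies maps name -> value."""
    hits = []
    for dirpath, _dirs, files in os.walk(lso_root):
        for fname in files:
            if not fname.lower().endswith(".sol"):
                continue
            path = Path(dirpath) / fname
            data = path.read_bytes()
            for name, value in browser_cookies.items():
                if len(value) >= MIN_LEN and value.encode("utf-8") in data:
                    hits.append((lso_site(path, lso_root), fname, name))
    return sorted(hits)

def build_sample_store(root):
    """Constructed sample data: two stand-in .sol files and a small cookie jar."""
    tracker = Path(root) / "ABCD1234" / "tracker.example" / "store.sol"
    player = Path(root) / "ABCD1234" / "video.example" / "settings.sol"
    for p in (tracker, player):
        p.parent.mkdir(parents=True)
    # Not valid LSO files: just enough bytes to carry (or not carry) the cookie ID.
    tracker.write_bytes(b"\x00\xbfTCSO\x00\x03uid\x02\x00\x10" b"4c2f9a1be07d5533")
    player.write_bytes(b"\x00\xbfTCSO\x00\x06volume\x00")
    return {"uid": "4c2f9a1be07d5533", "lang": "en"}

def demo():
    with tempfile.TemporaryDirectory() as root:
        cookies = build_sample_store(root)
        return find_respawn_candidates(root, cookies)

if __name__ == "__main__":
    for site, fname, cookie in demo():
        print(f"{site}: {fname} holds a copy of browser cookie '{cookie}'")
```

On a Windows PC the LSO store is typically found under %APPDATA%\Macromedia\Flash Player\#SharedObjects. A match means the site can rebuild that cookie after you delete it, so clear the LSO along with the cookie.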

Where companies like Quantcast come into play

Data-gathering companies such as Quantcast make money selling information about people who visit Web sites. According to Quantcast’s own site, “Millions of Web site owners, including two-thirds of the Online Publisher’s Association, use Quantcast’s measurement service to create demographic, geographic, and affinity-based audience profiles.” And the cookies placed on your PC can be used as sophisticated monitoring tools.

Curious about what’s gathered? You can take a free ride with the Quantcast demo.

I ran a Quantcast analysis for U.S.-based visitors to our site, windowssecrets.com, in May of this year. The results appear in Figure 1. You should take the results with a grain of salt, of course.

Figure 1. Quantcast demographics for windowssecrets.com. According to Quantcast, 86% of those who visit the Windows Secrets site have no kids under 18; 19% make more than $100,000 per year; and 17% at least walked through part of grad school.

It’s in the best interest of these companies to continually gather data about Web-site visitors. Cookies, as already mentioned, are a key part of that process. Zombie cookies undoubtedly contribute to keeping these tracking cookies alive for as long as possible.

Take control of Flash cookies with PC cleaners

Controlling Flash LSOs, and thus eliminating zombie cookies, is a pain in the neck if you use the Adobe method, which involves futzing around with a very unfriendly Web site. I talk about the official method in my October 2008 article.

For Firefox users, an add-in can now help. To control Flash cookies, just download and install the BetterPrivacy add-in for Firefox.

For cleaning Internet Explorer, there are two products — both free — you can try: CCleaner, available for download on Piriform’s home page, and Flash Cookies Cleaner 1.2, offered as a free download on Softpedia’s site.

Certainly, the zombie cookie approach to subverting a user’s direct commands — reinstating a cookie after the user has explicitly deleted it — constitutes some sort of privacy invasion. Whether it’s actionable in court is anybody’s guess.

Should be quite interesting.


Woody Leonhard‘s latest books — Windows 7 All-In-One For Dummies and Green Home Computing For Dummies — deliver the straight story in a way that won’t put you to sleep.

All Windows Secrets articles posted on 2010-08-05:


About Woody Leonhard

Woody Leonhard is a Windows Secrets senior editor and a senior contributing editor at InfoWorld. His latest book, the comprehensive 1,080-page Windows 8 All-In-One For Dummies, delves into all the Win8 nooks and crannies. His many writings tell it like it is — whether Microsoft likes it or not.