Study: Adobe Flash cookies pose vexing privacy questions

Users can still be tracked even if they delete their HTTP cookies since Adobe's Flash plug-in stores data

Adobe's Flash program is being used on heavily trafficked Web sites to collect information on how people navigate those sites even if people believe they've restricted the data collection, according to a new study.

The study comes as the U.S. government is evaluating how it uses cookies on its own Web sites.

A cookie is a small piece of data that can record how a person has used the site. The information can be used to track, for example, how many times an advertisement has been viewed, allow someone to stay logged into a Web site or track the items in an online shopping cart.

Cookies don't identify individual users, but many users choose to restrict cookies through their Web browser preferences. Although cookie data is anonymous, some users worry about third-party advertising networks, for example, collecting data and building profiles.

Adobe's Flash program plug-in, which is used to view multimedia content and is installed on millions of computers worldwide, also stores cookies for user preferences such as the volume level of a video, wrote the researchers.

Many Web sites will use both HTTP and Flash cookies. Of six government Web sites studied, three used Flash cookies, including

The U.S. government requires a "compelling need" to use so-called persistent cookies -- which either must be deleted or expire to disappear -- on its Web sites, the researchers wrote.

But if a user deletes the HTTP cookies, the Flash cookie in some cases will recreate, or "respawn" those cookies, jeopardizing the privacy the user had attempted to preserve. Many of the top 100 Web sites will respawn HTTP cookies, the researchers wrote.

"That means that privacy-sensitive consumers who 'toss' their HTTP cookies to prevent tracking or remain anonymous are still being uniquely identified online by advertising companies," according to the study.

Many Web sites do not disclose their use of Flash in their privacy policies, they wrote. "Since users do not know about Flash cookies, it stands to reason that users lack knowledge to properly manage them," the paper said.

Flash cookies can hang around longer, too. They have no expiration date by default, they're stored in a different location than HTTP cookies and can contain up to 100KB of information, whereas HTTP cookies can only have 4KB.

"These differences make Flash cookies a more resilient technology for tracking than HTTP cookies and creates an area of uncertainty for user privacy control," the researchers wrote.

Online advertising companies, however, have embraced Flash cookies since many people regularly delete HTTP cookies. Since those cookies are used to detect repeat visitors to Web site, they're important to getting accurate traffic counts. False traffic counts -- or the counting of repeat visitors as unique visitors -- results in advertisers overpaying.

The study found that companies and platforms such as ClearSpring, Iesnare, InterClick, ScanScout, SpecificClick, QuantCast, VideoEgg and Vizu will set both third-party HTTP and Flash cookies.

Flash cookies can't be managed through Web browsers, but Adobe has a set up a Web page with an applet where people can delete Flash cookies and set preferences, such as not allowing the storage of third-party Flash content.

Still, the researchers argue that the Adobe's process is "not consonant with user expectations of private browsing and deleting cookies" and should be integrated closer into browser tools.

The study was written by Ashkan Soltani, Shannon Canty, Quentin Mayo, Lauren Thomas and Chris Jay Hoofnagle.

Join the CSO newsletter!

Error: Please check your email address.

Tags cookiesadobeadobe flashflashprivacy

More about Adobe Systems

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts