Users often delete HTTP cookies to enhance their privacy, but some of the most popular websites are circumventing these efforts by using little-known Flash cookies, researchers at the University of California, Berkeley have found.
The UC Berkeley research, which was submitted to the federal government for consideration as part of a new policy on the use of tracking technologies, found that Flash cookies were used on 54 of the top 100 websites. Similar to HTTP cookies, Flash cookies are a mechanism to store information about a user’s preferences for websites that use Adobe Flash, a multimedia platform for viewing videos.
Unlike traditional HTTP cookies, Flash cookies are not controlled by the browser, so erasing HTTP cookies does not erase Flash cookies – enabling some websites, particularly advertising networks wishing to track users’ browsing habits, to deter users’ efforts to avoid being tracked, according to the report.
“Flash cookies are a popular mechanism for storing data on the top 100 websites,” the report states. “Some top 100 websites are circumventing user deletion of HTTP cookies by respawning them using Flash cookies with identical values.”
When users visit a site that is using cookies, they are given a unique identifier, Ashkan Soltani, a UC Berkeley graduate student and lead researcher on the study, told SCMagazineUS.com on Tuesday. When HTML cookies are deleted, the users would get a new value when visiting the site. But when Flash cookies and HTML cookies are given the same value, as they were on 31 of the top 100 websites, “it will restore the value of your original cookie, and thereby nullifies the deletion of the HTML cookies,” Soltani said.
The most popular Flash cookies were named, “volume,” “userid,” and less commonly, “computergrid.” The names of the cookies indicate that they are being used to catalog users’ preferences for music and video players, user identification names and, less frequently, the user’s location, according to the report.
The UC Berkeley study found that three of the six government websites analyzed used Flash cookies, including WhiteHouse.gov, which collects a “userid” Flash cookie.
Users can delete Flash cookies by going to Adobe’s Flash Player settings manager website – but many users are not aware of Flash cookies, the report states.
“We [Adobe] do not have access to the settings you see in the settings manager or to personal information on your computer,” Brad Arkin, director of security and privacy at Adobe, told SCMagazineUS.com on Wednesday in an email.
Arkin added that Adobe has no indication of how many users are aware of Flash Cookies but said they are most often used to enhance the web-browsing experience. He said the privacy implications of Flash cookies are no different than HTTP cookies.
In general, cookies have many legitimate uses.
“For example, every time you use a ‘shopping cart’ at an online store, or have a website remember customized settings and preferences, cookies are being used,” according to a July 24 blog post written by Vivek Kundra, federal CIO, and Michael Fitzpatrick, associate administrator of the OMB Office of Information and Regulatory Affairs. But other cookies enable advertising networks to uniquely identify a user — by their username — and track that user’s browsing behavior to build a profile, Soltani said.
The federal government is considering whether cookies should be used on government websites, according to Kundra and Fitzpatrick’s blog.
“If there’s a discussion about regulation and the use of HTML cookies, we are saying technology-specific regulation and policy is a bad idea,” Soltani said.
Soltani said that instead of regulating cookies, the federal government should regulate the practice of tracking in general, adding that there are other technologies that could potentially enable tracking in a way similar to Adobe Flash, such as Microsoft ActiveX controls or DOM Objects.