14 DAY TRIAL // A complaint filed last week in California alleges that several companies including Disney, Warner Bros. Records, Ustream and others have installed illegal codes on millions of computers with the purpose of tracking the online activity of their owners.
At the center of the suit, which seeks Class action status, are the so-called Flash cookies. Technically known as Local Shared Objects (LSO), these are normally used by Flash-based applications to store preferences, cache files or save state and temp data, all methods of improving user experience.
However, security experts and researchers have warned since a couple of years ago, that this feature can be misused to store tracking cookies and even re-create them if they are intentionally deleted from the browser.
This is exactly what the companies referred to collectively as "Clearspring Flash Cookie Affiliates" in the complaint are accused of doing, thus affecting the visitors of their respective websites.
The defendants are Clearspring Technologies, the company developing Flash-based technologies and its customers, which include Walt Disney Internet Group, Demand Media, Project Playlist, Soapnet, SodaHead, Ustream and Warner Bros. Records.
"Defendants Clearspring Flash Cookie Affiliates acted with Defendant Clearspring, independently of one another, and hacked the computers of millions of consumers' computers to plant rogue, cookie-like tracking code on users' computers. With this tracking code, Defendants circumvented users' browser controls for managing web privacy and security," the complaint (PDF) reads.
Unlike regular cookies, which are governed by the browser's Same-Origin policy, making it possible only for their creator to access them, Flash cookies can be read by any website. This allowed Clearspring to build visitor profiles and sell the data to advertisers.
According to the complaint, the collected information could have been used to determine "users' video viewing choices and personal characteristics such as gender, age, race, number of children, education level, geographic location, and household income, what the web user looked at and what he/she bought, the materials he/she read, details about his/her financial situation, his/her sexual preference, his/her name, home address, e-mail address and telephone number, and even more specific information like health conditions, such as depression."
In an unrelated and older filing to the Federal Trade Commission (FTC), Adobe, the company developing Flash, has condemned the practice of using Local Storage for backing up or restoring cookies without express user consent.