Top websites and advertising companies use Flash cookies to store user information

Aug 12, 2009 12:37 GMT

Unknown to the general public, Adobe Flash uses local cookies to store various types of sensitive user information. This was the conclusion of a study supported by TRUST (Team for Research in Ubiquitous Secure Technologies) and conducted by various US universities.

Most people already know that Internet cookies are used to store personal data after accessing a website, but fewer are aware that Adobe Flash does the same thing. Even more dangerous is the fact that Flash cookies seem to resurrect after being deleted, as the study has shown in various tests.

This issue poses a big problem in cases where sensitive data was sent through a Flash interface. If Flash cookies are involved, some personal information may have been left behind and will continue to linger on the same computer. If the user accesses that same website again, that data may be used without permission or without the user being aware of it.

Thus, many websites could be, and probably are, tracking user behavior, building profiles and accessing sensitive personal data without authorization. In many cases, a simple Flash component displayed on a page could lead to the creation of a Flash cookie on the user's computer.

Unlike HTTP cookies, Flash cookies have no expiration date by default and store 25 times more data than a regular HTTP cookie. To make them more difficult to track, Flash cookies aren't even stored in the same place as HTTP cookies, and they are not integrated into browser security settings.
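Because these files sit outside the browser's cookie store, the only way to see them is to look on disk. The following script is an added example, not part of the original article or the study: it walks the default Flash Player storage directories, lists each `.sol` file by the domain that created it, and flags any file containing a value that is also set as an HTTP cookie. The directory paths are the standard Flash Player defaults; the sample domain, identifier and file bytes in `demo()` are constructed.

```python
import re
import sys
import tempfile
from pathlib import Path

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII bytes

def lso_roots(home=None):
    """Default Flash Player storage directories, all outside the browser profile."""
    home = Path(home) if home else Path.home()
    return [
        home / "AppData/Roaming/Macromedia/Flash Player/#SharedObjects",      # Windows
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
        home / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
    ]

def audit(root, http_cookie_values=()):
    """List every .sol file under root and flag HTTP cookie values found inside it."""
    root = Path(root)
    wanted = [v.encode() for v in http_cookie_values if len(v) >= 6]
    findings = []
    for sol in sorted(root.rglob("*.sol")):
        parts = sol.relative_to(root).parts
        # Layout: <random dir>/<domain>/.../<name>.sol
        domain = parts[1] if len(parts) >= 3 else "(unknown)"
        data = sol.read_bytes()
        strings = PRINTABLE.findall(data)
        shared = sorted({v.decode() for v in wanted if any(v in s for s in strings)})
        findings.append({"domain": domain, "file": sol.name,
                         "bytes": len(data), "shared_ids": shared})
    return findings

def demo():
    """Audit a constructed storage tree (sample bytes, not a real capture)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "AB12CD34" / "ads.example.test"
        site.mkdir(parents=True)
        blob = b"\x00\xbf\x00\x00\x00\x20TCSO\x00\x04uid\x02\x00\x0cu-7f3a91c2e0\x00"
        (site / "track.sol").write_bytes(blob)
        return audit(tmp, ["u-7f3a91c2e0"])

if __name__ == "__main__":
    ids = sys.argv[1:]  # HTTP cookie values exported from the browser
    results = [f for r in lso_roots() if r.is_dir() for f in audit(r, ids)] or demo()
    for f in results:
        flag = "  <- also stored as an HTTP cookie" if f["shared_ids"] else ""
        print(f'{f["domain"]:30} {f["file"]:20} {f["bytes"]:6} B{flag}')
```

A value that appears in both stores means the identifier survives when only one of them is cleared.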

For those interested in turning Flash cookies off, this can be done from an Adobe settings applet hosted on this page.

The study has also shown that user privacy has already been broken by major websites, since most of them use Flash cookies. Of all of them, advertising companies have been using the most complex and intrusive sets of cookies, storing and building customer profiles.

This kind of information is very important for online advertisers, who use it to count the unique visitors of a website that displays a certain ad campaign, since all revenues and payments are proportional to the number of unique visitors.

Companies like ClearSpring, Iesnare, InterClick, ScanScout, SpecificClick, QuantCast, VideoEgg and Vizu have been creating and using these kinds of Flash cookies.

More curious is the fact that, of the websites in the research pool, only four listed in their privacy policy the use of Flash to store private content or as a tracking mechanism.

Study research team: Lauren Thomas, Ashkan Soltani, Shannon Canty, Quentin Mayo and Chris Jay Hoofnagle.