Commentary
Flash Of Criticism At FTC Privacy Roundtable
- by Wendy Davis , Staff Writer @wendyndavis, January 28, 2010
"We are currently examining practices that undermine the tools that consumers can use to opt out of behavioral advertising," Vladeck said this morning at the FTC's roundtable on privacy. "We hope to announce law enforcement actions later this year," he added.
Vladeck didn't elaborate, so it's not yet clear which companies are in the FTC's crosshairs. But one possibility is that he was referring to companies that use Flash cookies to circumvent users' wishes -- something that Vladeck and Commissioner Pamela Jones Harbour have previously criticized.
In fact, Flash was a big focus at the first FTC panel discussion this morning. Berkeley Law's Chris Hoofnagle mentioned that some companies had boasted that Flash cookies can be used for behavioral targeting because most consumers don't know enough to delete such cookies -- stored in a different place than traditional HTTP cookies.
Eric Goldman, director of the High Tech Law Institute at Santa Clara University, pointed out that companies' use of Flash illustrates a longstanding pattern in which technology evolves faster than consumers' knowledge. The result, he says is a "gap created between what technology can do and what consumers want."
At another panel today at the FTC, Chris Conley, technology & civil liberties fellow at the ACLU of Northern California, gave a vivid example of the real-world consequences of Facebook's new privacy settings. Conley reported that two closeted students complained to his organization that they were outed by Facebook's new privacy settings. The students had previously signed up as fans of the LGBT (lesbian, gay, bisexual, transgender) page on Facebook. But the site now classifies all pages people are fans of as "publicly available information" -- which gets published on their profile pages.
Facebook's Tim Sparapani, director of public policy, offered the disingenuous response that the information was always public because the LGBT's page posted the names of fans. That may be true, but there's a big difference between being named on a fan site that also lists 19,000 other Facebook members, and having the information appear on users' own profile pages.
Wendy Davis is a Senior Writer at MediaPost. You can reach Wendy at wdavis@mediapost.com
hi Wendy,
I was listening to the web cast and I heard Tim Sparapani respond to that issue. I was also surprised by what he said. Facebook had been boasting about his privacy credentials when they hired him, but if he is going to bulldoze over the context of sharing and knowing who can see what, then he has a lot to learn about the social component of privacy.
The use of Adobe Flash Player has been instrumental in innovating and forming the Web as we know it today. While the vast majority of Web sites and developers use Local Storage capabilities (often incorrectly referred to as “Flash cookies”) to provide a better user experience, Local Storage is sometimes misused by certain Web site operators or ad networks. Adobe proactively encourages our customers to use all Adobe products in responsible, ethical ways. Adobe does not support the use of our products in ways that intentionally ignore the user’s expressed intentions.
In particular, Adobe condemns the practice of using Local Storage to back up browser cookies for the purpose of restoring them later without user knowledge and express consent. This practice—also referred to as “browser cookie re-spawning”—circumvents the user’s intent to clear browser cookies and should not be used.
So what is Local Storage and why is it necessary?
In every case where rich Internet applications are possible, Local Storage is available (and necessary). Local Storage in Flash Player allows Web sites with applications built to run in Flash Player to store data associated with those applications on the user’s computer for use when the user revisits that site. (This information is stored locally on the user’s computer, and is available only to the domain that stored it.)
Local Storage can improve the browsing experience by eliminating the need for users to reenter information each time they visit a site. See below for a few examples of “good use” scenarios for Local Storage capabilities:
- Application preferences: A user’s choices/settings made/selected while visiting a Web site (e.g. volume preference for the video playback experience; custom dictionary in an online word processor; customized user interface)
- Caching: Many online applications consist of a large number of files and data that need to be downloaded during each visit. By storing this data in Local Storage, the local data can be used instead of requesting it from the server every time the application is loaded.
- Saved data: E.g. online game progress/status, high scores
- Temporary data: Storing temporary data in Local Storage, so that the user can return and continue where he left off, i.e. after accidentally hitting the browser’s “Back” button
Local Storage, by itself, cannot do anything to or with the data on a computer. It is just a container to hold information to help make the user experience easy, intuitive, and consistent with the user’s expectations.
The Local Storage capability in Adobe Flash Player is equivalent in concept to the emerging Local Storage capabilities in i.e. HTML5 and Silverlight. The fact that Local Storage in these technologies is distinct from the existing browser cookie system and treated as such by the browsers today underscores the need for responsible use of Local Storage in modern Web applications.
As one of our initiatives to achieve better transparency for the user, Adobe has approached the major browser companies to determine whether there is an efficient way to provide users the opportunity to control their Flash Local Storage (and all Local Storage for that matter) when they set their browser privacy settings. We will continue to pursue these efforts and encourage browsers companies to work with us to address the needs of our common customers–in particular to ensure that users can set preferences and clear Local Storage (for Adobe Flash Player and other technologies using Local Storage) in the place where they have learned to set their privacy settings. Without this, we could solve the issue for Flash Player and see developers move towards other technologies to accomplish the same type of misuse and abuse that you see with Flash Local Storage today.
We make these points (and more) in the comment we submitted to the FTC in preparation for yesterday’s privacy roundtable discussions. Our comment should be posted soon to the FTC Web site at http://www.ftc.gov/os/publiccomments.shtm.