Have Web Sites Cut Back On Flash Cookies?
That's according to a study published on Monday by Carnegie Mellon University's Aleecia M. McDonald and Lorrie Faith Cranor. In July of 2010, they examined practices at the 100 most popular Web sites and at 500 randomly chosen sites. McDonald and Cranor found that two of the top 100 sites used Adobe Flash Player's local shared objects (known as Flash cookies), to respawn HTTP cookies, but that none of the 500 randomly selected sites did so. The study was partially funded by Adobe.
Those results show a slight drop in the use of Flash for cookie-recreations from what was reported in a 2009 study out of University of California Berkeley. That study found that half of the 100 most popular sites stored information about users in Flash cookies, and that four of those sites -- including one member of the Network Advertising Initiative -- used Flash to create HTTP cookies that people had deleted.
The Berkeley study spurred a wave of criticism by privacy advocates, industry observers and some officials from the Federal Trade Commission officials. Last year, several class-action lawsuits were filed against companies that allegedly used Flash cookies to recreate deleted HTTP cookies.
Many consumers who attempt to prevent online tracking by deleting their HTTP cookies don't know about Flash cookies, which are stored in a different location in the browser. Therefore, Web companies can circumvent users' attempts to avoid tracking by storing data in Flash cookies.
The Carnegie Mellon study was conducted in July of 2010 -- well after the issue had been brought to light, but before the recent wave of litigation.
Despite the apparent drop in the questionable use of Flash cookies, Carnegie Mellon researchers say that the study can be used to argue that new privacy laws are needed. That's because two of the most popular companies were still found to be using Flash cookies at the time the study was conducted -- though both subsequently stopped doing so.
"Regulators are likely to reject industry self-regulation if even the most prominent companies will not respect user choice," the report states. "It is difficult to find calls for a purely industry self-regulation approach to Internet privacy credible when industry demonstrates willingness to violate user intent and privacy as demonstrated by using LSOs [local shared objects] to respawn HTTP cookies or individually identify computers."