Web users are not yet
deleting Flash cookies as often as they shed more traditional cookies, but that doesn't mean it's a good idea to use Flash technology to track consumers online. That's according to a new report
commissioned by media audit company BPA Worldwide.
The report, authored by analytics expert Eric Peterson, warns that the use of Flash cookies, also called "local shared objects," to
override consumers' choices could invite new privacy laws. "With the attention given to consumer privacy on the Internet at both individual and governmental levels, we believe that companies making
inappropriate or irresponsible use of the Flash technology are very likely asking for trouble, (and potentially putting the rest of the online industry at risk of additional government regulation),"
writes Peterson, CEO and principal consultant at Web Analytics Demystified.
Several years ago, Peterson shook up the online ad industry with a report that around 40% of Web users deleted their
cookies at least monthly. Before that research was published, many industry observers assumed that relatively few people trashed cookies.
Peterson's study about cookie deletions helped fuel
searches for new tracking technologies that would prove more permanent than traditional cookies. Some companies began hailing Flash cookies -- which were initially developed to store users'
preferences for Flash-based applications like online video players -- as a potential tracking tool.
Flash cookies are not stored in the same place as HTTP cookies, which means that users who
tell their browsers to delete cookies aren't getting rid of Flash cookies. Users can erase Flash cookies through other means, including at Adobe's online controls. But at this point, few people appear
to be aware that Flash cookies even exist.
The use of Flash cookies appears to have grown in recent years. Researchers at UC Berkeley reported last summer that 54 of the top 100 sites set Flash
cookies, while 31 of them stored similar information on Flash cookies as on HTTP cookies. At those sites, even if users delete their HTTP cookies, they can be reconstructed based on information on the
Flash cookies. What's more, Berkeley researchers found that at least one company was using a Flash cookie even when users had opted out of tracking through the Network Advertising Initiative's opt-out
cookie.
Peterson recommends that Web sites that use Flash cookies disclose their existence in privacy policies, make sure consumers can easily opt out of tracking via Flash cookies, and also
refrain from using such cookies to override consumers' preferences.
Jules Polonetsky, director of the think tank Future of Privacy Forum, says he supports Peterson's recommendations, but would
go one step further. He says that companies also should refrain from using Flash cookies for tracking, given that most consumers don't know about the technology. "To use a mechanism that most users
are unaware of to track them is extremely poor privacy behavior," Polonetsky says.
Erica Newland, a policy analyst at the watchdog group Center for Democracy & Technology, agrees. "Right now
the use of local shared objects do not align well with consumer expectations," she says. "No matter how they're implemented, we think these pose additional privacy concerns."