Some Web companies are still using Flash cookies to recreate HTTP cookies that users have deleted -- activity that thwarts users' privacy choices -- but the prevalence of this practice might be
declining.
That's according to a study published on Monday by Carnegie Mellon University's Aleecia M. McDonald
and Lorrie Faith Cranor. In July of 2010, they examined practices at the 100 most popular Web sites and at 500 randomly chosen sites. McDonald and Cranor found that two of the top 100 sites used Adobe
Flash Player's local shared objects (known as Flash cookies) to respawn HTTP cookies, but that none of the 500 randomly selected sites did so. The study was partially funded by Adobe.
Those results show a slight drop in the use of Flash for cookie re-creation from what was reported in a 2009 study out of the University
of California, Berkeley. That study found that half of the 100 most popular sites stored information about users in Flash cookies, and that four of those sites -- including one member of the Network
Advertising Initiative -- used Flash to re-create HTTP cookies that people had deleted.
The Berkeley study spurred a wave of criticism from privacy advocates, industry observers and some officials
from the Federal Trade Commission. Last year, several class-action lawsuits were filed against companies that allegedly used Flash cookies to recreate deleted HTTP cookies.
Many consumers who attempt to prevent online tracking by deleting their HTTP cookies don't know about Flash cookies, which are stored in a different location in the browser. Therefore, Web companies can
circumvent users' attempts to avoid tracking by storing data in Flash cookies.
The Carnegie Mellon study was conducted in July of 2010 -- well after the issue had been brought to light, but
before the recent wave of litigation.
Despite the apparent drop in the questionable use of Flash cookies, Carnegie Mellon researchers say that the study can be used to argue that new privacy
laws are needed. That's because two of the most popular companies were still found to be using Flash cookies at the time the study was conducted -- though both subsequently stopped doing so.
"Regulators are likely to reject industry self-regulation if even the most prominent companies will not respect user choice," the report states. "It is difficult to find calls for a purely industry
self-regulation approach to Internet privacy credible when industry demonstrates willingness to violate user intent and privacy as demonstrated by using LSOs [local shared objects] to respawn HTTP
cookies or individually identify computers."