Flash Cookies and Consumer Privacy
Update: I should apologize to Adobe since I knew they had written to the FTC but didn’t mention it when I originally published this post. If you’re interested in this topic you should definitely download and read Adobe’s letter to the Secretary of the FTC regarding the use of Flash Local Shared Objects to re-spawn cookies. They cite my BPA white paper and do a great job outlining the company’s position on this particular use of their technology. I am writing to Adobe now to see if I can get someone on the phone to discuss in greater depth but if you know anyone there please ask them to email me directly.
A few weeks back we published a white paper with our client BPA Worldwide on the use of Flash Local Shared Objects in web analytics practices. The paper, titled “Flash LSOs: Is Your Privacy at Risk?” is available for download at BPA Worldwide and does require a tiny bit of information (name, company, email.) We wrote the paper with BPA Worldwide because we are seeing a resurgence in the use of Flash LSO as a back-up mechanism for browser cookies and frankly I personally worry about the practice.
Cookie deletion is what it is, and nothing anyone has done in the past five years has seemed to do anything to lessen (or worsen) the rate at which consumers clear cookie and history files. And yes, cookie deletion has a confounding effect on a variety of metrics web analytics professionals consider important, we’ve covered this more or less ad nasuem, although I certainly wonder how comScore’s recent reversal on the value of cookies will play out across combined web analytics + audience measurement efforts.
My concern is that companies are increasingly using cookies to over-ride consumer preferences regarding cookie deletion. Documented by Soltani, et al. in their paper “Flash Cookies and Privacy”, companies are actively using Flash LSO, which are much more difficult to block and delete than their browser-based counterparts, to essentially “reset” browser cookie values and thusly “remember” information that consumers are either implicitly or explicitly asking the web browser to forget.
If you’re doing this, or even considering this, I would encourage you to download the white paper as we provide what I believe to be sound guidance regarding the use of Flash LSO in a measurement practice. You might also want to check out this post over at the Adobe web site which details how Adobe Flash 10.1 will begin to support the “private browsing” feature in most browsers. While I don’t blame Adobe particularly for how companies are using LSO in digital measurement practices, this update is an excellent response from the company and shows their commitment to consumer privacy.
As always your thoughts and feedback are welcome.
Good post! But did you consider Adobes latest akquisition of Omniture and the impact this might have on the other hand side to their privacy policy? As Omniture is constantly propagating the benefits of integrating SiteCatalyst with content related tools like flex, flash and whatever they have in their portfolio, I expect as well that they tend to integrate browser and user recognition by flash LSO in to SiteCatalyst within the next month’s.
So we might get some kind of chimaera at the end?
Axel: Yeah, that is probably the follow-up post. I’m A) waiting to hear back from Adobe and B) considering writing it after Omniture Summit when I’ll have a chance to discuss with a few more people.
Keep reading the blog.
LSO Flash is being abused.
When I was CTO at a behavioral targeting company (name witheld), it was a core part of our tracking mechanism to calculate eCPM in which the retailer pays a fee or share of an order. Without Flash cookies, it was impossible to determine through the social media site and ad networks who drove the buyer to the order page within a defined contract period.
Eric Petersen in his white paper states that 31 or the 100 Quantcast customers use them either as browser cookie overrides or [as part of the beacon scripts – my add]. He is way understating this phenomena.
I know that all video feed sites use them because most videos are played through a flash player. This too goes for flash interactive ads, the largest growing media type on the Web.
The problem is that the browser vendors, including Mozilla do not provide a granular tool for controlling this and Adobe is the passive participant. With Adobe’s acquisition of Omniture, they no longer can stay out of the fray and must provide a browser based mechanism to at least manage Flash cookies.
I leave the beacon issue outside of this discussion but control over such cookies would be the responsibility of multiple stakeholders.
Flash cookies should always be opt-in, not opt-out.
[…] of BPA Worldwide back in February and had to update the blog post I wrote when I noticed that Adobe had wisely written a letter to the Federal Trade Commission regarding the use of Flash to reset browser […]
[…] in partnership with BPA Worldwide, Web Analytics Demystified published a white paper detailing the risks associated with the use of Flash Local Shared Objects (LSOs) in digital measurement. Titled “The Use of Flash Objects in Visitor Tracking: Brilliant Idea or Risky […]
[…] Cookies and Consumer Privacy: Good post that talks about the practice of using Flash LSO cookies to over-ride consumer preferences […]
[…] Cookies and Consumer Privacy: Good post that talks about the practice of using Flash LSO cookies to over-ride consumer preferences […]
[…] you know about "Flash cookies" and consumer privacy? This Demystified blog has an excellent exposé… see […]