My Interview with Adobe Chief Privacy Officer

Those of you paying close attention to issues regarding consumer privacy on the Internet are probably at least a little familiar by now with Flash Local Shared Objects (also called Flash “Cookies” by some.) I wrote a white paper on the subject Flash objects’s use in web analytics on behalf of BPA Worldwide back in February and had to update the blog post I wrote when I noticed  that Adobe had wisely written a letter to the Federal Trade Commission regarding the use of Flash to reset browser cookies.

After writing that update I got in contact with Adobe’s Chief Privacy Officer, MeMe Rasmussen, who politely agreed to answer a few questions that I had about their letter and Adobe’s position on the use of Flash as a back-up strategy for cookies.  Given that Scout Analytics is now reporting that Flash “Cookies” are increasingly being deleted by privacy-concerned Internet users I figured it was a good time to publish my questions and MeMe’s responses.

The following are my questions (in bold) and Mrs. Rasmussen’s responses verbatim.

Flash Local Shared Objects (LSOs) have been around for a long-time and I have been aware of their use as a “backup” for browser cookies for reset and other calculations for a few years.  What made you write your letter to the FTC now?  Was there a specific event or occurrence?

The topic of respawning browser cookies using Flash local storage was publicized after research conducted by UC Berkeley on the subject was published in August 2009.  The topic was also raised at the FTC’s First Privacy Roundtable in December, so when the FTC announced that its Second Roundtable would focus on Technology and Privacy, we felt it was the appropriate opportunity for Adobe to describe the problem and state our position on the practice.

While I believe the position you outlined in your letter to the FTC is the correct one, you have put many of your customers in an uncomfortable position by condemning an act that they have been using for quite some time — essentially issuing negative guidance where none had been previously issued (to my knowledge.)  What has the response to this been if I may ask?

We have not received any comments or concerns from customers about our Comment Letter to the FTC.  Adobe’s position specifically condemns the practice of using Flash local storage to back up browser cookies for the purpose of restoring them after they have been deleted by the user without the user’s knowledge and express consent.  We believe companies should follow responsible privacy practices for their products and services, regardless of the technologies they choose to use.

On page 8 of your response to the FTC you discuss Adobe’s commitment to research the extent of this (mis)use of Flash LSOs.  Given the extent to which LSOs are being used perhaps “not as designed” and the sheer popularity of Flash on the web this seems quite a task.  Can you describe how you have started going about this effort?

We are currently in the process of defining the research project and are working with a well-respected consumer advocacy group and university professor.  At this time, the specific details of the project have not yet been finalized.

Within the web analytics community many have commented that your position on Flash LSOs may impact some of what Mr. Nayaren and Mr. James have said about the integration of Omniture and Adobe products like Flash.  Specifically some of the commentary suggests a tight integration of Omniture’s tracking and Flash.  Does your position on LSOs as a tracking device change the guidance the company has issued to common customers?

No, the position we outlined in the FTC Comment on condemning the misuse of local storage, was specific to the practice of restoring browser cookies without user knowledge and express consent.  We believe that there are opportunities to provide value to our customers by combining Omniture solutions with Flash technology while honoring consumers’ privacy expectations.

One of the suggestions I made in the white paper with BPA Worldwide that you cited was to use Flash LSO as a back-up tracking mechanism but NOT to use it to re-spawn cookies.  From a measurement perspective there are a handful of good reasons to do this … does Adobe have a position on that strategy that you can outline?

The point we made in our FTC Comment was that we considered the practice of using Flash local storage to respawn HTML cookies without user consent or knowledge to be an inappropriate privacy practice.  In your white paper, you identified some uses of Flash local storage whereby browser cookies are rest but the use is given clear notice and an opportunity to consent.  We believe that technology should be used responsibly and in ways that are consistent with user expectations.  The example you presented in your white paper was an example of a Web site that, by giving notice and control to the user, implemented our technology in what appeared to be a responsible manner.

(Thanks again to MeMe and the team at Adobe for getting these responses back to me! As always I welcome your comments and questions.)