Third party Flash cookies

You’ve probably heard about browser cookies (HTTP cookies) before. Web sites can use them to temporarily or permanently store information on your computer. Permanent cookies can therefore be used by advertising networks like Google’s Doubleclick to keep track of the sites you visit. Actually they track your web browser, not you personally. I don’t mind being tracked anonymously. However, it is technically possible to link anonymous profiling data to a person. Let me explain one such possibility.

Suppose that after I logged in with my user name and password, a web site adds my personal data as a “query string” to the target URLs of some links on a page:

http://www.unsafe-site.com/program.php?name=Soldierer&firstname=Walter&city=Goch&country=Germany&phone=12345

Why is this bad practice? Simply because when I click this link, the full URL, query string included, is sent to every third-party server that supplies an object for the requested page. So if unsafe-site.com uses Doubleclick to generate advertising revenue, the request for the banner image or Flash file would hand my personal data to Doubleclick’s server. In tech speak, the data is part of the request’s “HTTP referrer” (the Referer request header). So if they wanted to, Doubleclick could use the referrer URL to link my personally identifiable data to the anonymous tracking cookie profile that they have been collecting for a long time.
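The leak described above, and what a referrer policy changes about it, as an added example that is not code from the original post. It models a simplified subset of the browser's Referrer-Policy handling; the ads.example URL and the function names are assumptions made for illustration.

```javascript
// Added example: which Referer value a third-party request carries under a
// given Referrer-Policy (simplified subset of the browser algorithm).
const PAGE = 'http://www.unsafe-site.com/program.php?name=Soldierer&firstname=Walter&city=Goch&country=Germany&phone=12345';
const AD_REQUEST = 'http://ads.example/banner.swf'; // hypothetical third-party object

function refererSent(pageUrl, requestUrl, policy) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  page.hash = '';      // fragments are never sent in a Referer
  page.username = '';  // neither are embedded credentials
  page.password = '';
  const full = page.href;
  const originOnly = page.origin + '/';
  const sameOrigin = page.origin === req.origin;
  // Simplification: "downgrade" here means an https page requesting non-https.
  const downgrade = page.protocol === 'https:' && req.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error('policy not modelled: ' + policy);
  }
}

// Names of the query parameters a third party can read from the Referer.
function leakedParams(referer) {
  if (referer === null) return [];
  return [...new URL(referer).searchParams.keys()];
}

// Compare the behaviour the post describes with two stricter policies.
for (const policy of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin', 'no-referrer']) {
  const sent = refererSent(PAGE, AD_REQUEST, policy);
  console.log(policy.padEnd(32), '->', sent, leakedParams(sent));
}
```

Trimming the Referer only limits this one channel; keeping personal data out of URLs in the first place removes the problem at its source.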

I’m not saying that any of the ad networks does this, or implements other methods to merge anonymous and personal data. They could though, and that’s why I protect my privacy by blocking all third party cookies in Internet Explorer and Firefox.

Last week’s episode of Security Now drew my attention to Flash cookies. Adobe doesn’t call it a cookie, but Flash can also be used to permanently store information on your computer, up to 100 kb by default. This information cannot be accessed through the web browser’s privacy menu. Only by using Adobe’s own Settings Manager tool on their web site can you see who has stored Flash cookies on your machine. I was surprised to see how many of them were present on my computer.

Fortunately the Settings Manager has a box that can be unchecked to block third party Flash cookies:

[Screenshot: Flash Storage Settings in Settings Manager]

From an online marketing point of view, third party cookies are a useful technology that helps ad networks better target their ads. The user should benefit from this, too. You get fewer irrelevant ads after all. However, as long as it is technically possible to abuse the cookie to violate privacy, there will always be users who block them. Also, the online advertising industry is not particularly open about third party cookies and what they are used for, leading to suspicion and distrust among users. Recent developments on the web have shown that online advertising works much better if the advertisers are open and honest about what they do and put users in control of what information they want to share with them. Technology barriers, hard-to-understand privacy policies, and hidden opt-out forms will not generate the level of trust needed.