Posts Tagged ‘flash cookies’

Online Behavioral Advertising Checklist: Seeking Input

June 11, 2010

After compiling the PrivacyChoice Index and interacting with dozens of ad networks and data companies about consumer privacy, it seemed like it would be useful to publish a checklist of practices and policies applicable to companies engaged in online behavioral advertising. No doubt this is incomplete, and some of the recommendations may be controversial, but it’s a start.

Your input will be appreciated, either in the comments here or privately by email. I’m particularly interested in input from data practitioners who are on the front line implementing privacy processes. If you believe in the self-regulatory effort, I hope you agree that sharing best practices will work to benefit all players, including ad networks, data companies, advertisers and more informed and capable consumers.


Nice link inside Google Chrome

March 31, 2010

True integration of Flash cookie management would be better of course (since Adobe’s interface is terrible), but every browser company should at least do this.

PrivacyChoice Reloaded: more info + more choices

February 3, 2010

Today we have completed a significant upgrade to PrivacyChoice, where consumers can learn about behavioral advertising and their privacy options. In addition to a cleaner, more compact interface, here are the highlights of this release:

  1. More summary information. On our homepage you now see a more meaningful summary of the ad-delivery practices for each website, including the total number of companies collecting information, how many of them are industry-accountable (through the Network Advertising Initiative) and how many have policy terms that raise questions (usually lack of published policies on deletion or handling of sensitive information). When users view privacy policy excerpts for any company, terms with questions are now highlighted.
  2. More choices. Obviously, PrivacyChoice is only one of many ways that users can manage their privacy when it comes to ad targeting. Other options include the NAI’s site, the TACO Firefox add-on and a host of more direct tools to change browser settings or block advertising altogether. Now we present all of those choices together with some advice about why users might pick one over another.
  3. Flash-cookie control. When users opt-out of tracking by an ad-delivery company, the PrivacyChoice Opt-out add-on for Firefox now also automatically deletes known Flash cookies (local stored objects) for that network (and keeps them deleted), without affecting beneficial Flash cookies that may be in use for other sites.
  4. PrivacyChoice preferences tab. We now provide a separate tab for users who have made any opt-outs through PrivacyChoice, which for add-on users is also accessible through the Tools menu in Firefox. Users can always come to this page to see their detailed status across all networks, and their rules-based setting (complete, selective or no rule).
  5. PrivacyChoice Index integration. Users now have direct links to the PrivacyChoice Index of tracking companies, which provides detailed information on privacy practices, policies and accountability.

As always, your continued feedback is invaluable as we continue to refine and extend this service. Thanks!

Good trend beginning? interCLICK kills their Flash cookies

October 26, 2009

interCLICK confirmed this morning they are no longer using Flash cookies for ad targeting, and have conformed their privacy policy accordingly. It sounds like this is part of the NAI’s efforts to rein in the use of this technology among NAI members; even with disclosure, use of Flash cookies just doesn’t line up with consumer expectations about their ability to control ad targeting.

With our own Flash-cookie monitoring underway, we will keep an eye on which networks continue to use them. As a matter of disclosure, ad networks continuing to write Flash cookies for any purpose should make a statement either way as to whether they are used for ad targeting purposes.

Doubleclick’s Flash cookies

October 25, 2009

Since the next version of the privacychoice opt-out tool will incorporate integrated control of Flash cookies, we’ve developed internal tools to start monitoring the incidence of use of Flash cookies by tracking companies. It’s not news that use of Flash cookies has been widely embraced by ad networks; what is surprising is how few of them explain this in their privacy disclosures, or provide any guidance on how to delete or control them.

The most notable example of missing Flash-cookie disclosure comes from the biggest dog of all: Google’s DoubleClick subsidiary. We’re seeing their Flash cookie,, on multiple test machines, which raises questions:

  1. Is DoubleClick’s Flash cookie used to gather interest information? This is not confirmed one way or another in the privacy policy, but should be. (In fact, a search of DoubleClick’s site reveals no mention of Flash cookies.)
  2. If I expressly opt out using the regular DoubleClick browser cookie, and then that opt-out cookie is deleted for any reason, does DoubleClick reconnect my profile with the surviving Flash cookie? Why doesn’t Google just delete the Flash cookie as part of the normal opt-out process?
  3. Better yet, if Google is using Flash cookies to enhance the ad serving experience, why not set the user’s opt-out preference with a durable Flash cookie?

My guess is that DoubleClick’s Flash cookies are not used for interest gathering or ad targeting, but in the absence of a clear statement as to how they are used, consumers are left to wonder.

More on AddThis — looking at the GSA contract

August 31, 2009

A quick follow up on last week’s post outlining questions about the privacy practices of AddThis when installed on government websites. As a result of a FOIA request by the Electronic Privacy Information Center, the General Services Administration has now released its contract with AddThis. As EPIC points out, this contract is one of the few disclosed contracts to provide that persistent cookies will not be used on .gov sites.

Here’s the problem: As you can see from the screen grab, as of the time of this post, AddThis is indeed writing cookies — Flash cookies no less — on, doing so upon interaction with the AddThis widget. (Note: Clearspring is the parent company of AddThis and the formal party to the GSA contract.)

Hopefully AddThis will move quickly to resolve this issue and also to shore up their relatively weak privacy disclosures and opt-out processes.

Two notable privacy policy updates

August 17, 2009

In the last week, we saw two interesting changes to privacy policies that we track (and these are now updated in our database):

Fetchback formerly had no deletion requirement for user information, and now deletes all information after 1 year. It seems like there’s a lot of momentum around 1 year as the maximum retention period, at least among the minority of tracking companies that have any kind of deletion policy. See the prior post on this topic.

interclick now includes a reference to their use of Flash cookies (acknowledging that these are not deleted through normal browser privacy processes). At least their statement promises (or at least implies) that if you follow their normal process (regular cookies) you will be opted out of all tracking, including Flash cookies. (See the prior post on this important topic.)

Flash cookies and behavioral tracking: a proposal

April 29, 2009

After noticing Quantcast’s use of “Flash cookies,” I did some research on this technology as it relates to online privacy and behavioral tracking.   I’ve come to concur with other commentators that Flash cookies present a difficult challenge to meaningful consumer privacy choice, and would like to suggest a proposal.

Not all cookies are created equal

First, some background.  Flash cookies, known more formally as Local Shared Objects, work in much the same way as traditional browser cookies.  When you visit a website (or Flash application) the content server is able to access and store data in a defined place on your machine.  This data is available to servers from that same domain on future visits.  By placing a unique identifier as a local shared object (such as a long number), a tracking firm can capture and profile your activities across different visits and different websites. (See Wikipedia for a good roundup of the issues and links to other research and commentary on the topic.)

Some things to note:

1.  To see your own machine’s set of Flash cookies, visit this page on the Adobe website.  There you will see an interface like this, which shows which sites have stored Flash cookies, and how much space you are permitting them to use.  Key point:  browser applications do not provide direct access or control over Flash cookies in the way that they do over traditional cookies.  To do this easily, you must install a browser add-on like Objection or Better Privacy for Firefox (highly recommended if you are researching how these things work).


2.  Adobe’s special web page shows you the maximum amount of storage space a site can use, and how much they are using, but it does not show you what is being stored there.  In fact, even if you go into the directory structure yourself through the operating system, you will find files that are not easily opened to view.  In practical “opt out” terms, this means you cannot confirm easily that the text consists only of a non-unique looking opt-out cookie, for example. You would need to use an add-on like Objection to see the actual values of the Flash cookies.

3.  Unlike browser cookies, which keep a separate set of cookies for each different browser, a single Flash storage system serves all of the browsers that you may use on one machine.  This means that even if you use two different browsers, your activities in both can be associated with you as a single user.  So-called “private browsing” modes for browsers — which do not store web history or traditional browser cookies — may well still record behavior in Flash cookies.

Given this technical framework, flash cookies are uniquely valuable for behavioral tracking.  They provide all of the same tracking functionality, but unlike traditional cookies, which are regularly deleted by many users, Flash cookies are rarely deleted because (1) users don’t know they are there and (2) the process for managing permissions is practically unusable.
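To make item 2 above concrete, here is an added example (not part of the original post): a minimal reader for the `.sol` files that hold Local Shared Objects, which lists the stored values and flags any that look like a unique identifier rather than a generic setting or opt-out marker. It assumes the commonly documented AMF0 file layout and handles only top-level number, boolean, string and null values; the function names, the identifier heuristic and the sample bytes are constructed for illustration.

```python
import struct

def parse_sol(data: bytes):
    """Parse an AMF0 .sol file; return (root_name, {key: value})."""
    if data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        raise ValueError("not a Local Shared Object file")
    if struct.unpack(">I", data[2:6])[0] != len(data) - 6:
        raise ValueError("length field does not match file size")
    def read_str(pos):                       # u16 length + UTF-8 bytes
        (n,) = struct.unpack_from(">H", data, pos)
        return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n
    root, pos = read_str(16)                 # 16 = magic + length + TCSO + 6 fixed bytes
    if data[pos:pos + 4] != b"\x00\x00\x00\x00":
        raise ValueError("only AMF0 bodies are handled in this example")
    pos += 4
    values = {}
    while pos < len(data):
        key, pos = read_str(pos)
        marker, pos = data[pos], pos + 1
        if marker == 0x00:                   # number: big-endian double
            val, pos = struct.unpack_from(">d", data, pos)[0], pos + 8
        elif marker == 0x01:                 # boolean
            val, pos = data[pos] != 0, pos + 1
        elif marker == 0x02:                 # string
            val, pos = read_str(pos)
        elif marker in (0x05, 0x06):         # null / undefined
            val = None
        else:
            raise ValueError(f"unsupported AMF0 type 0x{marker:02x} at key {key!r}")
        values[key] = val
        pos += 1                             # one padding byte follows each value
    return root, values

def looks_like_identifier(value) -> bool:
    """Heuristic assumed for this example: long digit or hex runs can single out a user."""
    if isinstance(value, float):
        return value.is_integer() and abs(value) >= 1e9
    return (isinstance(value, str) and len(value) >= 12
            and all(c in "0123456789abcdefABCDEF-" for c in value))

def identifier_keys(data: bytes):
    """Names of stored values that look like per-user identifiers."""
    return sorted(k for k, v in parse_sol(data)[1].items() if looks_like_identifier(v))

def build_sample() -> bytes:
    """Constructed sample LSO for this example, not captured from any real site."""
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = b"TCSO\x00\x04\x00\x00\x00\x00" + s("settings") + b"\x00\x00\x00\x00"
    body += s("volume") + b"\x00" + struct.pack(">d", 0.8) + b"\x00"
    body += s("optout") + b"\x02" + s("OPT_OUT") + b"\x00"
    body += s("uid") + b"\x02" + s("4a7f9c2e51d8b03f") + b"\x00"
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body

if __name__ == "__main__":
    print(parse_sol(build_sample()), identifier_keys(build_sample()))
```

In the constructed sample, the `volume` setting and the generic `OPT_OUT` marker pass, while the 16-character `uid` value is flagged.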

So, who’s using them?  

In light of the persistence and low profile of Flash cookies, you would expect to see tracking companies using Flash cookies.  A quick survey of the machines in my own home revealed Flash cookies being used by the targeters on the following domains (no doubt an incomplete list): (Akamai) (Google) (Quantcast) (Specific Media)

Many of these companies are familiar because they are included in the privacychoice opt-out wizard.  Most of these companies have privacy policies that mention cookie tracking and provide an opt-out.  However, according to a custom search of all of the targeting company privacy policies, none of them mentions “Flash cookies” or “local shared objects” in their privacy policies.  None of them explains how to view, control or delete flash cookies. Nor do they state explicitly whether opting out using a traditional opt-out cookie will also serve to opt-out from any tracking via Flash cookies.

To be fair, we can’t assume that all of these networks are using Flash cookies for tracking purposes, and some of these folks who work in video (like Videoegg) no doubt have non-tracking purposes for Flash cookies (to retain user settings, for example).  But the failure to even mention the use of flash cookies in their privacy policies means they aren’t in compliance with the disclosure rules of  TRUSTe or the Network Advertising Initiative, which requires an explanation of what information is collected about users.  Most likely, many of them are using flash cookies for behavioral tracking, and they just haven’t given much thought to the disclosure and opt-out requirements unique to those methods. 

I’ll be polling them on this question and will update this post with further data.

So now what?

Here’s a conclusion and a proposal:

First, it’s not realistic to suggest that companies simply refrain from using Flash cookies for behavioral tracking. It’s already happening, and thanks to the lousy job Adobe did in implementing flash cookie controls, we’re stuck with a system that is opaque and beyond the average user’s ability to control.

However, any company that does collect any information via Flash cookies (whether for behavioral profiling or otherwise) should update their privacy policies to make this clear, just as they generally do for traditional browser cookies.  This is another good test of the seriousness of self-regulation in the hands of the NAI and TRUSTe.

Any company that uses flash cookies for behavioral profiling should take one additional step, which is to expressly apply their traditional browser cookie opt-out (already in place with over 70 networks) to also cover the use of flash cookies, and to confirm that they are doing so in their privacy policies.  That is to say, any consumer opting out via a traditional browser cookie opt-out should be understood as opting out of all tracking, whether by traditional cookies, Flash cookies, beacons or any other technology that may come down the road.

While this is perhaps not as verifiable (because Flash cookies are difficult to find and read), the fact is that nearly all opt-out cookies require users to trust that the network is honoring the opt-out preference anyway. 

Another possible approach — to create a separate opt-out process that actually writes a Flash version of an opt-out cookie into the local shared objects — is not workable.  Confirmation of the process by viewing a flash cookie is too difficult, and it will be more difficult to aggregate opt-outs for the ease of consumers.  Also, with Silverlight and any number of additional browser add-ons that can provide a platform for tracking, it would be unmanageable to support separate opt-out regimes for each.  Rather, a comprehensive, cross-technology opt-out system should build on what has already been put in place with traditional browser cookies.

My suggestion reflects a key underlying philosophy:  Opt-out cookies are nothing more than a statement of the user’s preference, and not a means to actually prevent behavioral targeting. True accountability to honor the user’s preference won’t come through technology, but rather through industry leadership, advertiser oversight and (inevitably) some level of government and legal process.

Quantcast joins the NAI? Uses flash cookies?

April 29, 2009

Quantcast’s analytics service has grown rapidly, giving them a footprint (and cookie access) across thousands of websites and 6 billion impressions per day.  They recently launched Quantcast Marketer, which promises advertisers “valuable demographic and interest-based insights about their customers as they are exposed to advertising and/or interact with content or functionality on brand sites.” (emphasis mine)

When I checked for an opt-out on Quantcast’s site earlier this year, I could not find one (even though Omniture and Nielsen offered them), so it was interesting to see that one is now available through their privacy policy page.  

The presentation of this opt-out is unusual. The first reference to an opt-out appears on the privacy policy page in a menu on the left, although on the same page there’s no mention of an opt-out in a long paragraph about cookies.  In that text, the only recommendation they offer is to manage cookies through your browser settings.  Also, the label “Opt-out of Quantcast Delivery” is strange (what’s being delivered?). When you click on the link, you get to a pretty standard looking opt-out console.

In fact, it looks just like all of the implementations that are collected at the NAI site, although Quantcast is not currently listed as an NAI member.

If I had to guess, I’d say that as Quantcast has moved from simple analytics and into more direct involvement in ad targeting, it has become logical to join the NAI.  To be in the NAI, you must offer an opt-out.  I suspect that this is still in testing, and the rest of the privacy disclosures are just a step behind. Here’s hoping that those are brought in line quickly and that Quantcast puts a prominent opt-out button on the top page of their site, in the true spirit of the NAI.

Now the critique:

First, the cookie itself does not have a name or text content that clearly identifies it as an opt-out cookie, so it’s hard for the user or researcher to feel assured that the opt-out has been effective. I am guessing that the operative cookie is on the quantserve domain and is called “qoo”, but I can’t be sure.

Second, based on trying this on two different machines, it looks like Quantcast is providing unique cookie text for each opt-out, in the form of a long number.  This is poor form, particularly since all the big players (like Google) have moved toward non-unique cookies that, due to their very non-uniqueness, cannot be used for tracking.

One last question for the folks at Quantcast:  tonight I also happened to find a Local Shared Object (flash cookie) on my machine from the domain.  Are you using these for tracking or targeting purposes?  Will my opt-out be effective for the flash cookie as well?

In my humble opinion, it would be aggressive for Quantcast to use flash cookies for tracking, since consumers don’t understand them and they are difficult to find or remove (perhaps that’s the point). In any case, they aren’t mentioned in the Quantcast privacy policy, whereas browser cookies are discussed extensively.  Since the NAI principles are clear that flash cookies need to be explained as part of “clear and conspicuous” disclosure, we trust that this has already been considered by Charles Curran and his team in Quantcast’s NAI application process, and that appropriate disclosures are on the way.