Flash cookies and behavioral tracking: a proposal

After noticing Quantcast’s use of “Flash cookies,” I did some research on this technology as it relates to online privacy and behavioral tracking.   I’ve come to concur with other commentators that Flash cookies present a difficult challenge to meaningful consumer privacy choice, and would like to suggest a proposal.

Not all cookies are created equal

First, some background.  Flash cookies, known more formally as Local Shared Objects, work in much the same way as traditional browser cookies.  When you visit a website (or Flash application) the content server is able to access and store data in a defined place on your machine.  This data is available to servers from that same domain on future visits.  By placing a unique identifier as a local shared object (such as a long number), a tracking firm can capture and profile your activities across different visits and different websites. (See Wikipedia for a good roundup of the issues and links to other research and commentary on the topic.)

Some things to note:

1.  To see your own machine’s set of Flash cookies, visit this page on the Adobe website.  There you will see an interface like this, which shows which sites have stored Flash cookies, and how much space you are permitting them to use.  Key point:  browser applications do not provide direct access or control over Flash cookies in the way that they do over traditional cookies.  To do this easily, you must install a browser add-on like Objection or Better Privacy for Firefox (highly recommended if you are researching how these things work).

2.  Adobe’s special web page shows you the maximum amount of storage space a site can use, and how much they are using, but it does not show you what is being stored there.  In fact, even if you go into the directory structure yourself through the operating system, you will find files that are not easily opened to view.  In practical “opt out” terms, this means you cannot confirm easily that the text consists only of a non-unique looking opt-out cookie, for example. You would need to use an add-on like Objection to see the actual values of the Flash cookies.

3.  Unlike browser cookies, which keep a separate set of cookies for each different browser, a single Flash storage system serves all of the browsers that you may use on one machine.  This means that even if you use two different browsers, your activities in both can be associated with you as a single user.  So-called “private browsing” modes for browsers — which do not store web history or traditional browser cookies — may well still record behavior in Flash cookies.

Given this technical framework, flash cookies are uniquely valuable for behavioral tracking.  They provide all of the same tracking functionality, but unlike traditional cookies, which are regularly deleted by many users, Flash cookies are rarely deleted because (1) users don’t know they are there and (2) the process for managing permissions is practically unusable.

So, who’s using them?  

In light of the persistence and low profile of Flash cookies, you would expect to see tracking companies using Flash cookies.  A quick survey in the machines in my own home revealed Flash cookies being used by the targeters on the following domains (no doubt an incomplete list):

adap.tv
atdmt.com (Akamai)
clearspring.com
doubleclick.net (Google)
eyewonder.com
gigya.com
interclick.com
quantserve.com (Quantcast)
scanscout.com
specificlick.net (Specific Media)
tattomedia.com
tremormedia.com
videoegg.com
visiblemeasures.com

Many of these companies are familiar because they are included in the privacychoice opt-out wizard.  Most of these companies have privacy policies that mention cookie tracking and provide an opt-out.  However, according to a custom search of all of targeting company privacy policies, none of them mentions “Flash cookies” or “local shared objects” in their privacy policies.  None of them explains how to view, control or delete flash cookies. Nor do they state explicitly whether opting out using traditional opt-out cookie will also serve to opt-out from any tracking via Flash cookies. 

To be fair, we can’t assume that all of these networks are using Flash cookies for tracking purposes, and some of these folks who work in video (like Videoegg) no doubt have non-tracking purposes for Flash cookies (to retain user settings, for example).  But the failure to even mention the use of flash cookies in their privacy policies means they aren’t in compliance with the disclosure rules of  TRUSTe or the Network Advertising Initiative, which requires an explanation of what information is collected about users.  Most likely, many of them are using flash cookies for behavioral tracking, and they just haven’t given much thought to the disclosure and opt-out requirements unique to those methods. 

I’ll be polling them on this question and will update this post with further data.

So now what?

Here’s a conclusion and a proposal:

First, it’s not realistic to suggest that companies simply refrain from using Flash cookies for behavioral tracking. It’s already happening, and thanks to the lousy job Adobe did in implementating flash cookie controls, we’re stuck with a system that is opaque and beyond the average user’s ability to control.

However, any company that does collect any information via Flash cookies (whether for behavioral profiling or otherwise) should update their privacy policies to make this clear, just as they generally do for traditional browser cookies.  This is a another good test of the seriousness of self-regulation in the hands of the NAI and TRUSTe.

Any company that uses flash cookies for behavioral profiling should take one additional step, which is to expressly apply their traditional browser cookie opt-out (already in place with over 70 networks) to also cover the use of flash cookies as well, and to confirm that they are doing so in their privacy policies.  That is to say, any consumer opting out via a traditional browser cookie opt-out should be understood as opting out of all tracking, whether by traditional cookies, Flash cookies, beacons or any other technology that may come down the road.

While this is perhaps not as verifiable (because Flash cookies are difficult to find and read), the fact is that nearly all opt-out cookies require users to trust that the network is honoring the opt-out preference anyway. 

Another possible approach — to create a separate opt-out process that actually writes a Flash version of an opt-out cookie into the local shared objects — is not workable.  Confirmation of the process by viewing a flash cookie is too difficult, and it will be more difficult to aggregate opt-outs for the ease of consumers.  Also, with Silverlight and any number additional browser add-ons that can provide a platform for tracking, it would be unmanageable to support separate opt-out regimes for each.  Rather, a comprehensive, cross-technology opt-out system should build on what has already been put in place with traditional browser cookies.

My suggestion reflects a key underlying philosophy:  Opt-out cookies are nothing more than a statement of the user’s preference, and not a means to actually prevent behavioral targeting. True accountability to honor the user’s preference won’t come through technology, but rather through industry leadership, advertiser oversight and (inevitably) some level of government and legal process.

Gigya adds cookie-based opt-out (but far from best practices)

Gigya, which is a widget distribution network claiming to reach 174 million users, added a reference to an opt-out feature in their privacy policy, which takes you to this opt-out page.

Opt-out processes seem to be coming on fast and furious now, following on Google’s adoption of behavioral targeting together with a robust opt-out process.  What is interesting about Gigya’s adoption is that it is another reminder that behavioral targeting technology inevitably will move beyond what we think of as traditional ad networks.  Any third-party provider that has embedded content or functionality in a primary site will likely be leveraging behavioral profiles, and should provide an opt-out process.

Some questions for Gigya on their process:

1/ I had some mixed results with the opt-out itself.  The first couple of times it didn’t seem to lay any new cookies down at all, but then seemed to work to add four different new cookies (two session cookies, two persistent cookies), none of which was identified in the cookie text as opt-outs and, by all appearances, each of which is a non-unique cookie.  Why would you need to add two persistent cookies when just one — which says “OPT OUT” and is not unique — would do the trick?

As you may know if you are following these issues, non-unique cookies are much less desireable because they provide less assurance to the consumer that they are not being tracked, and cannot be embedded as easily into browser plug-ins to retain the opt-out state.  

Also confusing:  the persistent cookies had different expiration dates, including one that expires in 2 years and one that expires in six months.  Why two different expiration periods and why so short?  It is notable that the cookie Gigya uses normally to track behavior (when you have not opted out) is a ten-year cookie.

2/ Relative to other networks, Gigya does a poor job explaining how the process works, that they are writing a cookie, when the cookie expires (is it six months or two years), or that the process needs to be repeated if cookies are cleared from the user’s computer.  Although any action is commendable, this one looks like a rushed job where the objective is to check-the-box on having an opt-out, rather than truly provide consumers with choice.

3/ Gigya indicates that their sharing feature is not available once you have opted out.  Is that truly a technical requirement — can’t you allow sharing but not store behavioral information?

4/ Gigya should provide a clean URL (not obscured within javascript) to initiate the opt-out process — to better enable aggregated services like our opt-out wizard.  An opt-out process that requires a consumer to visit every widget or ad provider is designed to fail.

5/ Last, but not least, will Gigya provide any reference to their privacy policy or the opt-out process within the widgets themselves as they appear across the Web?  This would be analogous to Google’s promise to include “Ads by Google” in all ads that use behavioral targeting, which would provide at least some clue to the consumer where to find out more about privacy and opting out.

Along the same lines, what steps is Gigya taking to ensure that their publisher network (including the likes of CNET and Disney, according to the site) is adopting privacy policies that reference Gigya’s own policies and opt-out process?  This is a best practice that Google is imposing on their own publisher network.  It would seem even more important for Gigya to take these steps, since in many cases the content the deliver on a distributed basis through other sites is not advertising, and the consumer would probably not have an expectation that their behavior is being tracked by third parties.

I would love to hear from the folks at Gigya on these questions, and would be pleased to publish their answers just as soon as I do.