When Flash cookies (also known as a “Local Shared Objects”) were first flagged as a privacy issue back in 2005, a few savvy companies added a disclosure about Flash cookies into their web site privacy policies. Since then, we have not heard the issue raised again. Now this sleeper issue seems to have been awakened by a recent report by researchers at the University of California, Berkeley, entitled Flash Cookies and Privacy

Flash cookies, which utilize a little-known capability of Adobe’s Flash plug-in, are a method to store information about a user’s preferences. (Estimates suggest that Adobe’s Flash software is installed on some 98 percent of personal computers.) Flash cookies may be used to provide better functionality to the user by, for example, storing the user’s preferences about sound volume or caching a music file for smoother play-back over an unreliable network connection. Flash cookies may also be used as unique identifiers that enable advertisers to track user preferences and circumvent deletion of HTTP cookies. Because Flash cookies are stored in a different location than HTTP cookies on one’s personal computer, simply erasing HTTP cookies, clearing browser history, or deleting the cache does not remove Flash cookies.

The Flash Cookies and Privacy report found that 54 of the top 100 websites utilized Flash cookies. Some of the Flash cookies found by the researchers were used for function-improving purposes, while others were found to store unique identifiers, which could be used to track the user. Moreover, some of the Flash cookies that stored unique identifiers were used to recreate an HTTP cookie after its affirmative removal by the user (so-called “respawning”). Research also revealed that privacy policies of the top 100 websites surveyed generally did not mention the use of Flash as a tracking mechanism – indeed, only 4 polices reviewed by the study included such a disclosure.

The report is already making some waves: QuantCast, a company that measures web destinations and internet use, has said that it stopped its practice of using Flash cookies to respawn HTTP cookies after the report, which specifically named QuantCast, was released. And the timing of the report coincides with Congress and federal regulators examining behavioral advertising. 

Computer users should be aware of the presence of Flash cookies and, if desired, visit Adobe’s website to learn how to disable Flash cookies. Website operators should, as a best practice, disclose their use of Flash cookies in their privacy policies, including information about how Flash cookies are used and how users can opt out or remove them.