Got Cookies? Web users suing over the use of little known “Flash Cookies”

The New York Times reports on the increasing number of federal lawsuits against tech and media companies utilizing “Flash cookies” to store information on their online behavior. At issue is that these companies used Adobe Flash, which is used to embed animations and movies on Web pages, to store and share information about users, including the videos they watched and Web sites they visited. This information was recorded despite the fact that the users thought they had restricted the use of cookies in their browsers.

How did they get around these browser privacy settings? It is important to note that Flash, as well as any other “plug-in” or “object”: is actually a self-contained program running mostly independently within its own container within a Web page. Thus, Flash doesn’t follow the Web browser’s privacy restrictions, rather it has to be set within a Flash itself. According to a Wired article last month, these companies took advantage of this lack of knowledge to circumvent browser cookie restrictions.

So, how do you go about setting privacy in Flash? Adobe has a Web site which renders the “Settings Manager” for your Flash player, including the “Website Storage Settings” which will show which sites are currently storing data. You can change “Global Storage Settings” to restrict third party content as well as deny storage to sites you haven’t visited. Keep in mind, most of the cookies stored on your computer, even Flash cookies, are innocuous, such as volume and playback preferences. Also, changing these settings may negatively impact Flash performance, depending on the site in question.

I would expect that in light of these lawsuits, Adobe will update Flash to include more obvious and gradated privacy settings sometime in the future. Cookies are an important tool for Web developers in authentication and e-commerce. Those who use them to leverage marketing over privacy risk a backlash to conducting business over the Web as a whole.