Monthly Archives: August 2010

Why Flash Cookies Should Be Banned for Advertising

I posted "Why flash cookies should be banned for third party advertising" on the Rapleaf blog. Here is a recap:



The ad industry, with leadership from groups like the IAB and NAI, is working hard to evolve and is gaining momentum by prioritizing transparency and privacy, spreading awareness, and giving people more choice and control
over how they want to participate.  As we make progress, certain
practices become obvious candidates for change and at the top of the
list today is the use of Local Shared Objects (also known as flash
cookies) for advertising.

How Flash Cookies Are Used

If you frequent sites that use flash like YouTube, you’re probably
already acquainted with flash cookies – they are responsible for storing
things like your volume preferences.

Like regular browser cookies, flash cookies are small data files that
websites create on people’s computers in an attempt to customize user

But one important difference is that flash cookies cannot be managed,
located or removed by browser options. This means that your YouTube
volume settings will remain even after you clear all your browser’s
history and stored data.  This isn’t necessarily a bad thing, but the
problems arise when this capability is used for advertising.

Today, 54% of the top 100 websites
use flash cookies in some way and in the most extreme case, flash
cookies are used to track web browsing behavior or even re-populate
normal advertising cookies that have been deleted.

While people can control regular cookie settings within their
browser, there are only a few obscure options to manage flash cookies,
including the Adobe flash settings sites, the Flash Cookie Cleaner program, and this Firefox browser plugin.

Troubling Characteristics of Flash cookies

Here’s a more comprehensive list of information. Unlike regular cookies, flash cookies:

  • Never expire
  • Can store 25x as much as a normal browser cookie (100 KB vs 4
    KB) and send data to third-party servers without permission
  • Can re-populate browser cookies that have been deleted
  • Can access and store specific personal and technical information (such as system info, user names, and more)
  • Can exist and store data even without visible flash applications
  • Cannot be easily traced back to their sources, making it
    difficult to find out which sites are actually doing the tracking
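
To make the last point concrete, here is an added example (not part of the original post) that audits the Flash Player storage directory and lists which domains have written Local Shared Objects, flagging any that hold an identifier also present in a browser cookie, the sign of cookie re-population. The directory layout and default paths are those of the desktop Flash Player; the sample files, domains and identifier are constructed for illustration, and the matching is a plain byte search rather than a full parser for the .sol format.

```python
import tempfile
from collections import defaultdict
from pathlib import Path

# Default Flash Player LSO roots (Linux, macOS, Windows).
LSO_ROOTS = [
    "~/.macromedia/Flash_Player/#SharedObjects",
    "~/Library/Preferences/Macromedia/Flash Player/#SharedObjects",
    "~/AppData/Roaming/Macromedia/Flash Player/#SharedObjects",
]
MIN_ID_LEN = 8  # ignore short cookie values that would match by accident


def audit_lsos(root, browser_cookie_values=()):
    """Map each storing domain to file count, bytes and shared identifiers."""
    root = Path(root).expanduser()
    ids = [v for v in browser_cookie_values if len(v) >= MIN_ID_LEN]
    report = defaultdict(lambda: {"files": 0, "bytes": 0, "shared_ids": set()})
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        # Layout: <random dir>/<domain>/[path/]<name>.sol
        domain = parts[1] if len(parts) >= 3 else "(unknown)"
        data = sol.read_bytes()
        entry = report[domain]
        entry["files"] += 1
        entry["bytes"] += len(data)
        # String values are stored as raw UTF-8, so a byte search finds a
        # browser-cookie identifier that has been mirrored into the LSO.
        entry["shared_ids"].update(v for v in ids if v.encode() in data)
    return dict(report)


def build_sample(root):
    """Write constructed stand-ins for .sol files (not real captures)."""
    samples = {
        "QX7KD2PA/video.example/settings.sol": b"\x00\xbfTCSO volume 80",
        "QX7KD2PA/ads.example/track/uid.sol": b"\x00\xbfTCSO uid a1b2c3d4e5f60718",
    }
    for rel, body in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for domain, info in audit_lsos(tmp, ["a1b2c3d4e5f60718"]).items():
            print(domain, info)
```

To audit a real profile, pass one of the LSO_ROOTS paths together with the cookie values exported from your browser.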

What Should Be Done?

Flash cookies need to be banned for advertising, third party
applications, and tracking until some effective package of the following
is achieved (if it can be achieved):

  • Strict guidelines concerning use
  • Transparency about where they’re used and who uses them
  • Effective tools to manage privacy and participation

Regular browser cookies aren’t perfect either – information within
them needs to be properly anonymized.  But we believe regular cookies
are the best way to protect consumers, give them control, and give them a
personalizable experience (that’s why we’re investing engineering time
and money in our anonymizing technology).

A great amount of time, commitment, and money is going into our
industry’s movement towards increased transparency and control for
people. In order for the industry to continue moving forward, let’s
stop the use of flash cookies quickly.


Why IP Tracking Is A Bad Idea

Here is a recent article I wrote for AdExchanger discussing some of the
privacy issues surrounding the tracking of IP addresses, why it should be
regulated, and why using browser cookies is a better alternative. Below
is the full article:

IP addresses are the fabric of the Internet — they are the “To” and
“From” stamps that make delivering messages between computers possible.
While they are necessary to route information from computer to
computer, they can — in many cases — be traced to a human or, at least, a
household. That means they can be used to track people’s online
behavior in a way that eliminates their anonymity online, which bodes
poorly for the future of the internet.

Users should be anonymous when they aren’t logged in

While new technologies that enable content personalization can
provide substantial value, users must also be assured that their
identity is protected for legal, ethical, and safety reasons. Consumers
should have the presumption of anonymity when they are surfing the
Internet and not logged into a site, and they should not be tracked –
either by the government or private sector – in a way that eliminates

To ensure consumer safety and the Internet’s continuing growth, the
presumption of anonymity is paramount. In particular, third-party
services like ad networks, widgets, and off-site platforms like Facebook
Connect, should maintain individual anonymity. They should not be able
to see someone’s cookie, IP address, or browser information and know
exactly who the person is.

IP addresses are personally identifiable

IP addresses should be thought of as privileged information. From
our tests, IP addresses perfectly identify about 30% of U.S. households.
That means that from an IP address, a site can know your exact address.
My home IP address, for instance, has been the same for over four years.
If consumers understand that their exact browsing habits can be tied
to them individually, their wariness will slow their use of the

The EU took an active stance on IP addresses in 2008, declaring IP
addresses as personally identifiable information (PII). This is an
important first step because IP addresses are PII. That said, even the
EU would admit that IP addresses do not always directly correlate to a
given person. Laptop users frequently change IP addresses as they move
from an Internet café to work, for example, and ISPs often dynamically
swap out IP addresses. An IP address can sometimes only give
approximate location, and may be shared across many members in an
office, university, or café.

Many Internet companies use these examples to claim that IP addresses
are not personally identifiable, that they are just broad
representations. But while IP addresses do not always identify
households, they do so in a significant percentage of traffic
(especially in Internet traffic outside work hours).

Of course, there are legitimate and even valuable uses of IP address
tracking. Tracking the IP address of suspicious ad clicking behavior
often helps prevent unsophisticated hackers from committing click fraud.
Using an IP address as an additional piece of identity allows an
efficient way of spotting when a credit card or identity has been
stolen. IP addresses can help understand the country of a user so you
can customize the language displayed. However, in the process of
providing valuable services to its customers, many Internet companies
are needlessly tracking a wide variety of data in their logs correlated
directly to the IP address.

Cookies are safer for consumers

Fortunately, for companies interested in tracking user behavior for
Internet personalization, there is a great consumer-centric alternative –
the cookie. Using cookies to track users and provide valuable services
has several important advantages over using IP addresses:

  • Because cookies sit as plaintext on a user’s browser, they identify
    the party tracking user information clearly.
  • Since cookies are governed by browser security preferences, the user
    has complete control over the amount of tracking and can choose between
    anonymity or personalization. Another benefit is that cookies can be
    cleared easily and at any time (unlike IP addresses).
  • Cookies can only be tied to one browser in one device (unlike an IP
    address, which is tied to all devices in a household). Most
    importantly, third party cookies should not include any personally
    identifiable information. If used properly, cookies allow Internet
    services to improve their products and the consumer experience without
    fear of compromising an individual’s anonymity.

Despite these advantages, awareness of what cookies are and how they
work continues to be a challenge for the average consumer. Nonetheless,
cookies represent the best technical compromise between personalization
and a user’s control over online identity.

The IP address should be considered protected information. As such,
we should agree on a certain limited set of circumstances (e.g. fraud
prevention) in which IP address tracking is necessary. Even for these
circumstances, we should agree that anyone collecting IP addresses
should be held to a higher standard of security and consumer disclosure.
For the vast majority of Internet personalization cases, we should
eliminate tracking of IP addresses and move more to a cookie-centric
world in order to protect Internet users and promote more responsible
growth and innovation.