More than half of the sites that you visit will be using Flash cookies to store information about users, according to a study performed by UC Berkely researchers . The report showed that some are using these cookies to regenerate HTTP cookies previously eliminated. Adding insult to injury, privacy policies on these sites rarely disclose the use of these Flash cookies and controls are lacking to protect against it; creating yet another covert invasion into your browsing experience.

“Flash cookies”, officially termed “local shared objects” (LSO) were introduced as a feature of Adobe’s Flash MX technology, now commonly used by popular web-sites. Its primary use was meant for caching and saving settings. However, it is the use as a user tracking mechanism which has opened it upto privacy investigation. Compared with traditional HTTP cookies, flash cookies have the advantages of much larger storage sizes (100+ vs. 4 Kb), no expiration dates by default and inconspicuous storage location. For these reasons, they have become widely used to track user activity for behavioral advertising.

With the growing concern over online consumer privacy, US federal regulators are considering implementing rules focused on users’ ability to avoid tracking. Flash cookies, however, have not yet entered into this discussion. Means to review, control creation or delete these objects are almost as inconspicuous as the cookies themselves. Adobe provides a Flash Player Settings Manager web-page to manage the privacy settings for sites that contain SWF or FLV content or run the Flash Player application. Typical browser settings, which control standard HTTP cookies, do not yet maintain Flash cookies but thankfully add-ons, such as Mozilla Firefox’s BetterPrivacy 1.29, are available to provide a user-friendly interface to manage them. Of important note from the UC Berkley report, the vast majority of sites displayed no functionality issues after third-party Flash content was disabled, however, 9 of the tested sites would not display Flash content.

The UC Berkley study was conducted on the top 100 ranked web-sites to determine whether they were using Flash cookies and the privacy implications associated with their use. Almost a third of the sites utilizing Flash cookies seem to be replicating information in standard HTTP cookies. Interestingly, 14 of 31 sites, which carried the TRUSTe Web Privacy Seal, employed Flash cookies. Meanwhile, only 4 of the sites mentioned the use of Flash in their privacy policy, as a mechanism used to track user habits. In addition, one site when tested for its interaction with the Network Advertising Initiative (NAI) opt-out cookie, regenerated an HTML cookie even after the opt-out cookie was set. It is evident that though there are certainly great benefits gained by using Flash cookie technology, there is currently a lack of accountability, appropriate notification and opt-out mechanisms available to users.