February 2, 2011
At the request of Adobe Systems, Dr. Lorrie Cranor, Director of CyLab Usable Privacy and Security (CUPS), and Aleecia McDonald, Carnegie Mellon Ph.D. student, have conducted "A Survey of the Use of Adobe Flash Local Shared Objects to Respawn HTTP Cookies."
MeMe Jacobs Rasmussen, Adobe's Chief Privacy Officer, elaborates:
Adobe commissioned the Carnegie Mellon University research study in 2010 to follow up on the findings about misuses of Flash Player local storage detailed in a research paper released by the University of California at Berkeley in 2009. The Carnegie Mellon University study, performed by Aleecia M. McDonald and Lorrie Faith Cranor with assistance provided by the Center for Democracy and Technology (CDT), was designed to determine the prevalence of the use of Flash Player local storage to respawn browser cookies. The study examined 600 websites based on Quantcast’s ranked list of the million most popular websites visited by United States Internet users—the 100 most popular sites and 500 randomly selected sites.
The study results suggest respawning is not increasing and may be waning. No instances of respawning were found in the randomly selected group of 500 websites, and only two instances of respawning were found in the 100 most popular websites. The Center for Democracy and Technology (CDT) followed up with the two companies whose websites showed HTTP cookie respawning using LSOs. Both companies have stopped the practice, one on their own and one as a result of this study.
Adobe Featured Blogs: News, Views and Conversations, 1-31-11
Here are the conclusions of Cranor and McDonald, with a link to the full text of their study:
We found that while companies were still respawning HTTP cookies via LSOs as late as July 2010, the number of companies involved was low. We observed HTTP cookie respawning on the front page of only two of the top 100 websites and none of the randomly selected 500 websites we checked. Further, both companies that were respawning have stopped this practice, one on their own, and one as a result of this study. However, because the sites that had been respawning are very popular, many users may have been affected by even just two companies respawning, though respawning is by no means endemic at this time.
Further, we found sites using LSOs to set unique identifiers. While we cannot know definitively how these identifiers are used in practice, we believe some of them identify individual computers. If so, this is functionally equivalent to respawning HTTP cookies. Companies may use LSOs to track users who decline or delete HTTP cookies, but do not realize they also need to manage LSOs. We observed fairly low rates of LSOs that may be identifying computers, 9% for the most popular 100 websites, and 3.4% of a random selection of 500 websites. However, again, the most popular sites reach a very large number of users, so many people may be affected by these practices. Furthermore, a little over 40% of sites that save LSO data store unique identifiers, suggesting that Flash developers may not understand LSOs as a privacy concern.
Finally, we note that the most popular sites are more likely to engage in practices with potential privacy implications. We observed primarily third-party LSOs in the randomly selected 500 websites, which again suggests it is possible to work with a small number of prominent companies to dramatically affect practices, rather than needing to contact a large number of small companies. We have hope that LSO use to circumvent users' privacy preferences can be reduced, but note that many other technologies exist that will fill the same function. So long as we focus on individual technologies, rather than a larger picture of user privacy and control, we risk an arms race with advertisers changing the technologies they use to identify users, regardless of users' privacy preferences.
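The check at the heart of the study (visit a site with a clean profile, record its HTTP cookies and Flash LSOs, delete only the HTTP cookies, visit again, and see which cookie values come back from Flash local storage) can be expressed as a small offline script. The following is an added Python example, not code from the study, from CyLab or from Adobe. The two visit snapshots are constructed sample data, and the "looks like a unique identifier" heuristic (long alphanumeric string with high character entropy) is an assumption of this example, not the criterion the study published.

```python
"""Respawn check modelled on the study's method (added example, not the study's code).

Visit 1: clean browser profile, record HTTP cookies and the contents of the
Flash LSOs written under #SharedObjects.  Delete the HTTP cookies, keep the
LSOs.  Visit 2: record the cookies set again.  A cookie that comes back with
the same value, where that value is also stored in an LSO, is flagged as
respawned from Flash.  A cookie that comes back unchanged without an LSO
match is reported separately: that is a fingerprint or server-side match,
not a Flash respawn, and the study's method cannot attribute it to LSOs.
"""
import math
import re
from dataclasses import dataclass


@dataclass
class Visit:
    cookies: dict  # cookie name -> value, as the browser holds them after the page load
    lsos: dict     # "domain/path/name.sol" -> {key: value}, decoded from the .sol files


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution (0.0 for a constant string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Heuristic for "this LSO value is probably a per-computer identifier": an
# assumption of this example, not the study's published criterion.
ID_LIKE = re.compile(r"^[A-Za-z0-9_\-]{16,}$")


def looks_like_identifier(value, min_entropy: float = 3.0) -> bool:
    return (isinstance(value, str)
            and bool(ID_LIKE.match(value))
            and shannon_entropy(value) >= min_entropy)


def lso_values(lsos: dict):
    """Flatten a visit's LSOs to (file, key, value) triples."""
    return [(path, key, value)
            for path, entries in lsos.items()
            for key, value in entries.items()]


def classify(first: Visit, second: Visit) -> dict:
    """Compare the two visits.

    respawned:      cookie set on visit 1, deleted, set again on visit 2 with the
                    same value, and that value also sits in an LSO from visit 1.
    reappeared:     same value came back but no LSO holds it (source unknown).
    identifier_lsos: LSO entries whose value looks like a unique identifier.
    """
    stored = {str(v) for _, _, v in lso_values(first.lsos)}
    respawned, reappeared = {}, {}
    for name, value in second.cookies.items():
        if first.cookies.get(name) != value:
            continue  # new or changed value: nothing was carried across the deletion
        if value in stored:
            respawned[name] = value
        else:
            reappeared[name] = value
    identifier_lsos = [(p, k, v) for p, k, v in lso_values(first.lsos)
                       if looks_like_identifier(v)]
    return {"respawned": respawned,
            "reappeared": reappeared,
            "identifier_lsos": identifier_lsos}


# Constructed sample snapshots (not data from the study).  The third-party
# tracker keeps a copy of the "uid" cookie in its LSO; the first-party
# player LSO only stores a volume setting.
FIRST = Visit(
    cookies={"uid": "a8f3c21e9b7d4f60e2c1", "session": "s1", "prefs": "lang=en"},
    lsos={"example-ad.net/tracker.sol": {"uid": "a8f3c21e9b7d4f60e2c1", "ver": "2"},
          "example.com/player.sol": {"volume": "0.8"}},
)
SECOND = Visit(
    cookies={"uid": "a8f3c21e9b7d4f60e2c1", "session": "s2", "prefs": "lang=en"},
    lsos=FIRST.lsos,  # LSOs were deliberately left in place between visits
)

if __name__ == "__main__":
    result = classify(FIRST, SECOND)
    for category, hits in result.items():
        print(f"{category}: {hits}")
```

Running the script reports "uid" as respawned (its value reappears after deletion and is held by the tracker's LSO), "prefs" as reappeared without an LSO match (a static preference that any server would set again, so not evidence of tracking), and the tracker's "uid" entry as the only LSO value that looks like an identifier. As the study notes, the same comparison only covers the front page and only the Flash storage channel; a site that moves to another storage mechanism passes this check unchanged.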