
Tracking Your Online Habits and Privacy: Huge Problems Persist

While much attention during the last few weeks has focused on Facebook and privacy, there is a far bigger privacy issue facing consumers online. It involves a technology that many websites use and few consumers are aware of.

Many websites try to present relevant advertisements based on pages you have viewed in that site, or your past purchases. Perhaps you have noticed this. My wife said she noticed more ads for flowers online after she had just bought some flowers online. She knows intuitively that something is going on behind the scenes; that her information is being shared somehow. The specific technology is a mystery to her and to many consumers.

Maybe you like relevant ads; maybe you don't. How do websites present relevant ads? One method is your sign-in credentials. When you visit a site and enter your ID and password to sign in, the website knows it's you and can track your movements within its site. That's fine and dandy. If you don't want to be tracked, don't sign in to that site.

Some websites serve up relevant ads without requiring you to sign in. How do they do this? One method is a technology called web browser cookie files or "HTTP cookies." An HTTP cookie is a small amount of text saved in a file on your computer's hard drive, in a folder used by your web browser software (e.g., Firefox, Safari, Internet Explorer). Many websites use HTTP cookies as a way to identify you: the website saves an identifier in the cookie so it can tell whether you are a new or returning visitor, and it tracks your online movements within the site to present relevant ads based on the pages you viewed there.

So if you visit a clothing site online and shop for shoes, it may save a code to the HTTP cookie file indicating when you first visited the website and that you viewed the shoes section, so the website can present more shoe ads to you while you view other site sections with pants, coats, boots, or whatever. Some consumers like the websites they visit to present relevant ads. Some consumers don't.

I have worked in the website design industry since 1997 primarily as a user experience and information architecture professional. I've built, as part of a design team, both large and small websites. Whenever we were building a website that included personalization, the topic of HTTP cookies versus sign-in credentials always came up. The method we used -- sign-in credentials, HTTP cookies, or something else (hint: keep reading and you'll learn what that is) -- was always a balance between the website design goals, users' needs, the client's budget, the preferences of the web developers, and the technological capabilities of the client's Information Technology department.

In 2007, a study found that about 30% of consumers regularly delete the HTTP cookies on their computers. These consumers value their privacy and prefer to retain as much control as possible of their personal information. Why consumers take the time and effort to delete HTTP cookie files:

  • Some websites use "session-based" HTTP cookies: information about you is stored in the HTTP cookie only for the time period while you visit the website. When you leave that website, the information stored in the HTTP cookies is deleted.
  • Some sites use "persistent" HTTP cookies: the site edits the HTTP cookie so it retains information for later use tomorrow, next week, next month, next year or whenever you return to that site.
  • Some companies buy and sell the information saved in HTTP cookies at "behavioral exchanges."

You can use your web browser software to delete HTTP cookies manually or set it to automatically delete HTTP cookies at a predetermined schedule. For example, in the Internet Explorer menu bar select:  Tools --> Internet Options --> Browsing History Delete to view the automatic and manual options.

In May 2009, I performed an informal analysis of the HTTP cookies files used by Experian and Equifax: two of the three major credit reporting agencies. In that analysis both credit reporting agencies and their advertisers saved information to HTTP cookies on my computer as soon as I visited each web site's home page. Why? To track my online movements within each site, to determine if I was a first-time or returning user, and which ads I had viewed. Based on that knowledge, they could charge their ad clients based on a more accurate measurement of online usage by me and all other consumers visiting each site.

What I found disturbing from that analysis was that both credit reporting sites started tracking my online usage before I had a chance to read each website's Terms and Conditions and Privacy policies to learn how each web site and its advertisers track my online movements. So consumers should know that tracking via HTTP cookies starts immediately when you go online.

The recent concerns about privacy at Facebook are that Facebook wants to, a) make public personal information many consumers want to keep private, and b) track your online movements and serve up relevant ads when you visit other websites; not only at the Facebook site. This is part of a trend online today.

Since that study showed that a significant number of consumers delete the HTTP cookies on their computer monthly, advertisers have sought a more reliable tracking method that wasn't vulnerable to deletion by consumers. It seems that they have found a solution with the Adobe Flash Player software which creates its own cookie files, commonly referred to as "Flash cookies" or "Local Shared Objects" (LSO).

Adobe Flash is the technology many websites use to deliver an interactive, animated website experience, content and ads. Adobe Flash Player is the free software installed with your web browser software so you can view content at websites that use Adobe Flash. Perhaps you have seen the Adobe Flash player image on the right. Adobe is the company that owns the technology and distributes the Flash player software.

You don't have to install Adobe Flash Player on your computer, but most people do because it provides a better online experience at websites that present content with Adobe Flash -- a popular technology among website designers. The Adobe Flash player software stores a "Flash cookie" file on your computer in a different file folder location which web browser and online-ad-blocking software don't access and delete.

One benefit to advertisers is that they can set Flash cookies to never expire. Another appeal is that they can store a lot more information. An HTTP cookie stores a maximum of about 1,024 bytes of information; compared to about 5 megabytes maximum for a Flash cookie. You don't need to be a rocket scientist to see which is better at collecting massive amounts of consumers' personal data and Internet habits.

Like any other technology, some websites use Flash cookies responsibly, while other sites abuse consumers' privacy with it. The problem is:

  1. Few consumers know about Adobe Flash,
  2. Even fewer consumers know about Flash cookies,
  3. Few to no websites inform users that their websites use Adobe Flash cookies,
  4. It's the wild west on the Internet and there are no rules or regulations about this, and
  5. Some websites use Flash cookies to permanently store information about consumers to avoid HTTP cookie deletion by consumers.

The problem is not new. In July 2009, I first wrote about privacy concerns with Flash cookies. To control the information Flash cookies store about you and your online habits, at that time I advised consumers to use the "Flash Privacy and Settings Control Panel" tool available at the Adobe website. I have since learned that advice is only a partial solution.

In a study last year, researchers at the University of California Berkeley analyzed the use of Flash cookies at the top 100 web sites. The researchers found:

  • 98 % of the websites analyzed use HTTP cookies; 54 % use Flash cookies
  • Of the websites using HTTP cookies, each site uses on average 36 different HTTP cookies
  • Of the websites using Flash cookies, each site uses on average 5 individual Flash cookies
  • The websites using Flash cookies included the private sector and government
  • A significant percentage of sites used Flash cookies to store the same information as HTTP cookies
  • The content in Flash cookies is stored by both the organization that operates the website and third-party organizations (e.g., advertisers, website measurement firms)
  • Some websites use Flash cookies to programmatically recreate HTTP cookies that the consumer has previously deleted
  • Many websites that use Adobe Flash are TRUSTe certified
  • The "Private Browsing" mode in Internet Explorer version 8 and Firefox version 3 doesn't delete Flash cookies
  • The researchers called Flash cookies a "Persistent Identification Element" (PIE)
  • Consumers with a computer running the Windows operating system can view Flash cookie files in this folder: \Documents and Settings\[username]\Application Data\Macromedia\Flash Player
  • Consumers with a computer running the Apple operating system can view Flash cookie files in this folder: /users/[username]/Library/Preferences/macromedia/Flash Player/
  • The "Clear Private Data" option in the Firefox web browser will not delete Flash cookies
  • Some sites use Flash cookies that actively counter the opt-out mechanism from the Network Advertising Initiative (NAI), which enables consumers to opt out of behavioral advertising programs
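
To check your own machine for the overlap the researchers describe, where a Flash cookie holds the same identifier as an HTTP cookie, the following added example (not from the study or from Adobe) lists every `.sol` file under the Flash Player folder and flags any HTTP cookie value that also appears inside one. It assumes the files sit under `#SharedObjects/<random id>/<domain>/`, uses a raw byte search instead of decoding the file format, and the function names and sample data are made up for illustration.

```python
import tempfile
from pathlib import Path

# Constructed sample data (not real tracking values).
SAMPLE_COOKIES = {"uid": "a1b2c3d4e5f60718", "lang": "en"}

def find_lsos(flash_root):
    """Return [(domain, path)] for every .sol file under the Flash Player folder."""
    root = Path(flash_root)
    found = []
    for sol in sorted(root.rglob("*.sol")):
        parts = sol.relative_to(root).parts
        # Assumed layout: #SharedObjects/<random id>/<domain>/.../<name>.sol
        known = len(parts) >= 4 and parts[0] == "#SharedObjects"
        found.append((parts[2] if known else "(unknown)", sol))
    return found

def shared_identifiers(flash_root, http_cookies, min_len=8):
    """Return [(lso_domain, lso_file, cookie_name)] for cookie values also stored in an LSO."""
    hits = []
    for domain, sol in find_lsos(flash_root):
        blob = sol.read_bytes()
        for name, value in http_cookies.items():
            # Skip short values such as "en" or "1": they match by coincidence.
            if len(value) >= min_len and value.encode("utf-8") in blob:
                hits.append((domain, sol.name, name))
    return hits

def build_sample(root):
    """Write two constructed stand-in .sol files (not valid LSO encodings)."""
    base = Path(root) / "#SharedObjects" / "QX7ZK2AB"
    files = {
        "ads.example/tracker.sol": b"\x00\xbfTCSO\x00uid\x02\x00\x10a1b2c3d4e5f60718",
        "video.example/player.sol": b"\x00\xbfTCSO\x00volume=80;lang=en",
    }
    for rel, data in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for domain, sol in find_lsos(tmp):
            print(f"{domain}: {sol.name} ({sol.stat().st_size} bytes)")
        for domain, fname, cookie in shared_identifiers(tmp, SAMPLE_COOKIES):
            print(f"HTTP cookie '{cookie}' value also stored in {domain}/{fname}")
```

To run it against real data, pass one of the Flash Player folders listed above as `flash_root` and a dictionary of cookie names and values exported from your browser.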

I am concerned about consumer privacy issues with Flash cookies given the above findings, plus:

The use of Flash cookies is one technology among several used by websites to perform "behavioral advertising" (or "targeted advertising" or "behavioral targeting"). Several Internet Service Providers (ISPs) engaged in behavioral advertising, collected information about their subscribers, and didn't obtain their subscribers' consent first. Advertisers and companies in a variety of industries seem to be rushing headfirst down a similar path with Flash cookies.

When a company collects consumers' data and shares it with other companies, the responsible thing to do is to inform its customers (and prospective customers) and then gain their express consent. Today, almost no companies (and government agencies) are disclosing their Flash cookies policies or activities.

Will this situation with Flash cookies improve? I believe that it will take some legal action for change to occur. Awareness among consumers is too low and the pursuit of profits by companies and advertisers is great.

Meanwhile, what can consumers do to protect themselves? Assuming you want to surf the web with as much privacy as possible:

  1. Set your web browser to automatically delete HTTP cookies,
  2. Firefox web browser users should install the BetterPrivacy add-on to review and delete Flash cookies,
  3. Maxa Research offers a software product to help consumers review and delete both HTTP cookies and Flash cookies,
  4. Visit the "Flash Privacy and Settings Control Panel" tool at the Adobe website to control what information Flash cookies save about you, or
  5. Surf the web with an iPad or device that doesn't use Adobe Flash.

If you discover any more tools to manage Flash cookies information, please share them in the comments section below.



Rick Cabral

Very interesting article. As an "in the industry" guy, I can add that the signal-to-noise ratio is about to get worse. Even SMB-sized Content Management Systems are now shipping with their own internal behavior analysis and content targeting tools. This means that virtually any site (not just some fortune 1000 company) has the capacity to perform the monitoring described above. The SMB market is also a market that is likely to either intentionally or unintentionally violate laws regarding internet privacy either through lack of knowledge or the fact that they're simply too small to track down.

Joan Selon

Thanks for pointing me to MAXA Cookie Manager - found it to be a very effective software to manage all types of cookies.

joe malley

The PRIVACY CRUSADER is not happy!

Charles Jeter

George, thanks for diving deeply into an issue I was only beginning to research. The EFF has an article about browser based identification which is very complementary to your detailed post in that it goes further to the side of reporting their survey results.

@ Rick C - thanks for the update about the market and analysis on where this is heading concerning the SMB market.


Charles, Joan, and Rick:

Thanks for your comments. This is the first of several articles about Flash cookies. I expect this topic to heat up during the summer and fall as consumer awareness increases. Pass the word!

Joe: thanks for the link to the Superman video, which was excellent. We sure could use a Superman in the Gulf to fix the oil leak.

