NEWS 17 August 2009

Quantcast fixes cookie resurrection loophole

US — Online measurement firm Quantcast has fixed a loophole in its system whereby cookies could be “re-spawned” after a user had deleted them, allowing behavioural tracking to continue.

The discovery, by researchers at the University of California, Berkeley, raised concerns that “privacy-sensitive consumers who ‘toss’ their cookies to prevent tracking or remain anonymous are still being uniquely identified online”.

Researchers discovered the re-spawning behaviour in instances where two different types of cookies were in use, HTTP and Flash cookies.

HTTP is the more common type of cookie and is easily deleted by users. Flash cookies, on the other hand, are stored in a different location within a computer and are designed to be used by multiple browsers.

As such, the researchers said, “Erasing HTTP cookies, clearing history, erasing the cache, or choosing a ‘delete private data’ option within the browser does not affect Flash cookies.”

This alone “creates an area for uncertainty for user privacy control”, the researchers said. But more troubling was when they witnessed deleted HTTP cookies being rewritten in instances where their Flash counterparts had the same stored values.

Quantcast cookies were among those being re-spawned. The company uses Flash cookies to measure audiences for videos, widgets, music and other Flash content hosted on websites.

In a blog post following publication of the Berkeley paper, the company said: “As we’ve introduced new capabilities such as Flash measurement we’ve attempted to keep our measurement processes synchronised and as accurate as possible.

“One side effect of this synchronisation is that a deleted browser cookie could be set to match the [Flash cookie], resulting in the reinstatement of a previously deleted cookie value.”

Quantcast said it took immediate steps to “remedy the behaviour” and has confirmed with the Berkeley researchers that the restoration behaviour no longer occurs.

Meanwhile, the study’s authors have called for a wider debate on the subject of Flash cookies and have urged websites to be more transparent about their use of the tags, how they are employed and how web users can exert more control over their use.