Web analytics expert warns against ‘risky’ use of Flash cookies

While many web users are au fait with HTTP cookies and how they are used for measuring website traffic, there is little public awareness of Flash cookies, or ‘local shared objects’ (LSOs) as they are technically known, says Eric Peterson.

This lack of awareness means few people know how to manage and delete Flash cookies as they are not stored on a person’s computer in the same place as HTTP cookies.

Peterson, the CEO of consultancy Web Analytics Demystified, says Flash cookies also appear to be “impervious” to the private browsing modes recently deployed by Firefox, Microsoft and Apple.

Though this makes Flash cookies a more reliable means of accurately counting website visitors, Peterson says: “The use of Flash LSOs is unfortunately a risky business. There is strong evidence that more and more companies are using LSOs in direct conflict with consumer preferences and existing systems designed to control access to information and protect a user’s privacy online.”

LSOs first emerged as a way for Adobe’s Flash player to keep track of a user’s personalised settings – audio levels, for instance – across different browser sessions and even different browsers.

Their use as measurement tool has come about as high consumer awareness of HTTP cookies has led to high cookie deletion rates, meaning websites are often placing more than one cookie on each computer – thus inflating unique browser figures.

Peterson says: “While there are many appropriate and beneficial uses for Flash LSOs… it is increasingly clear that in some cases the data contained in the Flash object are being used for consumer tracking purposes.” This in itself wouldn’t be a problem – except Peterson notes that “disclosure about the use of Flash LSO for tracking purposes is rare on the internet today”.

Aside from the disclosure issue, Flash cookies have also been found to be used to re-spawn HTTP cookies where they have been deleted by a web user – clearly going against web users’ wishes not to be tracked.

Peterson says: “With the attention given to consumer privacy on the internet at both individual and government levels, we believe that companies making inappropriate or irresponsible use of the Flash technology are very likely asking for trouble (and potentially putting the rest of the online industry at risk of additional government regulation).”

In a report commissioned by media auditor BPA Worldwide, Peterson recommends that companies do not use Flash to reset browser cookies, that the use of LSOs is properly disclosed and that site visitors are given the option to disable LSOs.