Web analytics expert warns against ‘risky’ use of Flash cookies
While many web users are au fait with HTTP cookies and how they are used for measuring website traffic, there is little public awareness of Flash cookies, or ‘local shared objects’ (LSOs) as they are technically known, says Eric Peterson.
This lack of awareness means few people know how to manage and delete Flash cookies as they are not stored on a person’s computer in the same place as HTTP cookies.
Peterson, the CEO of consultancy Web Analytics Demystified, says Flash cookies also appear to be “impervious” to the private browsing modes recently deployed by Firefox, Microsoft and Apple.
Though this makes Flash cookies a more reliable means of accurately counting website visitors, Peterson says: “The use of Flash LSOs is unfortunately a risky business. There is strong evidence that more and more companies are using LSOs in direct conflict with consumer preferences and existing systems designed to control access to information and protect a user’s privacy online.”
LSOs first emerged as a way for Adobe’s Flash player to keep track of a user’s personalised settings – audio levels, for instance – across different browser sessions and even different browsers.
Their use as measurement tool has come about as high consumer awareness of HTTP cookies has led to high cookie deletion rates, meaning websites are often placing more than one cookie on each computer – thus inflating unique browser figures.
Peterson says: “While there are many appropriate and beneficial uses for Flash LSOs… it is increasingly clear that in some cases the data contained in the Flash object are being used for consumer tracking purposes.” This in itself wouldn’t be a problem – except Peterson notes that “disclosure about the use of Flash LSO for tracking purposes is rare on the internet today”.
Aside from the disclosure issue, Flash cookies have also been found to be used to re-spawn HTTP cookies where they have been deleted by a web user – clearly going against web users’ wishes not to be tracked.
Peterson says: “With the attention given to consumer privacy on the internet at both individual and government levels, we believe that companies making inappropriate or irresponsible use of the Flash technology are very likely asking for trouble (and potentially putting the rest of the online industry at risk of additional government regulation).”
In a report commissioned by media auditor BPA Worldwide, Peterson recommends that companies do not use Flash to reset browser cookies, that the use of LSOs is properly disclosed and that site visitors are given the option to disable LSOs.

We hope you enjoyed this article.
Research Live is published by MRS.
The Market Research Society (MRS) exists to promote and protect the research sector, showcasing how research delivers impact for businesses and government.
Members of MRS enjoy many benefits including tailoured policy guidance, discounts on training and conferences, and access to member-only content.
For example, there's an archive of winning case studies from over a decade of MRS Awards.
Find out more about the benefits of joining MRS here.
2 Comments
John Grono
15 years ago
While Flash cookies are a more reliable way of using cookies to track usage - at least they are currently - ALL cookies are still fundamentally flawed as an audience measurement tool. For any users which access the Internet in multiple locations - home and work, home and school etc - you STILL get cookie duplication leading to overall audience inflation. In order to track "people counts" more accurately you need a hybrid combination of both client-side panel measurement and server-side cookie tracking. To track "people as individuals" ... well, good luck as the underlying inherent assumption that correlates a cookie to an individual is flawed.
Like Reply Report
Emmy Huang
15 years ago
Hi, Adobe Flash Player 10.1, currently in beta on Adobe Labs (labs.adobe.com/technologies/flashplayer10), does support private browsing mode. For more information, see http://www.adobe.com/devnet/flashplayer/articles/privacy_mode_fp10.1.html Regards, Emmy Huang Group Product Manager, Adobe Flash Player blogs.adobe.com/emmy
Like Reply Report