Privacy Lawsuit Targets Net Giants Over ‘Zombie’ Cookies

Posts: 21225
Joined: Mon Jan 05, 2009 4:02 am

Privacy Lawsuit Targets Net Giants Over ‘Zombie’ Cookies

Post by c۞g » Sun Aug 15, 2010 2:12 pm

Privacy Lawsuit Targets Net Giants Over ‘Zombie’ Cookies

A wide swath of the net’s top websites, including MTV, ESPN, MySpace, Hulu, ABC, NBC and Scribd, were sued in federal court Friday on the grounds they violated federal computer intrusion law by secretly using storage in Adobe’s Flash player to re-create cookies deleted by users.

At issue is technology from Quantcast, also targeted in the lawsuit. Quantcast created Flash cookies that track users across the web, and used them to re-create traditional browser cookies that users deleted from their computers. These “zombie” cookies came to light last year, after researchers at UC Berkeley documented deleted browser cookies returning to life. Quantcast quickly fixed the issue, calling it an unintended consequence of trying to measure web traffic accurately.

Flash cookies are used by many of the net’s top websites for a variety of purposes, from setting default volume levels on video players to assigning a unique ID to users that tracks them no matter what browser they use. (Disclosure: The last time we reported on this issue, we found that used one to set video preferences.)

The lawsuit (.pdf), filed in U.S. district court in San FranciscoCentral California, asks the court to find that the practice violated eavesdropping and hacking laws, and that the practice of secretly tracking users also violated state and federal fair trade laws. The lawsuit alleges a “pattern of covert online surveillance” and seeks status as a class action lawsuit. The lawsuit was filed by Joseph Malley, a privacy activist lawyer who also played key roles in other high profile privacy lawsuits, including a $9.5 million settlement earlier this year from Facebook over its ill-fated Beacon program and a settlement with Netflix after the company gave imperfectly anonymized data to contestants in a movie recommendation contest.

“The objective of this scheme was the online harvesting of consumers’ personal information for Defendants’ use in online marketing activities,” wrote Malley, who called the technique “as simple as it was deceptive and devious.”

Scribd, Hulu, and ESPN all declined to comment, saying they had not yet been served with the lawsuit.

Quantcast and MTV’s parent company, Viacom, did not respond to requests for comment.

The case number is 10-CV-5484, U.S. District Court for the Northern District of California.


Posts: 21225
Joined: Mon Jan 05, 2009 4:02 am

Browser Fingerprints Threaten Privacy

Post by c۞g » Sun Aug 15, 2010 6:39 pm

Browser Fingerprints Threaten Privacy
The ongoing contest between Web users' privacy and behavior-tracking browser applications has moved from cookies to fingerprints. By gathering seemingly insignificant bits of information, such as a browser's version number and plug-ins, websites can uniquely identify ("fingerprint") a browser and, in extreme cases, its user. Browser fingerprints track users more accurately than cookies. They're also harder to detect and erase than predecessor technologies — including supercookies such as Flash local stored objects (LSOs). Moreover, their presence and sophistication are growing — not least because the technology has useful applications in detecting fraudulent online bank and merchant transactions.

And right now, websites can implement browser fingerprinting without user consent or knowledge, said Seth Schoen, staff technologist at the Electronic Frontier Foundation (EFF).

"We might not object to a financial site using these techniques to reduce fraud," Schoen said, "but that doesn't necessarily mean the technique should exist or that browsers shouldn't take measures to reduce distinctiveness. It's a problem when people can be tracked without their knowledge in a way that doesn't let them take measures to control tracking."


Browser Fingerprints aka: "browser-level tracking"
For example: hxxp://

Do you use cookies?

In order to identify browser-level behavior such as new versus repeat visitors to a website or page, we may drop cookies in support of our market research efforts. To opt-out of this browser-level tracking you can click here. If you choose to opt-out, a cookie will be placed on your computer instructing us to disable our ability to browser-level track of your website visitation while on a website with a Full Circle Studies beacon installed. However, if your browser does not accept cookies, or if you delete all of your cookies, then this browser-level tracking may occur. Additionally, this opt-out is only effective when you are using the Internet browser you were using when you opted-out.
  • Parents
  • Children
    more ...

Some of these domains promote: Gift Programs: promotions | offers | surveys | rewards | coupons

Posts: 21225
Joined: Mon Jan 05, 2009 4:02 am

A Primer on Information Theory and Privacy

Post by c۞g » Sun Aug 15, 2010 6:42 pm

A Primer on Information Theory and Privacy
If we ask whether a fact about a person identifies that person, it turns out that the answer isn't simply yes or no. If all I know about a person is their ZIP code, I don't know who they are. If all I know is their date of birth, I don't know who they are. If all I know is their gender, I don't know who they are. But it turns out that if I know these three things about a person, I could probably deduce their identity! Each of the facts is partially identifying.

There is a mathematical quantity which allows us to measure how close a fact comes to revealing somebody's identity uniquely. That quantity is called entropy, and it's often measured in bits. Intuitively you can think of entropy as being a generalization of the number of different possibilities there are for a random variable: if there are two possibilities, there is 1 bit of entropy; if there are four possibilities, there are 2 bits of entropy, etc. Adding one more bit of entropy doubles the number of possibilities.

Because there are around 7 billion humans on the planet, the identity of a random, unknown person contains just under 33 bits of entropy (two to the power of 33 is 8 billion). When we learn a new fact about a person, that fact reduces the entropy of their identity by a certain amount. There is a formula to say how much:

ΔS = -log₂ Pr(X = x)

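The formula from the primer above, applied to browser attributes of the kind the fingerprinting post describes. This is an added example, not part of the original posts or the quoted articles; the visitor sample and the function names are constructed for illustration. It shows that correlated attributes identify less than the sum of their individual bit counts suggests.

```python
import math
from collections import Counter

WORLD_POPULATION = 7_000_000_000  # figure used in the quoted primer

# Constructed sample of 8 visitors: (browser, plugin list, time zone).
VISITORS = [
    ("Firefox 3.6", "flash,java", "UTC-5"),
    ("Firefox 3.6", "flash,java", "UTC-5"),
    ("Firefox 3.6", "flash", "UTC+1"),
    ("Firefox 3.6", "flash", "UTC-5"),
    ("IE 8", "flash,silverlight", "UTC-5"),
    ("IE 8", "flash,silverlight", "UTC+1"),
    ("Chrome 5", "flash", "UTC-8"),
    ("Opera 10", "flash,java,quicktime", "UTC+9"),
]

def surprisal_bits(probability):
    """Delta S = -log2 Pr(X = x): bits of identifying information in one fact."""
    return -math.log2(probability)

def attribute_bits(records, column, value):
    """Surprisal of one attribute value, using its frequency in the sample."""
    matches = sum(1 for r in records if r[column] == value)
    return surprisal_bits(matches / len(records))

def fingerprint_bits(records, fingerprint):
    """Surprisal of the whole attribute tuple taken together."""
    return surprisal_bits(Counter(records)[fingerprint] / len(records))

def entropy_bits(records, column):
    """Shannon entropy: the expected surprisal of one attribute."""
    total = len(records)
    counts = Counter(r[column] for r in records)
    return sum(c / total * surprisal_bits(c / total) for c in counts.values())

def bits_to_identify(population=WORLD_POPULATION):
    """Bits needed to single out one member of a population."""
    return math.log2(population)

if __name__ == "__main__":
    print(f"identity of a random person: {bits_to_identify():.2f} bits")
    for fp in (VISITORS[0], VISITORS[7]):
        naive = sum(attribute_bits(VISITORS, i, v) for i, v in enumerate(fp))
        joint = fingerprint_bits(VISITORS, fp)
        print(fp, f"joint={joint:.2f} bits, sum of parts={naive:.2f} bits")
```

Summing per-attribute bits is only valid when the attributes are independent; the joint figure is the one that measures how far a fingerprint narrows the crowd.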

Posts: 21225
Joined: Mon Jan 05, 2009 4:02 am

Flash Cookies and Privacy

Post by c۞g » Sun Aug 15, 2010 7:19 pm

From the Social Science Research Network - PDFs available.
Flash Cookies and Privacy
August 10, 2009
Keywords: Privacy, tracking, flash, cookies, local stored objects, usability, online advertising, behavioral targeting, self-help

This is a pilot study of the use of 'Flash cookies' by popular websites. We find that more than 50% of the sites in our sample are using flash cookies to store information about the user. Some are using it to 'respawn' or re-instantiate HTTP cookies deleted by the user. Flash cookies often share the same values as HTTP cookies, and are even used on government websites to assign unique values to users. Privacy policies rarely disclose the presence of Flash cookies, and user controls for effectuating privacy preferences are lacking.
Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning
July 29, 2011
Keywords: privacy, tracking, flash, cookies, local shared object, local stored object, online advertising, behavioral targeting, self-help, persistent identification element

In this followup study, we reassess the Flash cookies landscape and examine a new tracking vector, HTML5 local storage and Cache-Cookies via ETags.
The cache cookie method used ETags, and is capable of unique tracking even where all cookies are blocked by the user and “Private Browsing Mode” is enabled.
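A check for the respawning behaviour the two studies describe: compare cookie values before and after the user deletes cookies, and report which non-cookie store still held each value that came back. This is an added example, not code from the studies or the original post; the store names, the sample values and the `MIN_ID_LENGTH` threshold are constructed assumptions.

```python
MIN_ID_LENGTH = 8  # assumption: shorter values are preferences, not identifiers
PERSISTENT_STORES = ("flash_lso", "local_storage", "etag")

# Constructed observation of one site. BEFORE is the browser state on the
# first visit; the user then deletes all HTTP cookies and revisits.
BEFORE = {
    "cookies": {"uid": "a81f3c9e77d2", "vid": "55d0e1b7c4aa",
                "sess": "k2j4h5m6n7", "lang": "en"},
    "flash_lso": {"uidBackup": "a81f3c9e77d2", "volume": "80"},
    "local_storage": {},
    "etag": {"/pixel.gif": "v-55d0e1b7c4aa"},
}
# Constructed cookie jar observed on the second visit, after deletion.
COOKIES_AFTER = {"uid": "a81f3c9e77d2", "vid": "55d0e1b7c4aa",
                 "sess": "p9q8r7s6t5", "lang": "en"}

def find_respawned(before, cookies_after):
    """Map each cookie that returned with its old value after deletion to the
    non-cookie stores that still held that value."""
    findings = {}
    for name, value in cookies_after.items():
        if len(value) < MIN_ID_LENGTH:
            continue  # e.g. lang=en: a default preference, not an identifier
        if before["cookies"].get(name) != value:
            continue  # fresh value: the site issued a new identifier
        findings[name] = sorted(
            store for store in PERSISTENT_STORES
            if any(value in held for held in before[store].values())
        )
    return findings

if __name__ == "__main__":
    for cookie, stores in find_respawned(BEFORE, COOKIES_AFTER).items():
        print(f"{cookie} respawned; value also held in: {stores or 'unknown store'}")
```

An empty store list for a returning value means the identifier was restored from somewhere this observation did not capture.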


What's your conclusion?

Post by Guest » Mon Aug 16, 2010 6:01 pm

Haven't read the articles yet, but is this a "Super Super Cookie" that one needs to know the method of eliminating?

As I said, haven't read the articles yet, so I'm just asking your opinion on these things.

Posts: 7295
Joined: Fri Oct 17, 2008 4:20 pm

Re: "method of eliminating"

Post by Jazspeak » Mon Aug 16, 2010 6:15 pm

I would have thought that the BetterPrivacy plugin can be set up to block these types of LSO's. Running the browser in a sandbox would also be an effective defence, especially if the sandbox is set up to delete its contents at the end of each browsing session.


~Music is not just for the Masses~

Posts: 21225
Joined: Mon Jan 05, 2009 4:02 am

re: LSO

Post by c۞g » Mon Aug 16, 2010 9:55 pm

Newer technology requires no LSO; though the one article mentions how LSO are used to "backup" cookie data so they can be re-spawned after deletion.

The one post references "browser-level" tracking, no cookies required ;-)

I placed these articles in this thread for linking from the WOT Wiki Privacy Policy page I "tweaked" a bit.

Posts: 2
Joined: Sat Oct 04, 2014 10:17 pm

RE: Flash Cookies and Privacy

Post by AlchanyIncorperated » Sat Oct 04, 2014 10:17 pm

You quite literally took your own material for a source on the website review ... =rw-viewsc. No words to describe how evil you are...

Posts: 21225
Joined: Mon Jan 05, 2009 4:02 am

RE: Flash Cookies and Privacy

Post by c۞g » Sun Oct 05, 2014 2:40 am

[quote user="alchanyincorperated"]You quite literally took your own material for a source on the website review
No words to describe how evil you are...[/quote]
You must be a tracker.
Read my scorecard comment
Drops LSO's [Flash cookies] for user tracking - check your USER\Application Data\Macromedia directory.
note: LSO's are dropped whether or not you've:
* directly visited youTube
* watched a video on another website

See the evidence:
[Image]

I did change one thing.
In WOT 1.0 the comment category originally used was: Adware / spyware
In WOT 2.0 this was automatically changed to the rating category: Malware / viruses
I changed the rating category to the more appropriate tag: Online tracking

Posts: 507
Joined: Fri Apr 06, 2012 11:32 pm

RE: Privacy Lawsuit Targets Net Giants Over ‘Zombie’ Cookies

Post by nova7 » Tue Oct 07, 2014 3:03 am

This seems a bit similar to credit reporting businesses (agencies) collecting all forms of information to uniquely identify people.
