Top websites using Flash cookies to track user behavior


Users often delete HTTP cookies to enhance their privacy, but some of the most popular websites are circumventing these efforts by utilising little-known Flash cookies, researchers at the University of California have found.

The UC Berkeley research, which was submitted to the federal government for consideration as part of a new policy on the use of tracking technologies, found that Flash cookies were used on 54 of the top 100 websites. Similar to HTTP cookies, Flash cookies are a mechanism to store information about a user's preferences for websites that use Adobe Flash, a multimedia platform for viewing videos.

Unlike traditional HTTP cookies, Flash cookies are not controlled by the browser, so erasing HTTP cookies does not erase Flash cookies – enabling some websites, particularly advertising networks wishing to track users' browsing habits, to thwart users' efforts to avoid being tracked, according to the report.

“Flash cookies are a popular mechanism for storing data on the top-100 websites,” the report states. “Some top-100 websites are circumventing user deletion of HTTP cookies by respawning them using Flash cookies with identical values.”

When users visit a site that is using cookies, they are given a unique identifier, Ashkan Soltani, a UC Berkeley graduate student and lead researcher on the study, told SCMagazineUS.com. When HTML cookies are deleted, the users would get a new value when visiting the site. But when Flash cookies and HTML cookies are given the same value, as they were on 31 of the top 100 websites, “it will restore the value of your original cookie, and thereby nullifies the deletion of the HTML cookies”, Soltani said.
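The respawning pattern described above can be checked by comparing three observations of one site: HTTP cookies on a first visit, the values held in Flash storage, and HTTP cookies on a revisit made after only the HTTP cookies were cleared. This is an added example, not code from the study; the site data, the cookie names other than "userid" and "volume", and the 8-character minimum length are constructed assumptions.

```python
"""Flag HTTP cookies that were respawned from Flash storage (constructed data)."""

MIN_ID_LEN = 8  # assumption: shorter values ("1", "en") match by coincidence


def find_respawned(before, flash, after, min_len=MIN_ID_LEN):
    """Return cookies that came back with their old value after deletion.

    before: HTTP cookies seen on the first visit          {name: value}
    flash:  values held in Flash local storage            {name: value}
    after:  HTTP cookies seen on a revisit made after the user cleared
            HTTP cookies but left Flash storage untouched {name: value}
    """
    # Index Flash storage by value so a match does not depend on key names.
    flash_by_value = {}
    for fname, fvalue in flash.items():
        flash_by_value.setdefault(fvalue, []).append(fname)

    findings = []
    for name, old in sorted(before.items()):
        new = after.get(name)
        if new is None or new != old:
            continue  # cookie gone, or reissued with a fresh identifier
        if len(old) < min_len:
            continue  # too short to act as a unique identifier
        sources = flash_by_value.get(old)
        if sources:
            findings.append({"cookie": name, "value": old,
                             "flash_keys": sorted(sources)})
    return findings


# Constructed sample observations for one hypothetical site.
BEFORE = {"uid": "a3f9c27e51b04d88", "session": "s-11871", "lang": "en"}
FLASH = {"userid": "a3f9c27e51b04d88", "volume": "70", "locale": "en"}
AFTER = {"uid": "a3f9c27e51b04d88", "session": "s-90442", "lang": "en"}

if __name__ == "__main__":
    for f in find_respawned(BEFORE, FLASH, AFTER):
        print(f"{f['cookie']} respawned from Flash key(s) {f['flash_keys']}")
```

A cookie that returns unchanged but has no matching Flash value is not flagged here; it may have been restored from some other store that this comparison does not inspect.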

The most popular Flash cookies were named “volume”, “userid” and, less commonly, “computergrid”. The names of the cookies indicate that they are being used to log a user's preferences for music and video players, user identification names, and, less frequently, the user's location.

The UC Berkeley study found that three of the six US government websites they analysed used Flash cookies, including WhiteHouse.gov, which collects a “userid” Flash cookie.

Users can delete Flash cookies by going to Adobe's Flash Player settings manager website – but many users are not aware of Flash cookies, the report states.

In general, cookies have many legitimate uses.

“For example, every time you use a 'shopping cart' at an online store, or have a website remember customised settings and preferences, cookies are being used,” according to a July 24 blog post written by US government CIO Vivek Kundra and Michael Fitzpatrick, associate administrator of the OMB Office of Information and Regulatory Affairs. But other cookies enable advertising networks to uniquely identify a user -- by his or her username -- and track that user's browsing behavior to build a profile about him or her, Soltani said. 

The US government is considering whether cookies should be used on government websites, according to Kundra and Fitzpatrick's blog.

“If there's a discussion about regulation and the use of HTML cookies, we are saying technology-specific regulation and policy is a bad idea,” Soltani said.

Soltani said that instead of regulating cookies, the US government should regulate the practice of tracking in general. Soltani said there are other technologies that could potentially enable tracking in a way similar to Adobe Flash, such as Microsoft ActiveX controls or DOM Objects.


See original article on scmagazineus.com


Copyright © SC Magazine, US edition