Flash zombie cookies, AddThis, and the danger of third party widgets

It’s fairly common knowledge that our daily activities online (and off) are tracked, analyzed, and sold — to an extent that would make most of us blush if we really knew all the details.

But as Wired.com reported last week, researchers at the University of California, Berkeley have found a particularly nasty practice involving Flash cookies, a technology that is becoming widespread in ads, videos and widgets around the Web.

First of all, Flash cookies — unlike the more ubiquitous and better-known HTML variety — cannot be regulated or deleted through Web browsers’ privacy settings. They can only be controlled by the end user through an obscure, downright confusing page on Adobe’s web site. (And Flash cookies can hold up to 100Kb of data, dwarfing HTML cookies which are usually limited by browsers to 4Kb.)

More dubiously, Flash can “re-spawn” traditional cookies that the user has already deleted, creating a new cookie using the original’s unique ID and filling it in with other data captured by Flash. That’s right, it brings them back from the dead. Thus: ZOMBIE cookies!

Third-party advertisers are the worst offenders found by the UC Berkeley researchers. Also named is Clearspring, maker of the popular AddThis widget. The AddThis button (pictured) makes it easy for publishers to add many social bookmarking links to any page or post. It was also found to reinstate deleted cookies from AOL.com, Answers.com, and Mapquest.com.

Clearspring did not deny the practice when contacted by Wired, saying it speeds up surfing and is disclosed in their privacy policy. It’s still a shady move, however; Web editors who use AddThis should strongly consider discontinuing it.

Furthermore, all publishers should be reminded that the many great copy & paste third party widgets like AddThis — from video and feed embeds to bookmarking and analytics — may be free, but that does not mean they come without a cost. In exchange for expedience, you’re allowing outside companies to run code through your site and on the computers of your visitors. While their intentions may not be nefarious, you should at least know what they’re doing. Are you comfortable with all that happens? If your readers knew, would they be comfortable too?

The same suspicions apply especially to outside advertising.
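Knowing what outside code your pages load is the first step. The script below is an added example (not part of the original post) that inventories third-party script, iframe, embed and Flash object sources in a page's HTML so an editor can see every outside host that gets to run code on readers' machines. The sample page and the hostnames in it are constructed for the example; only s7.addthis.com is taken from the page.

```python
"""Inventory third-party embeds in a page (added example, not from the post)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags, and the attribute on each, through which outside code is pulled in.
_LOADERS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class _EmbedCollector(HTMLParser):
    """Collects (tag, url) for every resource-loading tag, in document order."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Flash objects often name the .swf via <param name="movie" value="...">
        if tag == "param" and attrs.get("name", "").lower() == "movie":
            if attrs.get("value"):
                self.found.append(("object", attrs["value"]))
            return
        attr = _LOADERS.get(tag)
        if attr and attrs.get(attr):
            self.found.append((tag, attrs[attr]))


def third_party_embeds(html, site_host):
    """Return a sorted list of (tag, host) for resources served from outside site_host.

    Relative URLs are same-origin and skipped; subdomains of site_host count as first-party.
    Protocol-relative URLs (//host/path) are resolved to their host as well.
    """
    collector = _EmbedCollector()
    collector.feed(html)
    outside = set()
    for tag, url in collector.found:
        host = urlparse(url).hostname
        if host is None:
            continue  # relative path: served by our own site
        if host == site_host or host.endswith("." + site_host):
            continue  # first-party
        outside.add((tag, host))
    return sorted(outside)


# Constructed sample page for a hypothetical site "collegenews.example".
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<script src="//static.collegenews.example/analytics.js"></script>
<script src="http://s7.addthis.com/js/200/addthis_widget.js"></script>
<iframe src="http://video.example.net/embed/12345"></iframe>
<object data="http://cdn.example-ads.test/banner.swf">
  <param name="movie" value="http://cdn.example-ads.test/banner.swf">
</object>
</body></html>"""


def audit_sample():
    """Run the inventory over the constructed sample page."""
    return third_party_embeds(SAMPLE_PAGE, "collegenews.example")


if __name__ == "__main__":
    for tag, host in audit_sample():
        print(f"{tag:7s} {host}")
```

Run it against a saved copy of one of your own pages; every host it prints is a party whose privacy practices you are effectively vouching for. It only reads static HTML, so scripts that inject further embeds at runtime (as widgets commonly do) will not show up; a browser's network log is the complement to this check.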

Few college news sites have their own formal, written privacy policy. That’s understandable; they’re a very small cog in the very big machine of behavior tracking. We all implicitly accept a little loss of privacy for the conveniences of the modern Web, and your college rag is hardly a big reason why Google knows you better than your mother.

However, journalists must be worthy of their readers’ trust, not only in reporting but in the technology that they use to deliver it. Thinking through how you treat your readers’ privacy is essential.

You can read the full UC Berkeley report here. (It’s only 4 pages long.) Their methodology is simple enough that you could repeat the tests on your site to find out what all those little Flash buggers are really up to.
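The test itself is a comparison of three cookie snapshots: one taken before clearing cookies, one right after, and one after revisiting the site. A cookie that was gone after deletion but comes back carrying its old unique ID has been re-spawned from somewhere outside the browser's cookie store, which is exactly the zombie behaviour described above. The following is an added example, not code from the report or from the post; it reads snapshots in the Netscape cookies.txt format that curl and wget use, and the three snapshots are constructed sample data with made-up domains and values.

```python
"""Zombie-cookie check over three cookie-jar snapshots (added example)."""


def parse_cookie_jar(text):
    """Parse Netscape cookies.txt text into {(domain, name): value}.

    Format: domain, include-subdomains flag, path, secure flag, expiry, name, value,
    tab-separated. Lines beginning with '#' are comments, except the '#HttpOnly_'
    prefix that curl puts on HttpOnly cookies, which is a real cookie line.
    """
    jar = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line; ignore rather than guess
        domain, _flag, _path, _secure, _expiry, name, value = fields
        jar[(domain.lstrip("."), name)] = value
    return jar


def find_respawned(before, after_delete, after_revisit):
    """Return (domain, name, value) for cookies that were deleted and came back unchanged.

    A cookie still present in after_delete was never really removed, so it is not
    counted. A cookie that returns with a *new* value is a fresh cookie, not a zombie;
    only an identical value (the old unique ID) indicates re-spawning.
    """
    zombies = []
    for key, old_value in before.items():
        if key in after_delete:
            continue
        if after_revisit.get(key) == old_value:
            zombies.append((key[0], key[1], old_value))
    return sorted(zombies)


# Constructed snapshots. 'uid' from the tracker domain returns with the same ID.
SNAPSHOT_BEFORE = (
    "# Netscape HTTP Cookie File\n"
    ".news.example\tTRUE\t/\tFALSE\t0\tsession\tabc123\n"
    "#HttpOnly_.news.example\tTRUE\t/\tFALSE\t1893456000\tprefs\tdark\n"
    ".tracker.example-ads.test\tTRUE\t/\tFALSE\t1893456000\tuid\tX9f3-7b2c\n"
)
SNAPSHOT_AFTER_DELETE = "# Netscape HTTP Cookie File\n"
SNAPSHOT_AFTER_REVISIT = (
    "# Netscape HTTP Cookie File\n"
    ".news.example\tTRUE\t/\tFALSE\t0\tsession\tqrs789\n"
    ".tracker.example-ads.test\tTRUE\t/\tFALSE\t1893456000\tuid\tX9f3-7b2c\n"
)


def run_check():
    """Apply the three-snapshot test to the constructed data."""
    return find_respawned(
        parse_cookie_jar(SNAPSHOT_BEFORE),
        parse_cookie_jar(SNAPSHOT_AFTER_DELETE),
        parse_cookie_jar(SNAPSHOT_AFTER_REVISIT),
    )


if __name__ == "__main__":
    for domain, name, value in run_check():
        print(f"re-spawned: {name}={value} ({domain})")
```

To run this for real, export your browser's cookies at each of the three points (or drive the visits with curl and a cookie jar), and remember that the deletion step must clear HTML cookies but leave Flash storage untouched; if Flash storage is cleared too, nothing can re-spawn and the test proves nothing.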

4 comments

  1. Joey Baker says:

    Huh. I knew flash was a pain, requires load screens, crashes my browser all the time, but this is just plain evil. Thanks for bringing this up Kevin!

  2. Hi, my name is Justin Thorp. I’m the Community Manager for AddThis. I hear your concerns about our use of Flash cookies. Just wanted to add a few things that weren’t mentioned in the Wired piece.

    In addition to disclosing the practice in our privacy policy, we wrote a blog post that actively solicited feedback from the community about this back in January 2009.
    http://www.addthis.com/blog/2009/01/05/the-addthis-flash-cookie-we-need-your-feedback/

    In the post we talk about how we use the flash cookies to give our publishers better analytics and allow us to do the forthcoming feature of menu personalization.

    We also talk about our use of flash cookies in our FAQ.
    http://www.addthis.com/help/faq#flash_cookies

    In terms of what data is collected, we also go into detail about that in our FAQ.
    http://www.addthis.com/help/faq#datacollection

    If a publisher isn’t comfortable with our use of flash cookies and doesn’t mind the loss of some analytics and forthcoming features, we provide a way for our publishers to disable the flash cookie via our api.
    http://www.addthis.com/help/api-spec#configuration-ui

    What other information can we provide about our use of this practice which would ease your concerns? Feel free to e-mail me personally – justin@addthis.com

    Note: I apologize if this comment came through twice. I tried posting it earlier, but it didn’t seem to come through.

  3. @Justin: AddThis has been forthright and candid about your use of Flash cookies, unlike most users of the technology. That’s laudable, perhaps I should have stated that more clearly.

    But that doesn’t change the fact that you may be actively counteracting user actions without their knowledge.

    Personally, I lean towards rolling-your-own solutions, avoiding 3rd party cookies whenever possible, and wouldn’t use AddThis. I’m not going so far as to say that no one should use AddThis ever: others may reach a different conclusion in different circumstances. They may not mind, or choose to disable Flash via the API. But this matter demands consideration, here and whenever 3rd party software is used.

  4. Henry K says:

    After searching for a way to disable this annoying little feature, I found this.

    In the browser menu, select Tools, Internet Options
    Click on the Security tab
    Select the Restricted Sites zone
    Click the Sites button
    In the Add this website to the zone field, replace the default value with http://s7.addthis.com
    Click the Add button, then Close everything
    Refresh the page; the button and the pop up window should disappear

    Perhaps the folks at Addthis could Add this to their little Widget so people could disable it if they choose.
