Flash Cookies Serve Up An Annoying New Trick

When you delete something from your PC, you expect it to stay deleted. Some online services, however, see things differently.A few months ago, I explained how Flash cookies differ from the traditional variety. Today, however, many Web users who understand how regular cookies work still know very little about the Flash variety. They don't realize, for example, that Flash cookies can store far more data, may reside on a host system indefinitely, and usually load without a user's knowledge or permission.

As a result, most users also don't know how to identify and delete unwanted Flash cookies on their PCs. That leaves them open to an annoying, and potentially invasive, trick.

From Wired.com: Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not. Whats even sneakier? Several services even use the surreptitious data storage to reinstate traditional cookies that a user deleted, which is called re-spawning in homage to video games where zombies come back to life even after being killed, the report found. So even if a user gets rid of a websites tracking cookie, that cookies unique ID will be assigned back to a new cookie again using the Flash data as the backup. One of the services cited in the article, Clearspring, told Wired that its use of Flash cookies to restore deleted standard Web cookies is intended to speed page-load performance.

Hey, that's a relief. We delete cookies from our PCs, and companies like Clearspring go behind our backs to restore them. Fortunately, it's for our own good.

Even Clearspring's customers seem to think the company has a screw loose. A January, 2009 company blog post asked for feedback on its decision to adopt Flash-based tracking technology. Every comment posted gave the idea an unequivocal thumbs-down.

Like I said before, this isn't about whether or not Flash cookie technology represents an immediate security threat. It's about the fact that any application that stores tracking data without a user's knowledge or permission creates an implicit, and pointless, source of risk.

And now, it's about the fact that some companies use the technology to undermine our ability to say "no" to third-party tracking data, even after we deliberately remove it from our PCs.

I think it's a sleazy way to do business, and it makes me wonder whether Flash cookies are simply incapable of serving any legitimate purpose.