Web users sue companies claiming use of Flash cookies is a hack

Out-Law News | 19 Aug 2010 | 9:06 am | 1 min. read

Content sharing service Clearspring and some of its customers, including a Walt Disney subsidiary and Warner Brothers, are being sued over the alleged use of Flash cookies to track the actions of children.

The companies are being sued in a class action suit which claims that the technology is being used to track their web usage without proper notice and in a way that side-stepped the users' management of their online privacy.

Regular cookies, also known as HTTP cookies, are files stored in internet browsers which can be used to remember a person's online activities and identify them as a repeat visitor to websites or adverts. They can be controlled through a browser's settings and their use is normally flagged in a website's privacy policy.

Media playing software Flash, which was created by Adobe, also has some cookie-like functions that are less well known.

Researchers at the University of California, Berkeley reported last year that Flash cookies, also known as Locally Shared Objects (LSOs), can report what users are doing online even when they have disabled HTTP cookies.

"This means that privacy-sensitive consumers who 'toss' their HTTP cookies to prevent tracking or remain anonymous are still being uniquely identified online by advertising companies," said the researchers in a report on flash cookies. "Few websites disclose their use of Flash in privacy policies, and many companies using Flash are privacy certified by TRUSTe."

The lawsuit, filed in the US District Court for the Central District of California, said that Flash cookies are 'tracking codes' which are planted by Clearspring in co-operation with affiliate websites, such as those operated by Walt Disney Internet Group, Warner Bros and others.

The suit said that the Flash cookies allowed the companies to "track Plaintiffs and Class Members that visited non-Clearspring Flash Cookie Affiliates websites by having their online transmissions intercepted, without notice or consent".

"[The companies] perpetrated this exploit so they could obtain personal identifying information, monitor users, and to sell users' data," said the complaint.

The suit also claims that the Flash cookies can be used to 're-spawn' HTTP cookies, meaning that users who had deleted cookies in their browser would then find that their browsers were re-identifying them.

This capability was also pointed out in the University of California research paper.

The case claimed that the companies knowingly tracked users in a way that was not disclosed in its terms of service or privacy policy. It said that they "hacked the computers of millions of consumers' computers to plant rogue, cookie-like tracking code on users' computers".