Web browsers can be configured to reject third-party cookies (cookies that are not from the web server offering the pages you read). Third-party cookies have several uses, commonly:
- individually tracking users across multiple sites
- anonymised web analytics
Some users have configured their browsers to reject all cookies, including cookies from the web site that they are visiting. So, of course, advertisers have solved that problem… The “Flash Cookie” is a less used option for companies to store information on your machines, especially when first and third party cookies are being rejected.
Here’s Adobe’s Overview of Flash Cookies and the page on which you can find who has set a Flash Cookie. They also offer an outline of programming Flash Cookies.
Inspecting the Flash Cookies found on our machines suggests that they are mostly used to store unique user IDs (the field contains consistent information after authentication) and probably date information (clearing the cookie shows that the fields appear to increase with each new cookie and increase at a speed that suggests some sort of second-based clock).
The potential for abuse of a Flash Cookie is just the same as that of an ordinary cookie. Reputable businesses will take care to avoid storing confidential user information such as Credit Card details or balances in the Flash Cookie. Disreputable businesses will ignore all the lessons of privacy learned over the last decade… so it’s up to users to safeguard their own information.
Lack of integration with web server log files makes analysing the data a difficult and separate exercise. A first party cookie can be recorded in the web server log file. The popular web server Apache, for example, offers “mod_usertrack” that delivers a first party cookie, and a minor edit to the configuration file allows recording the cookie. This really helps web server log file analysis… but the Flash Cookie data has to be separately stored and later recombined with the web server log files. Analysing web server log files is already pretty intricate. Analysing them with an extra data source, well, it’s just that little bit harder.
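The recombination step described above, as an added example (not code from the original post): it assumes the access log records the mod_usertrack cookie via `%{cookie}n`, that Flash-side records sit in a separate store, and that the two are joined on client IP within a short time window. The log lines, store layout, IDs and function names are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; assumed format: LogFormat "%h %t \"%r\" %{cookie}n"
# (%{cookie}n is the note mod_usertrack records). All values are made up.
ACCESS_LOG = """\
192.0.2.10 [19/Jul/2007:11:47:02 +0000] "GET /index.html HTTP/1.1" ck-0001
192.0.2.10 [19/Jul/2007:11:47:09 +0000] "GET /video.html HTTP/1.1" ck-0001
192.0.2.10 [20/Jul/2007:09:15:30 +0000] "GET /index.html HTTP/1.1" ck-0002
198.51.100.7 [20/Jul/2007:09:20:00 +0000] "GET /index.html HTTP/1.1" ck-0003
203.0.113.5 [20/Jul/2007:09:25:00 +0000] "GET /index.html HTTP/1.1" ck-0004
"""
# Constructed Flash-side store (hypothetical layout): ISO time, client IP, Flash ID.
FLASH_STORE = """\
2007-07-19T11:47:10+00:00,192.0.2.10,LSO-A1
2007-07-20T09:15:33+00:00,192.0.2.10,LSO-A1
2007-07-20T09:20:02+00:00,198.51.100.7,LSO-B2
"""
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" (\S+)$')

def parse_access_log(text):  # yields (time, ip, request, cookie or None)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than guessed at
            ip, ts, request, cookie = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield when, ip, request, None if cookie == "-" else cookie

def parse_flash_store(text):  # returns {ip: [(time, flash_id), ...]}
    by_ip = defaultdict(list)
    for ts, ip, fid in (row.split(",") for row in text.splitlines()):
        by_ip[ip].append((datetime.fromisoformat(ts), fid))
    return by_ip

def recombine(log_text, flash_text, window=timedelta(seconds=30)):
    """Attach the nearest-in-time Flash ID from the same IP to each log line."""
    flash = parse_flash_store(flash_text)
    joined = []
    for when, ip, request, cookie in parse_access_log(log_text):
        near = [(abs(t - when), fid) for t, fid in flash.get(ip, []) if abs(t - when) <= window]
        joined.append((when, ip, request, cookie, min(near)[1] if near else None))
    return joined

def cookies_per_flash_id(joined):
    """Map each Flash ID to the first-party cookie values logged alongside it."""
    seen = defaultdict(set)
    for *_, cookie, fid in joined:
        if cookie and fid:
            seen[fid].add(cookie)
    return dict(seen)
```

Joining on IP and time is approximate: clients behind a shared address can be merged, and log lines with no Flash record in the window stay unmatched.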
Why Post Now?
We’ve known about Flash Cookies for a year or so, but today was the first time my browser has stored a significant count of Flash Cookies. The usage is increasing and this is now an interesting topic rather than another also-ran technology.
What kind of sites are storing Flash Cookies?
My machine mostly holds Flash Cookies for news, video sharing and viewing services:
Asking around, I’ve found all sorts of other services are storing data, including child oriented games servers, such as NeoPets. If this isn’t on your radar, both to consider using and to consider implications for security, it’s probably time to start getting interested.

Click Fraud, Google AdWords and gclid | Merjis Search Marketing Blog wrote,
[…] You can use the gclid as a proxy for a cookie. If your advertising includes the gclid, and the gclid is unique for each impression, then you can spot returning users from bookmarks - though you may pick up some bookmarks from social networking sites. You can therefore extract two more measurements… The number of times that a page is referenced in social networks (that referer_info field), and the ratios of bookmark using users with cookies versus those who have deleted the cookie. So you can infer the additional success of your programs that depend on cookies for measurement; while it is still an exercise in stats, it is at least a numerically based exercise, with your own data, rather than that of an industry pundit or terrifying percentage estimation from a commercial vested interest who wants to flog you an authentication based service, or a flash cookie service. […]
Link | July 19th, 2007 at 11:47 am
Anatomy of a Web Spam Attack | Merjis Internet Marketing Blog wrote,
[…] You might want to consider restrictions on users coming from free webmail services and using anonymising services or open proxies. What you can usefully do and what you can legitimately do, will depend on the environment, but this analysis suggests that teams work on spamming, or at least multiple browsers. Simple cookie tracking, or even Flash Cookie tracking aren’t going to be enough. The spammer may well come from a different address than the person that first identified the site. If you can, you want to head them off, early… but beware that making signup into an onerous burden may put off the customer. We’ve dealt with organisations that took the better part of a year to get SSL certificates, because that process was too onerous… if you make the validation sufficiently difficult that you’d trust a financial transaction, *before* you allow access, then you won’t see much access. […]
Link | September 9th, 2007 at 11:44 am
Michael Borgs Media weblog » Blog Archive » Cookie hier, Cookie daar… wrote,
[…] Flash Cookies (also known as Flash Local Shared Objects) have been in use since late 2005, by the BBC, YouTube, Google Adwords Video Ads and Yahoo Images, among others. Important properties of the cookie are: […]
Link | October 19th, 2007 at 12:18 am