Carnegie Mellon University Study Suggests Browser Cookie Respawning May be Waning

Today, Carnegie Mellon University published a research study titled “A Survey of the Use of Adobe Flash Local Shared Objects to Respawn HTTP Cookies.” I referenced this study in a blog post in December on the topic of the Federal Trade Commission’s preliminary privacy report released on December 1, 2010.

Some Background Behind the Study

Let me provide some background: Over the last 18 months, there have been a number of discussions around the alleged misuse of Adobe Flash Player local storage (local shared objects, or LSOs, often referred to publicly as “Flash cookies”) and the potential impact of this misuse on consumer privacy. The allegations have been that certain websites or ad networks use LSOs to restore browser cookies after users have chosen to clear their cookies (a process referred to as “browser cookie respawning”).

Adobe has actively participated in industry discussions on the topic and submitted an official comment to the Federal Trade Commission in preparation for the second FTC roundtable discussion on privacy last year, clearly stating our position on this misuse of local storage and the steps Adobe is taking to provide better privacy protection for consumers. In the comment to the FTC, we also confirmed our commitment to supporting research into the types and extent of the misuse of local storage. The Carnegie Mellon University study released today reflects that commitment.

About the Carnegie Mellon University Study

Adobe commissioned the Carnegie Mellon University research study in 2010 to follow up on the findings about misuses of Flash Player local storage detailed in a research paper released by the University of California at Berkeley in 2009. The Carnegie Mellon University study, performed by Aleecia M. McDonald and Lorrie Faith Cranor with assistance provided by the Center for Democracy and Technology (CDT), was designed to determine the prevalence of the use of Flash Player local storage to respawn browser cookies. The study examined 600 websites based on Quantcast’s ranked list of the million most popular websites visited by United States Internet users—the 100 most popular sites and 500 randomly selected sites.

Study Results: Browser Cookie Respawning May be Waning

The study results suggest respawning is not increasing and may be waning. No instances of respawning were found in the randomly selected group of 500 websites, and only two instances of respawning were found in the 100 most popular websites. The Center for Democracy and Technology (CDT) followed up with the two companies whose websites showed HTTP cookie respawning using LSOs. Both companies have stopped the practice—one on their own and one as a result of this study.

This is good news! Adobe proactively encourages our customers to use all Adobe products in responsible, ethical ways. While the nature of providing tools for an open platform means that we cannot, in practice and on principle, control how developers and content producers use our products, these results demonstrate that the vast majority of websites, developers and content producers use local storage capabilities for their intended purpose—to provide a better user experience.

The study found LSOs with unique content and made the assumption that it could be storing user IDs; however, it notes that not all unique content is used for identifying computers. Unique content could be benign, for example, uniquely identifying where a user paused a specific animation or music clip. Tracking users is of concern from a privacy perspective, but further insight would be needed to understand the extent to which local storage is used for the purpose of uniquely identifying and tracking computers or individuals. The study does conclude that even assuming a pessimistic worst case scenario in which all websites showing LSOs with unique content were using it to track users, the absolute number of websites doing so would be small and the overall percentage of all sites studied using LSOs to track users would be low.

Stakeholder Recommendations

The Carnegie Mellon University study also examines which steps stakeholders—Adobe included—might be able to take to further reduce privacy-sensitive practices. Privacy has become an increasingly significant topic. It’s important to recognize that privacy is not a static concept. As technology and the way we engage with it evolve, the privacy discussion will evolve. Adobe is committed to the consumer’s right to privacy, and we have taken and will continue to take appropriate steps with regard to safeguarding user privacy in our tools and policies. Our goal is to put consumers in control by enabling informed choices. The recently introduced privacy-related enhancements in Adobe Flash Player demonstrate that commitment.

Adobe Initiatives to Improve Privacy Options for Users of Adobe Flash Player

In June 2010, we released Adobe Flash Player 10.1 with support for the private browsing feature found in many Web browsers. When users activate private browsing in their browser, Flash Player will not save any of their information from that session.

Adobe has also been working with major browser vendors to develop effective approaches that allow users to control local storage in Flash Player directly from their browser privacy settings. Today, Google Chrome already provides access to Flash Player local storage settings from within the browser’s privacy controls. Our collaboration with representatives from several key companies—including Mozilla and Google—to define a new browser API for clearing local data takes this effort a step further: A new API for clearing local data (NPAPI ClearSiteData) was approved for implementation on January 5, 2011. Any browser that implements the API will be able to clear local storage for any plugin that also implements the API. The capability to clear Adobe Flash Player local storage from within the Google Chrome browser should be available on the Google Chrome dev channel in the coming weeks. Similar controls for other browsers should be available in the coming months. Once the browsers have included this feature in their settings, users will be able to control the clearing of their HTTP cookies and their plugin local storage in one place. This should also discourage the use of LSOs to respawn or to track users.

Additionally, we are currently working on a redesign of the Flash Player Settings Manager, which is expected to be available in the first half of the year. This redesign will make it simpler for users to understand and manage their Flash Player settings and privacy preferences. In addition, we will enable users to more easily find the Flash Player Settings Manager by providing access to it directly from the computer’s Control Panels or System Preferences on Windows, Mac and Linux.

For details on these upcoming privacy enhancements in Adobe Flash Player, see a recent blog post by Emmy Huang, group product manager for Flash Player, titled “On Improving Privacy: Managing Local Storage in Flash Player.”

The Carnegie Mellon University study released today recognizes some of our initiatives and introduces additional suggestions, which we will carefully evaluate. Privacy is an important topic. We are dedicated to including privacy controls in our products and services. And we look forward to continuing to play an active role in the privacy discussion as it evolves.

MeMe Jacobs Rasmussen
Chief Privacy Officer
Adobe Systems Incorporated