Commentary

Privacy Snafu As Web Sites Bypass Cookie-Blockers

Last year, researchers at UC Berkeley documented that some Web companies appeared to be circumventing users' privacy settings by using Flash cookies to recreate deleted HTTP cookies. Now, a new report by Carnegie Mellon indicates that Web sites are thwarting users' privacy choices by providing erroneous information to Microsoft's Internet Explorer.

Like other browsers, Explorer allows users to automatically reject certain cookies, including tracking cookies. In order to honor users' preferences, Explorer and other browsers rely on Web site operators to create accurate "compact policies" or CPs -- described by researchers as "a collection of three-character and four-character tokens that summarize a website's privacy policy pertaining to cookies."

The problem is that a great many sites aren't doing so. "We collected CPs from 33,139 websites and detected errors in 11,176 of them, including 134 TRUSTe-certified websites and 21 of the top 100 most-visited sites," researchers state in a summary of their report. The authors add that thousands of sites were using identical invalid compact policies "that had been recommended as workarounds" to stop Explorer from blocking cookies.

"It appears that large numbers of websites that use CPs are misrepresenting their privacy practices, thus misleading users and rendering privacy protection tools ineffective," the summary says. "Unless regulators use their authority to take action against companies that provide erroneous machine-readable policies, users will be unable to rely on these policies."

The Federal Trade Commission has already indicated it's interested in Flash cookies; meanwhile, consumers' class-action attorneys have filed at least three lawsuits to date against companies who allegedly used Flash to recreate deleted HTTP cookies, including an action against Specific Media.

Putting out misinformation in order to get around users' privacy preferences certainly seems comparable to using Flash cookies to recreate deleted HTTP cookies. It also seems like the type of activity that's almost guaranteed to result in new scrutiny by regulators, while fueling calls for new privacy legislation.

1 comment about "Privacy Snafu As Web Sites Bypass Cookie-Blockers".
  1. Craig Mcdaniel from Sweepstakes Today LLC, September 10, 2010 at 7:16 p.m.

    Interesting, I have found what I think are flash cookies being used in Google Adsense ads. I have tested my beliefs out on several different computers to see what ads come up different. There were a handful, and I emailed Google about a dozen times. Their response... "Our engineers are working on it..."

    As a publisher, I have the right and responsibility to protect my members who total in the 6 figures. I also have the right to protect my site from unwanted ads. However Flash Cookies can get around these rights.

    I asked Google to prohibit flash cookies but no word back on this. In my opinion, Google should do everything to protect us the publishers as well as their own interest.
