Disney Sued For Spying With Flash Cookies

We all love our web browsing and the internet has become a part of our daily existence. Unfortunately, the internet has also become a great tool for the invasion of our privacy by “marketing” companies who are doing everything they can to “stand out” and be “ahead of the curve”. This means sometimes engaging in what may be called nefarious activities through cookie tracking. Cookie tracking works like a GPS system for the content provider. It is why when you visit a news website for example, they immediately serve content that is local – Austin, Georgetown, Round Rock, San Antonio etc. They know where you live because they track the IP address of your computer and tie it to the provider and the region assigned.

Well, Disney is in hot water right now for something similar but far more disturbing – Flash cookies. Flash cookies are a new way of tracking your movements and storing a lot more information about you than normal cookies do, and you can’t locate them in your browser: they do not appear in the list of cookies currently saved in your web browser. Even more disturbing is the fact that while normal web browser (HTTP) cookies cannot save more than 4 kilobytes of data, Flash cookies can save up to a whopping 100 kilobytes.

That is a lot of storage space for snooped personal information. Flash cookies are stored as LSOs, or locally shared objects, which can gather detailed user information over long periods of time without a trace. To make it worse, a recent paper by UC Berkeley researchers exposed the ability of Flash cookies to “re-spawn” themselves. This means that even if the user deleted the cookies, they were automatically regenerated, like a virus.

This is not a new development, as the dangers of Flash cookies were exposed way back in 2007.

The Disney case involves the use of Flash cookies by the company and its subsidiaries to track highly personal information about their users, many of whom were minors. Specifically, it is the “re-spawning” aspect of the suit that should concern “ordinary” users who do not have enough time or interest to dig into the more technical aspects of web browsing.

According to the suit filed in US District Court in Los Angeles against Walt Disney Internet Group, Clearspring Technologies, Warner Bros. Records, and several other companies that shared the cookies, the affiliates engaged in “covert online surveillance” by failing to adequately warn users about the information-sharing arrangement. They are also alleged to have allowed “zombie cookies” to be restored even after a user had gone through the trouble of deleting them. In one stated instance, the “re-spawning” allowed Disney affiliates to track the habits of one individual who researched articles on depression.

The companies are alleged to have violated several laws, including the federal Computer Fraud and Abuse Act, the California Computer Crime Law, the California Invasion of Privacy Act and trespass and personal property statutes by:

  • “…hack(ing) the computers of millions of consumers’ computers to plant rogue, cookie-like tracking code on users’ computers” which could not be easily detected, managed or deleted without notice or consent;
  • “circumventing the users’ browser controls for managing web privacy and security”;
  • scheming to “obtain personal identifying information, monitor users, and to sell users’ data and to use the hacked profiles to track users’ across numerous websites”;
  • spotting and tracking users when they accessed the internet from different computers, at home and at work.

There is a laundry list of information collected which, even though we know this stuff goes on, is a little troubling:

  • Viewing choices
  • Gender, age, race, number of children
  • Educational level, geographic location, household income
  • What the user looked at, what the user bought, the materials the user read
  • Details about financial situation, sexual preference, name, home address, email address, telephone number, health conditions etc.

So what can you do to protect yourself?

  • Adobe Flash has a “Settings Manager” that can be used to control how Flash cookies work on your computer, but the tool is buried on the company’s website and is not readily available through the controls on your web browser. You can access the tool here. Go through the settings and make “deny” the default for everything. You can also set the allowable storage to 0. The setting can always be adjusted if necessary.
  • In addition, get into the habit of using web browsers other than Internet Explorer that give you more granular control over what your browser can do, so that you do not have to dig through hidden menus and locations to adjust settings, as is the case with Internet Explorer.
    Firefox, Opera and Chrome, for example, have add-ons that can help you fight the invasion of privacy that is being driven by the need to gather more information about your browsing habits so companies can better target what to advertise to you.
  • You can also try not using your real name for your computer account. Use a nickname instead. Encrypt personal data with tools like TrueCrypt and AxCrypt. If you are using Internet Explorer 7 and above, Opera or Firefox, there is an option for private browsing where cookies are not saved. It is not perfect, but it can reduce the amount of trash content providers leave on your computer.
  • Use spyware scanning tools like Spybot Search and Destroy, Malwarebytes etc. By occasionally scanning your computer for spyware, you may be able to detect some irregular files dropped on your computer by a content provider.
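
Because Flash cookies never appear in the browser's cookie list, the practical check is to look for the `.sol` files that Flash Player writes to disk. The Python script below is an added example, not part of the original article; the storage paths and the `<random-id>/<domain>/` directory layout are assumptions based on Flash Player's usual defaults, and `default_roots` and `inventory_lsos` are illustrative names.

```python
import os
from collections import defaultdict
from pathlib import Path


def default_roots():
    """Usual Flash Player LSO locations (assumed defaults; adjust as needed)."""
    home = Path.home()
    roots = [
        home / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    ]
    appdata = os.environ.get("APPDATA")                                       # Windows
    if appdata:
        roots.append(Path(appdata) / "Macromedia/Flash Player/#SharedObjects")
    return [r for r in roots if r.is_dir()]


def inventory_lsos(root):
    """Map each storing domain to the count and total size of its .sol files."""
    root = Path(root)
    report = defaultdict(lambda: {"files": 0, "bytes": 0})
    for path in root.rglob("*.sol"):
        if path.is_symlink() or not path.is_file():
            continue
        parts = path.relative_to(root).parts
        # Assumed layout: <random-id>/<domain>/[sub/dirs/]<name>.sol
        domain = parts[1] if len(parts) >= 3 else "(unknown)"
        report[domain]["files"] += 1
        report[domain]["bytes"] += path.stat().st_size
    return dict(report)


if __name__ == "__main__":
    roots = default_roots()
    if not roots:
        print("No Flash Player shared-object directory found.")
    for root in roots:
        print(root)
        found = inventory_lsos(root)
        for domain, s in sorted(found.items(), key=lambda kv: -kv[1]["bytes"]):
            print(f"  {domain:40} {s['files']:3} file(s) {s['bytes']:8} bytes")
```

Run it before and after clearing your browser cookies: any domain still listed the second time is one whose Flash storage the browser's cookie controls did not touch.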

Sadly, many computer users take the issue of privacy and safe computing for granted, until something terrible happens.