[access-uk] BBC News - Legal action on 'zombie cookies' filed in US court
- From: Colin r. Howard <colin@xxxxxxxxx>
- To: VICUG-L@xxxxxxxxxxxxxxxxxx
- Date: Thu, 29 Jul 2010 10:20:19 +0100
Greetings,
Very interesting, what's the solution?
http://www.bbc.co.uk/news/technology-10787882
Text lifted from site says:
Legal action on 'zombie cookies' filed in US courtBy Daniel Emery
Technology reporter, BBC News
Zombie' s always cause trouble, be they computer, network or cookie A legal
challenge has been launched in the US against a number of websites amid
claims that they were engaged in "covert surveillance" of users.
The lawsuit alleges that a number of firms, including Hulu, MTV, and
Myspace, used a Quantcast Flash application to restore deleted cookies.
Cookies are text files used by web browsers to store user data.
The lawsuit says that the application was creating so-called "zombie
cookies" from deleted files.
Quantcast has not responded to a BBC News request for comment.
The term "zombie cookie" was coined after the issue of traditional browser
cookies being undeleted by Flash was brought to light in a 2009 paper by US
researchers.
The study found that more than half of sites surveyed used flash cookies to
store information about the user, with some using it to "respawn or
re-instantiate cookies deleted by the user".
"Flash cookies often share the same values as browser cookies, and are even
used on government websites to assign unique values to users," the paper
read.
Users often purge cookies from their browser to save space or cover up
browsing history.
However, while most browsers have simple commands to delete text cookies,
Flash cookies are neither listed nor controlled by the browser.
"Privacy policies rarely disclose the presence of Flash cookies, and user
controls for effectuating privacy preferences are lacking," read the report.
The issue was caused by a Quantcast system that retrieved deleted user data
and re-created the cookie.
Critics said this was a serious breach of privacy, because if a user had
made a conscious decision to delete a cookie, it should remain deleted.
After the problem was highlighted, Quantcast released a fix, saying that
restoring deleted cookies it was an "unintended consequence of trying to
measure web traffic".
Writ
However, the lawsuit, brought about by US privacy activist Joseph Malley,
states that the practice of re-creating deleted cookies continues and that
users were "victims of unfair, deceptive, and unlawful business practices"
and "their privacy, financial interests, and computer security rights were
violated".
?
Start Quote
It would be unfair to say that the companies running the websites are at
fault.?
End Quote
Graham Cluley
Sophos
Graham Cluley, senior technology consultant at the internet security firm
Sophos, told BBC News that the source of the trouble was Adobe Flash itself,
which he called "one of the weirdest programs on the planet".
"I think it's highly unlikely that these large companies have abused Flash
cookies - which are different from browser cookies - with malicious intent,"
he said.
"I think it's much more likely that the vast majority of users are simply
oblivious to the bizarre way in which Adobe allows them to configure the
software."
While traditional browser cookies can be deleted from a users computer,
either through an automatic purge or manual removal, the security settings
for Flash are hosted on Adobe's own website, rather than your own computer.
Mr Cluley said that these settings are changed by logging onto Adobe's
website, right-clicking on a Flash object and selecting "Global Settings"
and then adjusting the security settings via the "Global Privacy Settings"
panel.
"It would be unfair to say that the companies running the websites are at
fault, in my opinion," he said.
"Surely if they are guilty then so are the web users who chose to run Flash
with these settings, and Adobe themselves who chose such a peculiar and
downright odd way to configure their software."
This email has been sent to you by Colin Howard, who lives in a small place
about 8 miles east of Southampton in Southern England.
** To leave the list, click on the immediately-following link:-
** [mailto:access-uk-request@xxxxxxxxxxxxx?subject=unsubscribe]
** If this link doesn't work then send a message to:
** access-uk-request@xxxxxxxxxxxxx
** and in the Subject line type
** unsubscribe
** For other list commands such as vacation mode, click on the
** immediately-following link:-
** [mailto:access-uk-request@xxxxxxxxxxxxx?subject=faq]
** or send a message, to
** access-uk-request@xxxxxxxxxxxxx with the Subject:- faq
Other related posts:
- » [access-uk] BBC News - Legal action on 'zombie cookies' filed in US court - Colin r . Howard