Lawsuit Hits Companies Using 'Zombie' Flash Cookies

A privacy activist has filed a lawsuit targeting eight corporate users of Quantcast's "zombie" Flash cookies, in addition to Quantcast itself. The suit alleges that MTV, ESPN, MySpace, Hulu, ABC, Scribd, and others used Quancast's Flash-based cookies to recreate browser tracking cookies that users had taken the trouble to delete. "At issue is technology from Quantcast, also targeted in the lawsuit. Quantcast created Flash cookies that track users across the web, and used them to re-create traditional browser cookies that users deleted from their computers. These 'zombie' cookies came to light last year, after researchers at UC Berkeley documented deleted browser cookies returning to life. Quantcast quickly fixed the issue, calling it an unintended consequence of trying to measure web traffic accurately. ... The lawsuit (PDF)... asks the court to find that the practice violated eavesdropping and hacking laws, and that the practice of secretly tracking users also violated state and federal fair trade laws. The lawsuit alleges a 'pattern of covert online surveillance' and seeks status as a class action lawsuit."

primo

I hate how Slashdot uses zombie flash cookies to try to keep from getting what the Italians call il primo post.

Re:primo

[aaaaaaargh!]

Well, at least zombie flash cookies are better than zombie flesh cookies...I guess

And here I thought I must have been drunk.

[JDmetro]

And forgot to delete those cookies from that porn site I didn't go to.

Re:And here I thought I must have been drunk.

I have more bad news. It is a website now.

Re:And here I thought I must have been drunk.

[Tubal-Cain]

What kind of fetish involves raping a man's barbecue?

Re:And here I thought I must have been drunk.

[nacturation]

Damn, that's the funniest thing I've read in a month.

Re:And here I thought I must have been drunk.

[Thing+1]

These haikus are not
Accurate though, because they
don't mention seasons!

Re:And here I thought I must have been drunk.

[prionic6]

Doesn't it count
that the GP was reminiscent
of spring time?

Re:And here I thought I must have been drunk.

[KrimZon]

Yes:

A proper haiku
Has to mention a season.
Nothing springs to mind :(

Re:And here I thought I must have been drunk.

[Dekker3D]

i have read your post
and i see what you did there
fall down some stairs please

Re:And here I thought I must have been drunk.

[Smekarn]

At risk of having my e-peen shrunk to negative volume: I don't get it, but I wish I did.

Re:And here I thought I must have been drunk.

[Tubal-Cain]

Did you read the AC's post?

Re:And here I thought I must have been drunk.

[karnal]

Don't worry about it now
Summer harder than others
just have to think hard

Re:And here I thought I must have been drunk.

[Tubal-Cain]

Well, if you still don't get it:
He used "grill" to mean "teeth". I chose to not interpret it that way.

Re:And here I thought I must have been drunk.

[Smekarn]

No, sir. I did not.

Thank you.

Now that I have a choice, I don't interpret it that way either.

*shudder*

Save games

[Dwedit]

Flash Sharedobjects aren't the same as cookies. They are often used as save files for Flash games. Then we have badly behaving programs like CCleaner which aggressively try to delete them all until you notice that it's about to delete all your save files, and stop it before it wipes them away.

Re:Save games

[Runaway1956]

CCleaner behaves badly? I beg to differ. CCleaner cleans trash. It ASKS you if you want to clean trash, then it TELLS you about the trash it finds, then ASKS again if you want to delete the trash.

Those who are to stupid to follow directions and/or to examine the results before taking out the trash deserve what they get.

As for those flash game files - big deal if all of them are deleted. The wife plays online flash games. Her files have been deleted by one or another privacy software. She logs back in to the site, and all her "important" saved stuff is loaded back onto her computer. Geez - that's a real burden isnt' it?

After the first time, she learned how to delete those super cookies without deleting the files she wanted saved.

Terrible learning curve, that. It took her all of 30 seconds of cussing and bitching, plus another 90 seconds of reading, and then ten more seconds to change the settings.

Meanwhile, Better Privacy routinely deletes all the asshattery of flash cookies that she didn't specifically authorize on her machine, and everyone is happy. Except the asshats, of course.

As for the lawsuit - yes, Super Cookies are a hack, and should be subject to hacking laws that are meant to protect the average user. Burn Quantcast for developing and using it, and burn everyone who has bought the damned thing. I don't care WHAT business you are in - you have no right to track people unless they specifically opt-in to a tracking program, with full knowledge and understanding of what they are doing.

Re:Save games

[Runaway1956]

SuperDuperCrapCleaner has found potential malware on your computer: NTOSKRNL Delete? y/n $

Re:Save games

[BrokenHalo]

Meanwhile, Better Privacy routinely deletes all the asshattery of flash cookies that she didn't specifically authorize on her machine, and everyone is happy. Except the asshats, of course.

This, folks, is the important bit. Better Privacy is as essential as adblock and flashblock.

Re:Save games

SuperDuperCrapCleaner has found potential malware on your computer: NTOSKRNL Delete? y/n $

$ y
$ System liberation successful

And the other big Flash problem...

You can't change the !@#$%^& Flash settings on your own computer. You have to go to a Flash website. And you can't manage your flash cookies without going to some obscure website.

It would be the easiest programming thing in the world to let people manage all the Flash settings and cookies right on the computer (no internet).

But noooo... that isn't the way the snoopy Flash people want things to be.

Re:And the other big Flash problem...

[John+Hasler]

> It would be the easiest programming thing in the world to let people manage
> all the Flash settings and cookies right on the computer (no internet).

It's your computer. You are free to program it to do whatever you want it to do.

How ironic...

[SOULFLAYER]

Does anybody else see the irony in the -government- slapping the hands of businesses who -spy- on us?

Re:How ironic...

[MobileTatsu-NJG]

Does anybody else see the irony in the -government- slapping the hands of businesses who -spy- on us?

No but that's probably because if I spied on somebody the Gov't is who I imagine would bust me. Now if Google slapped the hands of businesses collecting data...

Re:How ironic...

[The_mad_linguist]

Not really. Monopolies always try to smack down their competitors.

On LInux:

[hkz]

sudo chown root::root ~yourusername/.adobe/Flash_Player
sudo chmod 0000 ~yourusername/.adobe/Flash_Player

Re:On LInux:

[hkz]

You're right, I mistakenly assumed that ~ would be aliased to /root when sudo'ing, but the shell expands the tilde, not sudo. So:

sudo chown root::root ~/.adobe/Flash_Player
sudo chmod 0000 ~/.adobe/Flash_Player

I did this and it sort of broke Flash for me on a lot of sites, so YMMV.

Re:On LInux:

[radicalpi]

~/.adobe/Flash_Player ?

If you're running the command as root, you'll want to select your non-root account home directory.

Re:On LInux:

[hkz]

Actually, my original command would have worked, but the above is cleaner.

Re:On LInux:

[0123456]

Better yet, use Apparmor or SELinux to stop it accessing anything it shouldn't access. When I created an Apparmor profile for Flash player I was amazed by all the places it tries to read from and write to.

Re:On LInux:

[0123456]

In my case there's nothing in .adobe/Flash_Player anyway, it's all in .macromedia/Flash_Player.

Re:On LInux:

[John+Hasler]

rm -rf ~/.adobe/Flash_Player/* ~/.macromedia/Flash_Player/*
ln -s /dev/null ~/.adobe/Flash_Player/AssetCache
ln -s /dev/null ~/.macromedia/Flash_Player/#SharedObjects
ln -s /dev/null ~/.macromedia/Flash_Player/macromedia.com

Or just get rid of Adobe Flash entirely.

Re:On LInux:

[izomiac]

On Windows, in an elevated command prompt:
icacls "%APPDATA%\Macromedia\Flash Player" /setowner SYSTEM
icacls "%APPDATA%\Macromedia\Flash Player" /inheritance:r /deny everyone:F

Though I'd recommend a simple:
icacls "%APPDATA%\Macromedia\Flash Player" /inheritance:d /deny everyone:(WD,AD)

Use better privacy

Use Better privacy.

I whitelist all the flash LSOs I want to keep, and have better privacy delete the others when I quit firefox.

Flashblock can also help.

I find noscript annoying.

I also accept all normal cookies for session only, and whitelist sites I want to stay logged in on using Cookie monster.

Re:Use better privacy

[muckracer]

> and have better privacy delete the others when I quit firefox.

I still can't believe, the Mozilla Devs removed the fabulous Clear History Popup window on exit. That was one of the best features of the browser, IMHO (friends and family agree)!!

(Yes, I know about askforsanitize...it works but looks very ugly.)

Zombie Flash Cookies

[Anne_Nonymous]

Zombie Flash Cookies. I'm sure they're bad for you, but you have to admit they sound like they'd be tasty.

Re:Zombie Flash Cookies

[radicalpi]

In my mind, they're undead cookies that flash me. That doesn't sound appetizing at all. Plus, if I did eat them, they're not dead, they're in my stomach plotting on how to get to my brain and eat it.

Re:Zombie Flash Cookies

[Minwee]

Keep in mind that these are different from naked female zombies. We need to pass different laws for them.

Re:Zombie Flash Cookies

[Anne_Nonymous]

And there's some aspect of this experience that doesn't sound both tasty and exhilarating?

Re:Zombie Flash Cookies

[Nikker]

Kinda hit close to home huh?

Re:Zombie Flash Cookies

[lorg]

Do they taste like chicken?

Re:Zombie Flash Cookies

[ctchristmas]

Well I thought flashbang grenades sounded awesome, but its not what you think...

DMCA

[giorgist]

Doesn't this fall under the unticircumvention law.
I protect my privacy
You circumvent it

Can we not use their own laws against them ?

Re:DMCA

[radicalpi]

Tattoo this to your forehead and go from there "© 2010 Me"

Re:DMCA

[nacturation]

If your theory holds, the French could sue the Germans under the DMCA for circumventing the Maginot line. Here's a pro tip: there are some circumventions which have jack all to do with copyright law.

Re:DMCA

[muckracer]

> If your theory holds, the French could sue the Germans under the DMCA for circumventing the Maginot line.

Ohh...zis is a most wundervoll idea!! We will implement zis immediately!

Re:DMCA

[ThatsNotPudding]

...circumventing the Maginot line.

In France's defense: who could have predicted that Germany knew about Belgium?

Re:DMCA

[V+for+Vendetta]

In France's defense: who could have predicted that Germany knew about Belgium?

Well, the French could, as this is what Germany already did to them in WW I.

Re:DMCA

[nacturation]

Troubles with that are two-fold:

1) You can't prosecute for a crime that was not a crime at the time of commission (DMCA was passed after WWII).
2) France != USA and doesn't have the DMCA

I know it's called an analogy, but please don't take those four characters so literally.

Re:

[SOULFLAYER]

Sounds like someone didn't get any zombie flash cookies for dessert tonight

BetterPrivacy plug-in

[sphealey]

At least for the Flash cookies on Wintel, the BetterPrivacy plug-in seems to be doing a good job of deleting them for me.

sPh

Re:BetterPrivacy plug-in

[mlts]

+1 on BetterPrivacy. Install that as an add-on, and it works on Windows and OS X. No more worries about Flash shared objects because it can be set to zap them at very short time intervals, as well as when you open or close the browser.

Firefox + BetterPrivacy + AdBlock + NoScript probably do as much for keeping a Windows machine clear of malicious software as most AV programs.

Re:BetterPrivacy plug-in

[purpledinoz]

I also use Cookie Monster for managing cookies. The only problem with NoScript is that it causes a lot of problems for people who aren't techies, like the date-picker not working, some submits not working, etc, since they don't know when to add a site to the white list. So I tend to install only AdBlock and BetterPrivacy for the non-techies.

Re:BetterPrivacy plug-in

[Matt+Perry]

BetterPrivacy also works great for me on Ubuntu.

Here is the shitty site

[psyclone]

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

Noscript users must temporarily allow adobe.com as well. (But at least you don't need to allow real cookies for either domain.)

You can set the flash plugin to not store any data, but it sure gets annoying on some sites when the volume controls don't work. You can also set it to ask, but it's even more annoying to try and hit the "cancel" button 15 times with choppy video behind it.

Re:Here is the shitty site

[Animats]

Yes. If you tighten up the privacy controls enough on Flash, many video sites won't play, and some play badly. YouTube's player, for example, will display the "Press ESC to exit full screen mode" for the duration of play. There's absolutely no reason why that feature should depend on storing persistent information. It would be interesting to subpoena the developer and the documentation during development to determine if that was willfully put in to discourage users from using strict privacy settings.

Re:Here is the shitty site

[Charliemopps]

Adobe sucks. If I have one more company send me a form in PDF format I'm going to scream.

Re:Here is the shitty site

[6031769]

Standard-conformant XHTML 1.1 would be fine, thanks (and use less bandwidth, and be easier to fill in, and work on a character-cell terminal).

Re:Here is the shitty site

[imakemusic]

Good luck making a program that can export that format reliably from pretty much any given program in the way that pdfs can be. And when you're done, can you explain to the people I work with why it's better having an xhtml file and all the separate image files rather than one combined, portable file? Don't get wrong, I hate them too but there's a reason that they're so popular.

Re:Here is the shitty site

[noidentity]

Yeah, I wish there were a way to deal with all the crappy aspects of Flash. I mean, besides just deleting the POS. Hmmm, that's not such a bad idea...

Re:Here is the shitty site

[cynyr]

most of my youtube viewing now shows "html5 ${spinner}" in the middle now. Granted I don't use FF anymore really.

Re:Not Quantcast's fault

Don't blame Quantcast. They're using the technology as Macromedia intended

You logic is flawed. If I kill a human with a Samurai sword, would you blame the maker of the sword?

Flash comes with every version of Windows since at least XP

Do you mean Dell computers with Windows? Maybe, but no version of Windows ever came with Flash.

Re:Not Quantcast's fault

[PopeRatzo]

Don't blame Quantcast

You're kidding, right?

Re:Flash users

[B4light]

Ok, Agreed. No copyright laws either though. It's a free-for-all.

Re:Not Quantcast's fault

Windows XP did. It's what they used to display the "Welcome to Windows XP" intro (the big one) when you installed it. But that was a while back.

Lawsuit for *this*?

[epp_b]

This isn't worthy of a lawsuit, this is worthy of a browser extension or plug-in, in-built browser function to manage flash cookies or simply an addition to the flash settings panel.

Oh, wait, this is the US... never mind.

Re:Lawsuit for *this*?

[wealthychef]

Yes, lawyers are interested in getting money. It's not about justice, or consumer rights, or privacy. It's about greedy lawyers always and forever.

Re:Lawsuit for *this*?

[mlts]

I agree with you though. This is a problem solved by a technological solution (BetterPrivacy, a shell script that runs and zaps the Flash directory, or something along those lines), than having it be litigated.

Litigation may even backfire, and a judge might rule that removing Flash cookies is considered circumventing DRM on Flash objects, and may make it even more difficult for utilities like BetterPrivacy or CCleaner to even exist.

Re:Lawsuit for *this*?

[jesset77]

Oh, fuck that. This is worthy of some serious competition to Adobe in the form of Flash Player Replacement options. SVG and Canvas are nice and all, but there must be alternate ways to view the same content similar to competing web browsers for viewing the same HTML.

Re:Lawsuit for *this*?

[John+Hasler]

> Litigation may even backfire, and a judge might rule that removing Flash
> cookies is considered circumventing DRM on Flash objects,

That's an "amazing" interpretation of the DMCA even for Slashdot.

Re:Lawsuit for *this*?

[mlts]

This isn't far fetched. Anyone remember a few years back, a verdict against a P2P site where they were ordered to log every single change that happened even in RAM on a machine?

I can see a defendant arguing that the "DRM" for a flash game is the Flash shared objects, and if the judge isn't aware about issues, he or she might render a very punishing verdict which would take millions of dollars to appeal.

Re:Not Quantcast's fault

[dissy]

Don't blame Quantcast. They're using the technology as Macromedia intended - to violate your privacy.

So, as you say they are purposely using software designed to violate your privacy. Why exactly shouldn't we blame them for that again?

OS X can use this program to delete flash cookies

[qwertyatwork]

OS X can use this program to delete flash cookies http://machacks.tv/2009/01/27/flushapp-flash-cookie-removal-tool-for-os-x/

deleted browser cookies returning to life?

[AHuxley]

Could be interesting for a passive law enforcement tracking id?
You flush them out, they seem like ads?

Re:OS X can use this program to delete flash cooki

[BearRanger]

No program necessary to do this. Just remove ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects. Set up a cron job or an Automator script to do it hourly.

Re:OS X can use this program to delete flash cooki

[qwertyatwork]

Holy sudos, quick robin to the bat terminal!

Winter Snowfall

Your father unzips
Hot semen blankets your face
Like winter snowfall

(now that's how you write a Haiku, you other anonymous coward retards)

habbo

[Lehk228]

flash cookies are old news, at least as old as the habbo hotel raids

Hello World, er Apple

[AnAdventurer]

Are we on Apple's side again for being anti-Flash? (I lose track so easily)

Re:Hello World, er Apple

[BearRanger]

Well, this sort of thing is the reason why so many content providers are reluctant to move to HTML5 and away from Flash. When they talk about the additional capabilities that Flash has, this is what they mean. The ability to track your usage and gather information about you. (and the back room deals Adobe cuts along the way to deliver this data) Yet people clamor for Flash on their mobile phones.

Say what you will about Apple, in this case they're absolutely right. Perhaps not for the right reasons, but still. The enemy of my enemy is my friend and all that.

Re:Hello World, er Apple

[tehcyder]

Are we on Apple's side again for being anti-Flash? (I lose track so easily)

It's now Wednesday, so yes.

Re:Hello World, er Apple

[Pteraspidomorphi]

The ability to track your usage and gather information about you.

Web browsers also support cookies natively, and it is possible to use these with html5 without explicitly requiring Flash to 'track your usage and gather information about you', and many, many advertising and other such companies do so. Flash sharedobjects are just a piece of technology. They aren't any more evil or suspicious than normal cookies. All this company does is store a copy of your cookies in a flash cookie so if you delete the one, they can restore it from the other.

Re:Hello World, er Apple

[selven]

Again? We've always been at war with Adobe.

Re:Hello World, er Apple

[KDR_11k]

Say what you will about Apple, in this case they're absolutely right. Perhaps not for the right reasons, but still. The enemy of my enemy is my friend and all that.

The enemy of my enemy is my enemy's enemy. No more, no less.

Re:Hello World, er Apple

[24-bit+Voxel]

For many of us non-programmers (but techies anyways) Flash is a glorified codec. I use flash for:

A) Watching video online
and
B) Nothing else.

Hell, if a site has a flash splash page I close it instantly, no matter what's behind it. Flash based slideshow? Close window. Flash based games? You kidding me? What am I... nine? Close window.

I very much look forward to the day that I don't have to use Flash anymore to watch videos, I'll uninstall it at that point and never look back.

Adobe is in a backwards slide currently. Flash is the icon/mascot for what Adobe is becoming. HTML 5 may have problems from a web programmer standpoint, but for the rest of us as long as it plays video it's far superior to what I have to use now, at least for my purposes.

Re:Not Quantcast's fault

[Tacvek]

Actually this is not a troll. Take a look in the C:\windows\help\tours\mmtour folder of a new windows XP 32-bit installation and you will find that the tour is SWF based.

Among other dlls pre-installed on the system is a flash 3 or flash 4, or some similar early version dll (I forget the version or exact file name, but a search for 'flash' or 'swf' in file names on a brand new XP install (you might need to run the tour first to have it appear) should probably find it. I don't believe the browser plug-in ever came pre-installed, but the core DLL most definitely did.

Manage Flash Cookies the easy way

Place this code into your crontab to run every day.

      rm -rf ${HOME}/.macromedia/*

Flash cookies are handled perfectly. You may need to use ${LOGNAME} instead. I've added these lines to the beginning of my daily backup job. Simple. Effective.

Adobe AIR probably does something similar, so check for that crap in a similar manner, if you still have AIR installed. I removed it after 7 days of use. Take about crap. It is slower than Java and bloated even more than iTunes + Outlook + Java, IMHO.

What I don't understand...

[mcgrew]

From TFA:
The lawsuit (.pdf), filed in U.S. district court in San Francisco, asks the court to find that the practice violated eavesdropping and hacking laws, and that the practice of secretly tracking users also violated state and federal fair trade laws.

Why hasn't anyone been led away in handcuffs? Are all the broken laws misdemeanors with a small fine, or what? Is it that no rich and powerful man goes to prison unless a richer and more powerful man wants him there? It sure seems so; Sony's XCP, the mine disaster several months ago where there had been repeated fines for the safety violations that ultimately led to two dozen deaths? Someone should have been charged with negligent manslaughter, and from what I've read, so should someone from BP.

Are we back to feudalism?

Re:What I don't understand...

[FakeStreet123]

"Are we back to feudalism?" I think you misunderstood the term feudalism. That's the period where knights fought for their kingdoms and princess got stuck in towers. Not the period where offshore oil platform exploded killing eleven people. The more you know...

Re:What I don't understand...

[aunt+edna]

From TFA:
The lawsuit (.pdf), filed in U.S. district court in San Francisco, asks the court to find that the practice violated eavesdropping and hacking laws, and that the practice of secretly tracking users also violated state and federal fair trade laws.

Why hasn't anyone been led away in handcuffs? Are all the broken laws misdemeanors with a small fine, or what? Is it that no rich and powerful man goes to prison unless a richer and more powerful man wants him there? It sure seems so; Sony's XCP, the mine disaster several months ago where there had been repeated fines for the safety violations that ultimately led to two dozen deaths? Someone should have been charged with negligent manslaughter, and from what I've read, so should someone from BP.

Are we back to feudalism?

Please expand on & explain "back to" in this context.

Re:What I don't understand...

[mcgrew]

You may be right; feudalism may have never died.

Re:OS X can use this program to delete flash cooki

[selven]

Or, as an above poster suggested, substitute the folder with a link to /dev/null.

USE A RAMDISK!

[Joe+U]

This needs repeating.

USE A RAMDISK and learn about MKLink. Use it for any temp data you can get away with.

I run Windows 7 x64, I have 4GB of memory and I dedicate 512MB to a RAMDisk. I point Flash, IE and Chrome temp directories to the disk.

I've found that unless I'm running multiple VM's I can give up the memory with no negative side effects. In fact, browsing is slightly quicker.

Serious note (with experiment!)

[GameboyRMH]

On a serious note, I wonder if browsers with private browsing modes sandbox flash cookies? When you go back to normal browsing mode, will the flash cookies from tentaclerapecentral.com still be mixed in with your other flash cookies? Let's find out!

I'm going to clear my flash cookies, disable BetterPrivacy, then mess around in the Adobe Flash settings page in private browsing mode. This will cause my browser to pick up flash cookies.

Then I'll go back into normal browsing mode and look in my flash cookie folder and see what's there.

Results: Flash cookies that were created in Private Browsing mode still exist! DUN DUN DUN!!!!

(Done in Iceweasel 3.5 with Flash 9.x)

iPhone/iPad are unaffected

[intheshelter]

Maybe there are some good reasons to not allow Flash on your platform?

Re:OS X can use this program to delete flash cooki

[mdielmann]

I think it would have been funnier if you had said "bash terminal".

Re:OS X can use this program to delete flash cooki

[qwertyatwork]

I dun goofed :(

Internet Users

[seanonymous]

People who use the Internet surely are asking for this kind of thing.

Aw just recreate cookies you never had.

[niftymitch]

This is sort of a backup and restore activity but there is no way to control what is restored.

A cookie could be inserted that you never had.

I can see the defense in court -- the Keebler Elves made me do it. They kept giving me those cookies and now I am 5000# and in jail.