• United States



The Audacity of Warner Brothers and Re-Spawning Zombie Cookies

Aug 18, 20104 mins
Adobe SystemsData and Information SecurityEnterprise Applications

A lawsuit alleges that companies "steal" private user information. The double standard of Warner Bros...

Have you ever played a first-person shooter (FPS) deathmatch game, where immediately upon death, you instantly are reborn, aka re-spawn? In gaming, I think it’s fun. In regards to privacy, I’d like to take my FPS gun and shoot into cyberspace at zombie cookies. Oh what a tangled, double standard surveillance web they weave, stomping on privacy while they deceive…

A lawsuit in federal court alleges that several companies like Warner Bros. Records, Disney, Ustream and others “hacked the computers” of millions of consumers “to covertly, without consent, and in an unauthorized, deceptive, invasive, and fraudulent manner” implanted “rogue” Flash tracking cookies. The group referred to collectively as “Clearspring Flash Cookie Affiliates” are accused of spying on users, including kids, by intercepting online transmissions with tracking code, that even if the user deleted, would be used to “re-spawn” Flash cookies.

According to the complaint (.pdf), these zombie cookies could be used to collect information to determine “users’ video viewing choices and personal characteristics such as gender, age, race, number of children, education level, geographic location, and household income, what the web user looked at and what he/she bought, the materials he/she read, details about his/her financial situation, his/her sexual preference, his/her name, home address, e-mail address and telephone number, and even more specific information like health conditions, such as depression.

A Berkeley University research team published an academic study titled, “Flash Cookies and Privacy.” According to their research, even if you opt-out from having a Flash cookie set, user’s Flash cookie preference is disregarded “as evidenced within the log activity as retargeting.sol.” This respawning activity happens within five seconds! It’s an interesting read; even showed up in the Flash cookie and tracking report.

The “Clearspring” lawsuit further states, “A millisecond was the time allotted to an online visitor opening a Clearspring Flash Cookie Affiliates’ webpage, before a Flash cookie was embedded within their computer and data collected immediately, without their awareness, knowledge or consent to such actions.” It also points out that the CEO of Clearspring admitted that Flash cookies were a mistake. The company says it no longer uses Flash cookies for tracking. Sometime in the future, however, Clearspring intends to start selling consumer data to advertisers.

According to this report (.pdf), Adobe condemns the practice of Local Storage to back up browser cookies for the purpose of later restoring them without users’ consent or knowledge. Although I emailed with many questions about re-spawning Flash cookies, user settings to control/delete these zombie cookies, and several other questions about Local Shared Objects (LSOs), Adobe did not reply to any of my questions.

You might find that Ccleaner is your friend. I’m not sure how much good it actually will do, since these zombie-cookies-from-hell can re-spawn in five seconds, but delete cookies or change your Flash player storage settings.

There is enough information within the Berkley paper and these .pdfs to write many, many privacy posts. But what really catches my attention today is the audacity of Warner Brothers, of Warner Bros. Records being named in this suit. Really, Warner Brothers? You want to go there? After all the RIAA/MPAA ruckus Warner Brothers has raised about users “stealing” from them, only to discover they were re-spawning Flash cookies and “stealing” users’ personal identifying information?

Warner Bros has been involved in over a dozen MPAA lawsuits, including one against Pirate Bay. Warner Bros Records and the RIAA continue to hunt down users and P2P sites. So I asked Torrent Freak’s Ernesto, what he thought about this suit. He wrote, “This case clearly shows that Warner Bros. and Disney maintain a double standard. They go after people who copy their works without authorization, while they themselves copy privacy sensitive data from Internet users, including kids, without permission.”

Like this? Check out these other posts:

Follow me on Twitter @PrivacyFanatic

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.