A Free Educational Resource Created by Carnegie Mellon University to Empower You to Secure Your Part of Cyberspace

Browser Cookie Respawning

Someone else can take your cookie. And you might not even notice.

This article summarizes a study on browser cookie respawning conducted by Dr. Lorrie Cranor, an associate professor at Carnegie Mellon University and the director of the CyLab Usable Privacy and Security Laboratory (CUPS), and Aleecia McDonald, a PhD student at CMU. The study was conducted in 2010 at the request of Adobe Systems.

About Browser Cookie Respawning

Adobe Flash is popular software used to create multimedia applications such as interactive games, video content and animations. These applications are usually delivered to users as they browse the web pages of certain websites, and they run inside the web browser through a plug-in provided by Adobe. According to Adobe, an estimated 99 percent of web browsers have the free Flash Player plug-in enabled.

Similar to HTTP browser cookies--which are used to store information about a user on a local computer--Adobe's Flash player allows website developers to store information on users' disks using files called "Local Shared Objects" (LSO) or flash cookies.

Some websites can re-create HTTP browser cookies that the user has deleted by reading the information they previously stored in flash cookies. This process is called "browser cookie respawning."

Summary of Respawning Study

This study was intended as a follow-up to a previous study on the same topic conducted by a research group at the University of California, Berkeley. That group found that flash cookies could be misused by some websites to recreate deleted cookie information, which raised concerns about the privacy of user information.

The study conducted by CMU, with the assistance of the Center for Democracy and Technology (CDT), explored the use of browser cookie respawning by a sample of websites. The sample contained 600 websites: 100 were taken from Quantcast's "Top 100 Most Popular Websites List," and the other 500 were randomly selected.

The study found that the practice of browser cookie respawning may not be on the rise, and that many companies have stopped it. Of the 600 websites tested, only two were found to use the respawning technique. Before the end of the study, one of the two companies voluntarily stopped the practice and the other stopped respawning after being informed about the CMU study.

Conclusions and Findings of the Study

The number of companies respawning HTTP cookies from flash cookies in July 2010 was very low: only two companies, both running popular sites, were doing so. Because the practice was used by two large websites, the privacy of many users could still have been affected. The companies could track the list of files the user had previously viewed and could find other information about the user. Even though a large number of users could have been affected, the study concluded that respawning was not widespread.

Some of the websites stored unique numbers in flash cookies. While the exact purpose of these flash cookies could not be determined, some of them were believed to be used for identifying individual computers. Such a use of unique identifiers makes flash cookies behave in the same way as browser cookies. Even if the user has disabled the storing of browser cookies, flash cookies may still be active on the user's computer, and most users are not aware that flash cookies exist. This can create privacy issues for the user. The study observed that around nine percent of the top 100 websites may be using flash cookies to identify users' computers. Among the 500 randomly selected websites, the number was under four percent. Because some of these websites have a very large number of users, the actual number of users affected could be very high, even though the percentage of websites using respawning is low.

Forty percent of the websites used unique identifiers in flash cookies. Since the share of websites that actually respawn cookies is far lower than 40 percent, it can be inferred that even the software developers may not be aware of the privacy concerns raised by the respawning process.
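The distinction the study draws, between sites that merely store an identifier in a flash cookie and sites that use it to restore a deleted HTTP cookie, can be checked with the same before/after comparison the respawning description above implies: record a site's cookies, clear the browser cookie store, revisit, and see which identifier-like values come back unchanged. The following Python is an added example and not code from the study or from CMU; the cookie values and the "looks like an identifier" heuristic are constructed assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample data (not from the study): cookie name -> value for one
# site, first on a fresh visit, then after the user cleared all HTTP cookies
# and revisited the same site.
FIRST_VISIT = {
    "sessionid": "a81f3c9e4d2b7a10",
    "uid": "7f3e2a9c-1b4d-4e6a-9c0d-5b2f8e1a3d7c",
    "theme": "dark",
}
AFTER_CLEAR = {
    "sessionid": "c02d8b1e7f4a3e55",                  # new session, as expected
    "uid": "7f3e2a9c-1b4d-4e6a-9c0d-5b2f8e1a3d7c",    # identical: respawn candidate
    "theme": "dark",                                   # identical, but a preference
}

# Heuristic (an assumption of this example): an identifier is a long opaque
# token of letters, digits, '-' or '_' that contains several digits.
_ID_RE = re.compile(r"^[A-Za-z0-9_-]{12,}$")


def looks_like_identifier(value: str) -> bool:
    """True if a cookie value is long and opaque enough to act as a unique ID."""
    if not _ID_RE.match(value):
        return False
    return sum(ch.isdigit() for ch in value) >= 3   # excludes words like "dark"


def find_respawned(before: Dict[str, str], after_clear: Dict[str, str]) -> List[str]:
    """Names of identifier-like cookies whose value survived a cookie wipe.

    A deleted HTTP cookie cannot supply its own old value on the next visit, so
    an identical identifier after the wipe must have been restored from another
    store, such as a Flash Local Shared Object. Preference cookies are ignored
    because a server may legitimately re-send a default like "dark".
    """
    return sorted(
        name for name, value in after_clear.items()
        if before.get(name) == value and looks_like_identifier(value)
    )


def classify_site(before: Dict[str, str], after_clear: Dict[str, str]) -> str:
    """'respawning', 'identifier' (ID set but not restored) or 'none'."""
    if find_respawned(before, after_clear):
        return "respawning"
    if any(looks_like_identifier(v) for v in before.values()):
        return "identifier"
    return "none"
```

Running `classify_site` over the before/after cookie sets of each site in a sample gives the three buckets the study's percentages distinguish; flash cookies stored by other plug-ins or technologies would need the same comparison, since the check only observes what returns after a wipe, not where it was kept.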

Finally, the study noted that the most popular websites were the more likely to use respawning, with its potential privacy implications, while smaller websites typically relied on the respawning services of larger ones. This suggested that it is possible to work with the larger websites to stop them from respawning cookies and so mitigate the privacy concerns of users. The study also mentioned that several other technologies perform the same function as respawning. Focusing prevention on one area alone could lead to an arms race with advertisers, who could always turn to other technologies to gather user information, regardless of the user's privacy settings.
