Feeds

Disney sued for spying on kids with 'zombie cookies'

Snooping with 'little available redress for users'

5 things you didn’t know about cloud backup

Walt Disney's internet subsidiary and several of its partners have been sued for allegedly using cookies based on Adobe's Flash Player to track highly personal information about their users, many of whom were minors.

The LSOs, or locally shared objects are better known as Flash Cookies, and their ability to gather detailed user information over long periods of time without a trace has been understood since at least 2007. Now, attorneys representing people who browsed websites that employed the technology claim it was used to track them in ways that violate the sites' privacy policies.

For instance, the habits of one individual who browsed articles on depression, were uniquely tracked across a network of partners, according to the complaint.

The suit was filed in US District Court in Los Angeles against Walt Disney Internet Group, Clearspring Technologies, Warner Bros. Records, and several other companies that shared the cookies. The affiliates fail to adequately warn users about the information-sharing arrangement, which according to the complaint, allows “zombie cookies” to be restored even after a user has gone through the trouble of deleting them.

“Using Flash cookies to re-identify users overrides this control, with little available redress for users,” the complaint, which seeks class-action status, states. “Although users may arguably protect themselves by periodically deleting their Flash cookies as well, the means for doing so are extremely obscure and difficult even for savvy consumers to use. Flash specifically attempts to obfuscate data within each LSO by controlling the format and forcing a binary serialization of any stored data, thus bypassing the web browser's same-origin security policy, allowing an application hosted on one domain to read data or code hosted on another.”

A research paper (abstract here) released last year by UC Berkeley researchers famously exposed the ability of Flash cookies to surreptitiously “respawn” deleted cookies. It served as a wakeup call about the uncanny persistence of the tracking files. What's more, Flash cookies can store up to 100 KB of data, 25 times more than normal cookies.

The suit alleges the companies violated a raft of laws, including the federal Computer Fraud and Abuse Act, the California Computer Crime Law, the California Invasion of Privacy Act and trespass and personal property statutes. The complaint is here. ®

Bootnote

To Adobe's defense, company officials have stated in comments (PDF) submitted to the FTC that their policy “condemns the practice of using Local Storage to back up browser cookies for the purpose of restoring them later without user knowledge and express consent.” That's a great first step. Now the company should release a free consumer tool that makes it easy to manage and delete the new-fangled cookies.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.