Feeds

Disney sued for spying on kids with 'zombie cookies'

Snooping with 'little available redress for users'

Remote control for virtualized desktops

Walt Disney's internet subsidiary and several of its partners have been sued for allegedly using cookies based on Adobe's Flash Player to track highly personal information about their users, many of whom were minors.

The LSOs, or locally shared objects are better known as Flash Cookies, and their ability to gather detailed user information over long periods of time without a trace has been understood since at least 2007. Now, attorneys representing people who browsed websites that employed the technology claim it was used to track them in ways that violate the sites' privacy policies.

For instance, the habits of one individual who browsed articles on depression, were uniquely tracked across a network of partners, according to the complaint.

The suit was filed in US District Court in Los Angeles against Walt Disney Internet Group, Clearspring Technologies, Warner Bros. Records, and several other companies that shared the cookies. The affiliates fail to adequately warn users about the information-sharing arrangement, which according to the complaint, allows “zombie cookies” to be restored even after a user has gone through the trouble of deleting them.

“Using Flash cookies to re-identify users overrides this control, with little available redress for users,” the complaint, which seeks class-action status, states. “Although users may arguably protect themselves by periodically deleting their Flash cookies as well, the means for doing so are extremely obscure and difficult even for savvy consumers to use. Flash specifically attempts to obfuscate data within each LSO by controlling the format and forcing a binary serialization of any stored data, thus bypassing the web browser's same-origin security policy, allowing an application hosted on one domain to read data or code hosted on another.”

A research paper (abstract here) released last year by UC Berkeley researchers famously exposed the ability of Flash cookies to surreptitiously “respawn” deleted cookies. It served as a wakeup call about the uncanny persistence of the tracking files. What's more, Flash cookies can store up to 100 KB of data, 25 times more than normal cookies.

The suit alleges the companies violated a raft of laws, including the federal Computer Fraud and Abuse Act, the California Computer Crime Law, the California Invasion of Privacy Act and trespass and personal property statutes. The complaint is here. ®

Bootnote

To Adobe's defense, company officials have stated in comments (PDF) submitted to the FTC that their policy “condemns the practice of using Local Storage to back up browser cookies for the purpose of restoring them later without user knowledge and express consent.” That's a great first step. Now the company should release a free consumer tool that makes it easy to manage and delete the new-fangled cookies.

Remote control for virtualized desktops

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.