Feeds

Disney sued for spying on kids with 'zombie cookies'

Snooping with 'little available redress for users'

Choosing a cloud hosting partner with confidence

Walt Disney's internet subsidiary and several of its partners have been sued for allegedly using cookies based on Adobe's Flash Player to track highly personal information about their users, many of whom were minors.

The LSOs, or locally shared objects are better known as Flash Cookies, and their ability to gather detailed user information over long periods of time without a trace has been understood since at least 2007. Now, attorneys representing people who browsed websites that employed the technology claim it was used to track them in ways that violate the sites' privacy policies.

For instance, the habits of one individual who browsed articles on depression, were uniquely tracked across a network of partners, according to the complaint.

The suit was filed in US District Court in Los Angeles against Walt Disney Internet Group, Clearspring Technologies, Warner Bros. Records, and several other companies that shared the cookies. The affiliates fail to adequately warn users about the information-sharing arrangement, which according to the complaint, allows “zombie cookies” to be restored even after a user has gone through the trouble of deleting them.

“Using Flash cookies to re-identify users overrides this control, with little available redress for users,” the complaint, which seeks class-action status, states. “Although users may arguably protect themselves by periodically deleting their Flash cookies as well, the means for doing so are extremely obscure and difficult even for savvy consumers to use. Flash specifically attempts to obfuscate data within each LSO by controlling the format and forcing a binary serialization of any stored data, thus bypassing the web browser's same-origin security policy, allowing an application hosted on one domain to read data or code hosted on another.”

A research paper (abstract here) released last year by UC Berkeley researchers famously exposed the ability of Flash cookies to surreptitiously “respawn” deleted cookies. It served as a wakeup call about the uncanny persistence of the tracking files. What's more, Flash cookies can store up to 100 KB of data, 25 times more than normal cookies.

The suit alleges the companies violated a raft of laws, including the federal Computer Fraud and Abuse Act, the California Computer Crime Law, the California Invasion of Privacy Act and trespass and personal property statutes. The complaint is here. ®

Bootnote

To Adobe's defense, company officials have stated in comments (PDF) submitted to the FTC that their policy “condemns the practice of using Local Storage to back up browser cookies for the purpose of restoring them later without user knowledge and express consent.” That's a great first step. Now the company should release a free consumer tool that makes it easy to manage and delete the new-fangled cookies.

Beginner's guide to SSL certificates

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
US government fines Intel's Wind River over crypto exports
New emphasis on encryption as a weapon?
To Russia With Love: Snowden's pole-dancer girlfriend is living with him in Moscow
While the NSA is tapping your PC, he's tapping ... nevermind
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Put down that shotgun: Wi-Fi's the way to beat Zombies
CreepyDOL sensors can pick walkers from humans with MAC snack attack
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.