Feeds

Disney sued for spying on kids with 'zombie cookies'

Snooping with 'little available redress for users'

Website security in corporate America

Walt Disney's internet subsidiary and several of its partners have been sued for allegedly using cookies based on Adobe's Flash Player to track highly personal information about their users, many of whom were minors.

The LSOs, or locally shared objects are better known as Flash Cookies, and their ability to gather detailed user information over long periods of time without a trace has been understood since at least 2007. Now, attorneys representing people who browsed websites that employed the technology claim it was used to track them in ways that violate the sites' privacy policies.

For instance, the habits of one individual who browsed articles on depression, were uniquely tracked across a network of partners, according to the complaint.

The suit was filed in US District Court in Los Angeles against Walt Disney Internet Group, Clearspring Technologies, Warner Bros. Records, and several other companies that shared the cookies. The affiliates fail to adequately warn users about the information-sharing arrangement, which according to the complaint, allows “zombie cookies” to be restored even after a user has gone through the trouble of deleting them.

“Using Flash cookies to re-identify users overrides this control, with little available redress for users,” the complaint, which seeks class-action status, states. “Although users may arguably protect themselves by periodically deleting their Flash cookies as well, the means for doing so are extremely obscure and difficult even for savvy consumers to use. Flash specifically attempts to obfuscate data within each LSO by controlling the format and forcing a binary serialization of any stored data, thus bypassing the web browser's same-origin security policy, allowing an application hosted on one domain to read data or code hosted on another.”

A research paper (abstract here) released last year by UC Berkeley researchers famously exposed the ability of Flash cookies to surreptitiously “respawn” deleted cookies. It served as a wakeup call about the uncanny persistence of the tracking files. What's more, Flash cookies can store up to 100 KB of data, 25 times more than normal cookies.

The suit alleges the companies violated a raft of laws, including the federal Computer Fraud and Abuse Act, the California Computer Crime Law, the California Invasion of Privacy Act and trespass and personal property statutes. The complaint is here. ®

Bootnote

To Adobe's defense, company officials have stated in comments (PDF) submitted to the FTC that their policy “condemns the practice of using Local Storage to back up browser cookies for the purpose of restoring them later without user knowledge and express consent.” That's a great first step. Now the company should release a free consumer tool that makes it easy to manage and delete the new-fangled cookies.

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.