Big Media sites sued over use of "zombie cookies"

Big Media sites sued over use of "zombie cookies"

Summary: Media sites including Hulu, ESPN, MTV and MySpace are facing a class action suit over the use of "zombie cookies," which allowed the sites to recreate a Web tracking cookie after the user manually deleted it.

TOPICS: Storage

Some of the nation's largest media Web sites - including ABC, ESPN, Hulu, MySpace and MTV - were named in a lawsuit filed last Friday for violating federal computer intrusion laws.

At issue is the use of "zombie cookies," a technology created by Quantcast - which is also named in the lawsuit - that allows site owners to use a storage compartment in Adobe's Flash player to recreate Web tracking files after they've been manually deleted by the user.

The suit (PDF), which was filed in U.S. District Court in San Francisco, alleges that the practice of recreating the cookies violates federal eavesdropping and hacking laws. It seeks class action status. From the suit:

The collection of data by Defendants was wholesale and all-encompassing. Data passing from the user’s computer was observed without discrimination as to the kind, type, nature, or sensitivity of the data. Like the privacy one loses from an airport security body scanner, everything passing through the consumer’s Internet connection was intercepted by Defendants, claimed as their property, and traded as a commodity. Regardless of any representations to the contrary -- all data – whether sensitive, financial, personal, private, complete with all identifying information, was intercepted, exposing users like a “fish in a fishbowl.”

According to a report on Wired's Threat Level blog, Flash cookies - as they're also known - are relatively unknown to users and are not controlled by a browser's privacy settings and controls. From the Wired post:

Websites can store up to 100 kilobytes of information in the plug-in, 25 times what a browser cookie can hold. Sites like also use Flash’s storage capability to pre-load portions of songs or videos to ensure smooth playback. QuantCast was using the same user ID in its HTML and Flash cookies, and when a user got rid of the former, Quantcast would reach into the Flash storage bin, retrieve the user’s old number and reapply it so the customer’s browsing history around the net would not be cut off. Quantcast’s behavior stopped last August, after reported on the research from then-grad student Ashkan Soltani.

Adobe's Flash player - which was the subject of controversy when Apple killed its use for its iOS products - is installed on an estimated 98 percent of PCs and is a key element in powering online video players.

The suit was filed by Texas lawyer Joseph Malley, a privacy advocacy attorney who also was involved in other key technology privacy suit settlements, including Facebook's $9.5 million settlement over its Beacon advertising program and a settlement with Netflix over privacy issues raised as part of a promotional contest.

Topic: Storage

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: Big Media sites sued over use of

    So turn off cookies in Flash Player using the flash settings app, or install the Flashblock add-on for Firefox. This is not "intrusion" or "hacking". This is just utilizing a feature of a plug-in. It's certainly no reason to sue someone, looking for a quick buck. Hopefully this lawsuit is laughed out of court.
    • RE: Big Media sites sued over use of

      I don't even know where to begin to diagnose the ignorance and pompousness of that comment...
    • RE: Big Media sites sued over use of

      @spatula6 That renders a lot of these useless. If what you're intimating is that you shouldn't use these websites without companies taking every bit of data about you (without user knowledge, unless someone can read a long, lawyered-up TOS in only some cases), then guess what: you've shut down half of the internet.

      It is intrusion because the data that is being taken by these companies is shared via third parties, often without the user's knowledge or consent.
  • Ugh, Flash

    Yet another reason not to trust Flash, or otherwise closed, proprietary software to begin with. Just recently, me and a friend were discussing how plain HTML (and CSS) web pages are inherently more trustworthy, given that you can look at its source code at any time; whereas those all-Flash pages, it seems that people make their pages all-Flash for no other reason than to hide its source, using the excuse of "visual enhancement" to cover their tracks.

    Believe me, I'm all for sprucing up pages whose content and theme would need it, so that everything doesnt look like a sheet of paper, but until we get a (roughly) equal open-source counterpart, where we can SEE what's going on when we visit, then I say, "no thanks."
    • Good ol' Freetard sentiment.. gotta love it..

      @Wodenhelm -

      Then get off your ass and invest some time and money in producing a Flash replacement, release it as open source, and make sure it's better than Flash so everyone can use it..

      After all, it's just that easy, isn't it?
      • RE: Big Media sites sued over use of

        @daftkey HTML5.
      • RE: Big Media sites sued over use of

        @daftkey You should try calming yourself down before posting. I can picture you now, getting mad, screaming at the screen (in your head), while sipping on a cup of Fox News.

        In any case, many companies have indeed done such things, for the simple fact that they didnt want to be tied in with the competing vendor, or otherwise they'll make their money off of support, instead of product sales. Linux, OpenOffice, upcoming HTML5 will be universal, there are many other examples out there.

        My point, is that we have the right to see what's going on, just the same as any of us can easily open the hoods of our cars.
      • HTML5 isn't

        @Wodenhelm - <br><br>..It's open standards - a small difference, but a difference nonetheless..

        It's interesting that you list three products that have been in the works for years, and are still only "kindof almost but not really" as good as the proprietary products that they are attempting to replace..

        Pattern, see, here?
  • Interesting they didn't seem to include Adobe in the suit.

    Since they apparently are at least as responsible for this as Quantcast
    • RE: Big Media sites sued over use of


      Ah, but Adobe just put this into their thing and said "Here are the uses for it!" It's like blaming Microsoft if a ActiveX control that you install has something like this in it, it doesn't fly.

      The functionality has a legitimate use, these people are using it for illegitimate purposes.
  • I guess we now know why all the big media

    wants to keep using flash.
  • I hate Flash. I wish we could be rid of it

    Yes, I want to SKIP INTRO
    • RE: Big Media sites sued over use of


      Flash is no worse than WMP plugins and other things. In fact, Flash is much BETTER than those things when it comes down to it.
  • Horrified and installed Better Privacy plug-in

    I was really disgusted to discover this Flash cookie nonsense - immediately installed Fox plug-in Better Privacy that allows you to autokill flash cookies in various ways.<br><br>The FTC could also initiate some legal proceedings against Adobe or web sites for setting these cookies.<br><br>I think this story is going to gain a lot of traction in the blogosphere and that Adobe will have to withdraw the feature.
    Don Collins