Big Media sites sued over use of "zombie cookies"

Media sites including Hulu, ESPN, MTV and MySpace are facing a class action suit over the use of "zombie cookies," which allowed the sites to recreate a Web tracking cookie after the user manually deleted it.
Written by Sam Diaz

Some of the nation's largest media Web sites - including ABC, ESPN, Hulu, MySpace and MTV - were named in a lawsuit filed last Friday that alleges violations of federal computer intrusion laws.

At issue is the use of "zombie cookies," a technology created by Quantcast - which is also named in the lawsuit - that allows site owners to use a storage compartment in Adobe's Flash player to recreate Web tracking files after they've been manually deleted by the user.

The suit (PDF), which was filed in U.S. District Court in San Francisco, alleges that the practice of recreating the cookies violates federal eavesdropping and hacking laws. It seeks class action status. From the suit:

The collection of data by Defendants was wholesale and all-encompassing. Data passing from the user’s computer was observed without discrimination as to the kind, type, nature, or sensitivity of the data. Like the privacy one loses from an airport security body scanner, everything passing through the consumer’s Internet connection was intercepted by Defendants, claimed as their property, and traded as a commodity. Regardless of any representations to the contrary -- all data – whether sensitive, financial, personal, private, complete with all identifying information, was intercepted, exposing users like a “fish in a fishbowl.”

According to a report on Wired's Threat Level blog, Flash cookies - as they're also known - are relatively unknown to users and are not controlled by a browser's privacy settings and controls. From the Wired post:

Websites can store up to 100 kilobytes of information in the plug-in, 25 times what a browser cookie can hold. Sites like Pandora.com also use Flash’s storage capability to pre-load portions of songs or videos to ensure smooth playback. QuantCast was using the same user ID in its HTML and Flash cookies, and when a user got rid of the former, Quantcast would reach into the Flash storage bin, retrieve the user’s old number and reapply it so the customer’s browsing history around the net would not be cut off. Quantcast’s behavior stopped last August, after Wired.com reported on the research from then-grad student Ashkan Soltani.
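
As an added example (not from this article, Wired or the research it cites), an auditor can check for the respawning described in the excerpt above by comparing cookie snapshots taken before and after clearing cookies against the contents of plug-in storage. The snapshot format, the function names and every sample value are assumptions constructed for illustration.

```python
# Added example: flag cookies that "respawn" from a second storage area.
# All names and sample values below are constructed for illustration.

MIN_ID_LEN = 8  # shorter values (flags, locales) collide by chance


def looks_like_identifier(value):
    """Treat long values with some variety of characters as candidate IDs."""
    return len(value) >= MIN_ID_LEN and len(set(value)) >= 5


def find_respawned(before, after_clear, flash_store):
    """Return findings for cookies that came back with the same ID.

    before       -- {(domain, name): value} cookies from the first visit
    after_clear  -- same shape, captured after deleting cookies and revisiting
    flash_store  -- {(domain, key): value} contents of plug-in local storage,
                    which a browser's cookie controls do not clear
    """
    findings = []
    for (domain, name), old_value in sorted(before.items()):
        if not looks_like_identifier(old_value):
            continue
        # A fresh visit should mint a new ID; the same one means it was restored.
        if after_clear.get((domain, name)) != old_value:
            continue
        # Which storage entries held a copy of the ID (exact or embedded)?
        sources = sorted(key for (d, key), v in flash_store.items()
                         if d == domain and old_value in v)
        findings.append({"domain": domain, "cookie": name,
                         "value": old_value, "flash_keys": sources})
    return findings


# Constructed snapshots of one test profile.
BEFORE = {("tracker.example", "uid"): "4c1f9a7e2b3d5f60",
          ("tracker.example", "optout"): "0",
          ("site.example", "session"): "a81be03c77d1e942"}
AFTER_CLEAR = {("tracker.example", "uid"): "4c1f9a7e2b3d5f60",   # same ID returned
               ("tracker.example", "optout"): "0",
               ("site.example", "session"): "e5570c12b9a4f3d8"}  # new ID, as expected
FLASH_STORE = {("tracker.example", "prefs"): "vol=80;uid=4c1f9a7e2b3d5f60",
               ("site.example", "buffer"): "preloaded-media-chunk"}

if __name__ == "__main__":
    for f in find_respawned(BEFORE, AFTER_CLEAR, FLASH_STORE):
        print(f"{f['domain']}: cookie {f['cookie']!r} restored; copy in {f['flash_keys']}")
```

A finding with an empty `flash_keys` list means the identifier returned from some storage area the snapshot did not cover.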

Adobe's Flash player - which was the subject of controversy when Apple killed its use for its iOS products - is installed on an estimated 98 percent of PCs and is a key element in powering online video players.

The suit was filed by Texas lawyer Joseph Malley, a privacy advocacy attorney who also was involved in other key technology privacy suit settlements, including Facebook's $9.5 million settlement over its Beacon advertising program and a settlement with Netflix over privacy issues raised as part of a promotional contest.
