Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning

21 Pages Posted: 30 Jul 2011

See all articles by Mika D Ayenson

Mika D Ayenson

Worcester Polytechnic Institute (WPI)

Dietrich James Wambach

University of Wyoming

Ashkan Soltani

University of California, Berkeley - School of Information

Nathan Good

Good Research

Chris Jay Hoofnagle

University of California, Berkeley - School of Law; University of California, Berkeley - School of Information

Date Written: July 29, 2011

Abstract

In August 2009, we demonstrated that popular websites were using “Flash cookies” to track users. Some advertisers had adopted this technology because it allowed persistent tracking even where users had taken steps to avoid web profiling. We also demonstrated “respawning” on top sites with Flash technology. This allowed sites to reinstantiate HTTP cookies deleted by a user, making tracking more resistant to users’ privacy-seeking behaviors.

In this followup study, we reassess the Flash cookies landscape and examine a new tracking vector, HTML5 local storage and Cache-Cookies via ETags.

We found over 5,600 standard HTTP cookies on popular sites, over 4,900 were from third parties. Google-controlled cookies were present on 97 of the top 100 sites, including popular government websites. Seventeen sites were using HTML5, and seven of those sites had HTML5 local storage and HTTP cookies with matching values. Flash cookies were present on 37 of the top 100 sites.

We found two sites that were respawning cookies, including one site – hulu.com – where both Flash and cache cookies were employed to make identifiers more persistent. The cache cookie method used ETags, and is capable of unique tracking even where all cookies are blocked by the user and “Private Browsing Mode” is enabled.

Our 2009 study is also available at SSRN: http://ssrn.com/abstract=1446862.

Keywords: privacy, tracking, flash, cookies, local shared object, local stored object, online advertising, behavioral targeting, self-help, persistent identification element

JEL Classification: D18

Suggested Citation

Ayenson, Mika D and Wambach, Dietrich James and Soltani, Ashkan and Good, Nathan and Hoofnagle, Chris Jay, Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning (July 29, 2011). Available at SSRN: https://ssrn.com/abstract=1898390 or http://dx.doi.org/10.2139/ssrn.1898390

Mika D Ayenson

Worcester Polytechnic Institute (WPI) ( email )

100 Institute Road
Worcester, MA 01609
United States

HOME PAGE: http://www.wpi.edu/

Dietrich James Wambach

University of Wyoming ( email )

Box 3434 University Station
Laramie, WY 82070
United States

Ashkan Soltani

University of California, Berkeley - School of Information ( email )

102 South Hall
Berkeley, CA 94720-4600
United States

Nathan Good

Good Research ( email )

828 San Pablo Ave
Suite 120D
ALBANY, CA CA 94706
United States

Chris Jay Hoofnagle (Contact Author)

University of California, Berkeley - School of Law ( email )

341 Berkeley Law Building
Berkeley, CA 94720-7200
United States
‭(510) 666-3783‬ (Phone)

HOME PAGE: http://hoofnagle.berkeley.edu

University of California, Berkeley - School of Information ( email )

212 South Hall
Berkeley, CA 94720-4600
United States
510-643-0213 (Phone)

HOME PAGE: http://hoofnagle.berkeley.edu

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
10,837
Abstract Views
92,634
Rank
985
PlumX Metrics