Zombie cookies don't crumble

A privacy activist lawyer is taking MTV, ESPN, MySpace, Hulu, ABC, NBC and Scribd to the cleaners because they used storage in Adobe’s Flash player to raise cookies from the dead after they had been deleted by users.

Joseph Malley is miffed that the outfits used software by Quantcast, which is also being sued, which animates those old embarrassing cookies you might have deleted and allows them to shamble around your computer saying “brains”.

According to court documents the zombie cookies came to light last year, after researchers at UC Berkeley were surprised when a deleted browser cookies shambled across a researcher’s desk and ate his brains.

According to Wired , when it was made public Quantcast quickly fixed it. It said it was an unintended consequence of trying to measure web traffic accurately.

However it was not quick enough to avoid the lawsuit, which was filed in US district court in San Francisco, and asks the court to find that the practice violated eavesdropping and hacking laws, and that the practice of secretly tracking users also violated state and federal fair trade laws.

Malley claims that the software was part of a “pattern of covert online surveillance” and seeks status as a class action lawsuit.

Malley’s name should bring the fear of god to many an IT outfit. He played a key role in other high profile privacy lawsuits, including a $9.5 million settlement earlier this year from Facebook over its ill-fated Beacon program. He also squared a settlement with Netflix after the company gave imperfectly anonymised data to contestants in a movie recommendation contest.

QuantCast was using the same user ID in its HTML and Flash cookies. When a user killed the cookie Quantcast would reach into the Flash storage bin, retrieve the user’s old number and reapply it so the customer’s browsing history around the net would not be cut off.

The thing is that Quantcast is used by legions of sites to measure the number of visitors and to get information on the kinds of people visiting sites.

The technique was particularly nasty because it bypassed lots of security people have on their browsers about what cookies to accept and which to get rid of.

Because Flash cookies are handled differently they have to be fixed through a web page on Adobe’s site, and the controls are difficult and not widely known.

Firefox users can prevent or delete Flash cookies using a free add-on called BetterPrivacy.