Watch CBSN Live

Apple-Adobe Flash Fight: Think Ads, Not Video

There's been much to-do about Apple's (AAPL) unwillingness to allow Adobe (ADBE) Flash on the iPad or iPhone. Generally, that issue often turns into a debate over whether the 5.0 version of HTML will provide video and interface design support -- and thus supplant the need for Flash. But the discussion is largely a smoke screen. Flash will stay for a long time. Not because companies need it for video, but because they can use it to create super-cookies that never expire and that are normally invisible to browsers, and thus harder for users to delete. And that puts Apple's apparent dislike of Flash -- and the likelihood that HTML 5 will displace the technology -- in a different light.

All versions of Adobe Flash support locally shared objects (LSOs), which allow companies to create flash cookies. These differ from regular cookies in some important ways:

  • They can contain up to 100KB of data, versus the 4KB that an HTML cookie can store.
  • By default, HTML cookies expire at the end of a browser session; however, flash cookies have no default expiration date.
  • Flash stores LSOs in different locations from HTML cookies, so users may not know where to look to eliminate them.
  • Browsers have no control over flash cookies, so users can't delete them with the tools that browsers provide.
  • Most anti-spyware, antivirus, and anti-adware packages do not search for flash cookies.
  • Flash cookies can regenerate deleted regular HTML cookies.
Flash cookies can let sites track users without consumers being able to readily remove or control them, increasing the power of behavioral marketing. There are some packages, like the Firefox extension BetterPrivacy, that can remove Flash cookies, but most people don't even realize that the cookies exist.

According to a UC Berkeley School of Law study released last summer, more than half of the top 100 web sites a group of researchers investigated employed Flash cookies:

We found that top 100 websites are using Flash cookies to "respawn," or recreate deleted HTTP cookies. This means that privacy-sensitive consumers who "toss" their HTTP cookies to prevent tracking or remain anonymous are still being uniquely identified online by advertising companies. Few websites disclose their use of Flash in privacy policies, and many companies using Flash are privacy certified by TRUSTe.
That significantly changes the whole HTML 5 discussion. Underpinning it is the issue of whether companies would move from Flash to HTML 5 -- presumably retooling their websites to shift technologies. But Flash cookies bring up an issue that most companies would prefer to leave hidden: If you're going to hide tracking cookies in places where most users would never look, why would you call attention to their existence in the first place?

It also helps explain the clash of the vendors. Adobe wants Flash on all mobile browsers, and Apple, which is now interested in mobile advertising, will clearly follow its usual form and want total control over how the mechanism works. That means preventing Adobe from providing a key marketing tool.

Image via Flickr user pjmorse, CC 2.0.