Privacy and Google Analytics For Flash

October 9, 2009

You can use Google Analytics (GA) to track visitors without any JavaScript on your pages. It’s called GA for Flash. It can be done entirely within a tiny Adobe Flash file embedded on every page of the site. This method uses “flash cookies” to persist data so that even if visitors turn off or delete their browser cookies, these Flash Cookies will still exist. They can be deleted, but not with the same tools/settings used to control browser cookies — they are a separate thing.

Is this a privacy concern?

Why do some people feel that browser cookies are okay to track with, but not flash cookies?

What can we do and should we do to ease those concerns?

These were some of the questions brought up in a recent discussion. My take is that it is really all about one thing:

**It is about empowering visitors with the ability to control their own privacy.**

Browser cookies have 3 things that make this happen:

1. Sensible browser defaults to control cookies
2. General knowledge and awareness of what cookies are and what they do
3. Accessible tools with which to control the behavior of cookies

Think of it in terms of buying a new car.

Did you know that if you don’t change the oil in your car, it will stop running?!?

Hey, wait a minute! Is that fair? Can they do that??

It is fair for the same 3 reasons:

1. Sensible Defaults: Oil gauge denoting low oil, light indicating oil change needed, prominent checklist in the manual
2. General Knowledge: (Nearly) everyone knows they need to change their oil.
3. Accessible Tools: Oil change shop on every other block, prominent oil displays at AutoZone, etc.

But what if you bought a new car that also required you to change the Flash-Oil, or it would stop running? Huh? The dealer never told me about this new Flash-Oil stuff. They don’t do that at Jiffy Lube. It’s not part of the standard maintenance when I take my car in to the dealer.

Of course, the mechanics and car lovers all know about the Flash-Oil. They say, “It’s nearly as easy as changing your regular oil, we don’t see what the big deal is. You can buy it and change it yourself.” But for everyone else, it’s a huge WTF moment!

Sure, Flash-Oil might be on some obscure page of the user manual, and hidden on a back shelf in AutoZone. But suppose your car stopped running because you didn’t change the Flash-Oil. Would you be happy when the dealer said it was your fault, told you that you’d need to buy a new engine, pointed to a single paragraph on page 203 of the manual and said, “See, it’s right there, you have to change the Flash-Oil or the engine locks up”? Would you sue? Maybe. Would you win? Possibly.

But would any car manufacturer do this? Absolutely not.

Once flash cookies have those 3 key things, it will be much harder to consider them “stealth” tracking, and the concern about them will be greatly lessened.

How do we get there?

Well, how did we get there with browser cookies?

It seems that early on, those 3 key things didn’t exist. Once cookies started to gain more widespread use to track people and persist information, people began speaking out and raising concerns, and this led to general awareness. Pressure was put on browser makers to create sensible defaults, and individuals interested in privacy and control began to make tools and browser plugins to control cookie behavior.

We’re going down much the same path with flash cookies. We are at the early stages now. They are starting to be more widely used, and people are beginning to speak out about privacy concerns.

This doesn’t mean that tracking visitors with flash cookies is wrong. We can’t wait until all these things are in place before we start using them to track... because those things are only going to happen if flash tracking gets used.

We just need to be aware of our responsibilities to our fellow internet users. We should encourage support for flash cookie settings in browsers, and help spread general knowledge about Flash tracking and how to monitor, delete, and control that data.

Sure, we can put it on our websites’ privacy policies, but doing that and saying “well, our job here is done” is equivalent to that single reference to Flash-Oil on page 203.

Much better is, as Jeremy Aube suggested, putting it in your privacy policy and then saying “... and here are the methods and tools you can use to manage these Flash cookies . . .”

Part of the struggle is that, by ourselves, there isn’t a lot more we can do. I can’t force Firefox to add settings for Flash Cookies, for example.

Again, it all comes down to trying to make sure the visitor is in control of their own privacy.

Of course, whether or not there should be or can be privacy on the internet is another issue. And maybe the legitimate answer to all of this is that privacy can no more be expected on the internet than it can be expected walking down the streets of New York.

Finally, thanks to Brian Clifton, Jeremy Aube, and everyone else who got me thinking about this issue.

– John Henson