Tuesday, February 01, 2011

An open letter to Adobe

MeMe Rasmussen
Chief Privacy Officer
Adobe Systems Inc.

Dear MeMe,

Yesterday, as you know, two researchers from Carnegie Mellon University released a study on the extent to which Flash Local Stored Objects ("Flash cookies") are used on popular websites, and in particular, how often sites engage in cookie "respawning".

Before discussing the report, I want to begin by stating that I have great respect for the two researchers, Dr Aleecia McDonald and Professor Lorrie Cranor. They both have truly stellar track records in their area of academic expertise: the study of usable security and privacy.

However, I have serious misgivings about the the motivation of this study, the role that several non-academic entities played in shaping it, its methodology, and the way that it may be used by your company and others in industry to whitewash a significant privacy issue.

The motivation of the study, and the role played by Adobe, CDT and Reed Freeman

It is not entirely clear, at least from publicly available sources, who first came up with the idea for the study. That is, did the researchers decide to conduct the study, and seek funding from Adobe and CDT in order to help pay their costs, or did Adobe seek to repair its own reputation, write a large check to the Center for Democracy and Technology (CDT), which then passed on some of the money to these researchers in order to produce the report?

Update Feb 2: A post by MeMe on Adobe's official blog confirms that:
Adobe commissioned the Carnegie Mellon University research study ... with assistance provided by the Center for Democracy and Technology (CDT)
What is clear, from the acknowledgements at the end of the report, is that the researchers received financial support from Adobe. Looking at CDT's funding charts for 2009 and 2010, it looks like 2010 is the first year that Adobe has given any money to CDT. Was this funding tied to the creation and publication of this report?

Both Adobe and CDT are thanked by the researchers for assistance in developing the experimental protocol, and several CDT staff members are thanked for providing the researchers with assistance and feedback on their report. One other person who is thanked for his assistance is Reed Freeman, a partner at the law firm Morrison & Foerster.

Given the trigger-happy nature with which some firms fire off DMCA cease and desist letters, or call in Department of Justice, it is unfortunately quite common for privacy and security researchers to have to solicit the advice and assistance of attorneys before publishing research. I myself have several attorneys on speed-dial, and have turned to the absolutely amazing attorneys at the Electronic Frontier Foundation (EFF) on several occasions.

What puzzles me though, is why Professor Cranor did not go to the EFF for her legal questions, particularly given that she serves on EFF's board of directors. Instead, she sought and received feedback from Reed Freeman.

As far as I know, Reed has no experience or special expertise in helping academic researchers avoid lawsuits from pissed off companies. However, he does have quite a bit of experience in helping companies engulfed in privacy scandals escape the wrath of the Federal Trade Commission. For example, he represented Netflix a year ago, after the FTC took an interest (pdf) in the company's plan to share a second dataset of its customers' movie reviews.

I would love to find out the role that he played in shaping this study and the final report. Did he provide advice to these researchers on a pro-bono basis, or did Adobe pick up the likely very expensive tab for his assistance?

Research methodology

This study was a response to a 2009 study by Soltani et al, which coined the term "respawning Flash cookies" and exposed several major web properties and advertising networks engaging in the practice.

Leaving aside the potential issues that Joe Hall has raised of how the researchers chose the 500 random sites, I want to focus on one key area which suggest serious limits (and perhaps even flaws) in this study.

Consider the data collection method followed by Soltani:
Each session consisted of starting on a Firefox about:blank page with clean data directories. We then navigated directly to the site in question (by entering the domain name into the browser’s navigation bar) and mimicked a ‘typical’ users session on that site for approximately 10 pages. For example, on a video site, we would search for content and browse videos. On a shopping site, we would add items to our shopping cart. We did not create accounts or login for any of the sites tested. As a result, we had to ‘deep link’ directly into specific user pages for sites such as Facebook.com or Myspace.com since typically these sites do not easily allow unauthenticated browsing.

In the CMU study, the researchers visited the front page only of the top 100 sites, plus an additional random 500 sites. The researchers did not navigate beyond paywalls, conduct searches, click on items to add them to shopping carts, or otherwise interact with the sites. As such, any Flash cookies present on these other pages have gone undiscovered.

Naming names

One important norm in the academic privacy community, is that when researchers discover companies engaged in privacy invasive (or even just problematic) practices, they are named. Soltani et al named the companies they discovered respawning Flash cookies, Krishnamurthy and Wills (pdf) named Facebook, MySpace and a few other social networks that were leaking user identifiers via referrer headers, and Jang et al (pdf) named YouPorn, Morningstar, Charter and the dozens of other firms they discovered abusing CSS flaws to determine users' browsing history.

Similarly, when Professor Cranor, Dr McDonald and several other CMU researchers published a paper last year examining the extent to which major websites misrepresent their privacy policies via machine-readable P3P headers, the researchers identified the offending websites.

It seems curious then that this time around, these same researchers would decide to not identify the two companies that they discovered were engaged in Flash cookie respawning.

It is just a wild guess, but I suspect that the decision not to identify the offending firms was not a decision left up to the researchers. What I do not know though, is if this was a decision made by CDT, or Adobe.

Adobe's commitment to privacy

One year ago, you submitted written comments (pdf) to the FTC as part of its series of privacy roundtables. In your submission, you wrote that:
Adobe condemns the practice of using Local Storage to back up browser cookies for the purpose of restoring them later without user knowledge and express consent.


Adobe is committed to supporting research to determine the various types and extent of the misuse of Local Storage. We are eager to participate in the discussion of which uses are and are not privacy friendly. We will support appropriate action, in consultation with the development, advocacy, regulatory, and legislative communities, to eradicate bad, unintended uses of Local Storage.


Adobe Supports the Commissions’ Use of its Authority to Police Unfair and Deceptive Acts and Practices in Commerce.

Adobe believes that existing legislation and regulation provide the Commission with robust enforcement authority against deceptive or unfair trade practices, including the use of Local Storage to re-spawn cookies users have deleted.

Adobe should identify the offending websites, or at least rat them out to the FTC

The studies published by Soltani et al, Krishnamurthy and Wills and Jang et al have all lead to class action lawsuits against the companies engaged in the various privacy violating activities exposed by these researchers. As such, it is quite reasonable to assume that had the CMU Flash cookie study identified the two firms that were caught engaging in Flash cookie respawning, class action lawsuits would have soon followed.

Given the strong tone you took in your FTC comments, and the fact that Adobe "condemns" the misuse of your technology to violate consumers' privacy, it is surprising that you have not pushed for the identification of these two companies. Surely the millions of users of Flash who have had their privacy violated by these firms should have an opportunity to seek their day in court?

Even if you do not wish to expose these firms to the threat of class action litigation, at the very least, you should turn them in to the FTC, which would then be able to investigate the firms, and prohibit them from engaging in similar privacy violations in the future.

As such, I hope you will confirm if you know the identity of the two firms discovered by the CMU researchers, and further confirm what plans you have, if any, to provide FTC staff with the evidence that was uncovered.

It is time for Adobe to be a leader on privacy. Turning these two firms in to the FTC would be a good first step.

With regards,


1 comment:

Philip said...

Maybe it's time to replicate a bit of the suspect research, and "rat out" a few abusers to the FTC. :-)

And if the expose somehow gets buried, there's always OpenLeaks or an alternative.