Zoombie cookies

David S. Misell asked me to share the privacy issues of html5, and I thought that no better place to do this than by creating a post.

Html5 is really about these zoombie cookies, cookies that keep coming back from the dead, even after you’ve deleted them…. scarey or what?

According to Wikipedia “Zombie cookies were first documented at UC Berkeley, where it was noticed that cookies kept coming back after they were deleted over and over again. This was cited as a serious privacy breach. If you delete a cookie, it should remain deleted. Since most users are barely aware of these storage methods, it’s unlikely that users will ever delete all of them. From the Berkeley report, “few websites disclose their use of Flash in privacy policies, and many companies using Flash are privacy certified by TRUSTe.

Ringleader Digital made an effort to keep a persistent user ID even when the user deleted cookies and their HTML5 databases (RLDGUID). The only way to opt out of the tracking was to use the company’s opt-out link which gives no confirmation.”

To read more techie stuff on how this annoying cookie is working go here where ars technia has written an insightful article on this.

Ringleader Digital claim on its privacy page that it only collects “non-personally identifiable information, such as browser identifiers, session information, device type, carrier provider, IP addresses, unique device ID, carrier user ID and web sites visited. Now the question is what happens when you link this information together?

Now according to the UK for example an IP address in isolation is not personal data under the Data Protection Act, according to the Information Commissioner. But an IP address can become personal data when combined with other information or when used to build a profile of an individual, even if that individual’s name is unknown.

And there is significant discussion on this around the world. In Seattle a Federal judge ruled that IP address is not personal information, however in the EU it is understood how easily an IP address can become an element of PII.

As to my personal opinion, it’s simple… I want visibility, i.e. if I delete a cookie on my PC or mobile device, I want it deleted. I don’t want a zoombie. It could be that I like the convenience of having a cookie there, but I want the choice to delete, and when deleted I don’t want any zoombies rooming around on my devices… my devices, yes, they are linked to my very person, and have become a part of my DNA..

One Reply to “Zoombie cookies”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.