YouTube's new 'nocookie' feature continues to serve cookies
Responding to criticism from privacy activists, YouTube in the past two weeks has rolled out a number of new privacy features. Chief among these is a "delayed cookie" option that YouTube promises will not leave cookies in the browsers of users who have not yet clicked the "play" button to view a video.
While this statement is true for traditional Web browser-based cookies, YouTube's cookie-lite solution still leaves long-term, non-session Flash cookies behind in the Web browser of visitors who have yet to actually click play to watch the YouTube videos.
As revealed on this blog yesterday, YouTube has recently rolled out a number of new privacy features, chiefly in response to privacy activists complaining about the company's use of non-session cookies.
Writing on the Google corporate policy blog Tuesday, Steve Grove of YouTube stated:
To ensure that we openly communicate about privacy issues on all federal websites that use our technology, we created an embeddable video player that does not send a cookie until the visitor plays the video.
YouTube's online technical documentation also reveals a bit more about the feature:
Enabling delayed cookies means that the YouTube video player will not set any non-session cookies on the computer of a visitor (viewing the page on which the YouTube video is embedded). The YouTube video player may set non-session cookies on the visitor's computer once the visitor clicks on the YouTube video player.
While this statement is true for browser-based permanent cookies, it is false once Flash cookies are counted. Visitors to Web pages that have made use of this new cookie-lite feature continue to receive long-lasting Flash cookies, even when they do not click play to watch a video.
The Electronic Privacy Information Center has thoroughly described the Flash cookie privacy problem:
Flash cookies provide the only method by which a flash movie can store information on a user's computer....
Few consumers are aware of where Flash cookies are stored or how to control their use. Normal web cookies can be managed via the preferences dialog of most web browsers, but no similar utility is included for these Flash cookies. It is possible for Flash cookies to remain on user's computer indefinitely, as there is no mechanism to set an expiration date on Flash cookies.
The only way to delete these well-hidden objects is to visit a special Web page on Adobe's site. The existence of Flash cookies and the need to visit the special Adobe Web site to remove them is not widely known by most Web users.
Web browsers are unable to automate the process of Flash cookie removal. As a result, those in the security community have had to take rather extreme steps to try to automate the process of Flash cookie removal in a way that doesn't break most Web functionality. These obscure techniques remain far too advanced for non-technical users.
Proof of YouTube's use of Flash cookies
To verify that YouTube is still using non-session cookies, follow these steps:
- First, go to the Adobe Flash Settings Manager page, and delete all of your old Flash cookies.
A screenshot of an empty Flash cookie jar
- Close all of your browser tabs, and restart your browser. Now revisit the Adobe Flash Settings Manager page, and verify that you still have no Flash cookies.
- Then, go to a Web page that is making use of the new YouTube "delayed cookies" feature. For this example, we used Barack Obama's inaugural address, as embedded into one of the older White House blog entries.
(As we noted on this blog yesterday, the White House used an in-house Flash based tool for its latest weekly video address. Earlier messages from the President are still delivered using YouTube, although the White House tech team has enabled the "delayed cookie" option for all of these).
- By looking through the source code for that blog page, we can verify that the YouTube flash file is indeed being served from youtube-nocookie.com, and thus should be making use of the "delayed cookie" feature.
  <script type="text/javascript">
  var params = { allowscriptaccess: "always", allowfullscreen: "true" };
  swfobject.embedSWF("http://www.youtube-nocookie.com/v/3PuHGKnboNY&hl=en&fs=1&showinfo=0", "flashcontent", "480", "295", "8", null, {}, params);
  </script>
- Wait for the YouTube flash file to load, but do not click play. Now, close all your browser tabs, and then restart the browser.
- Remember that session-cookies, by definition, are for a single browsing session, and thus when you restart the browser, all previous session cookies are deleted. Anything still hanging around is long-term.
- Now, go back to the Adobe Flash Settings Manager, and you should see that a cookie from s.ytimg.com (a domain controlled by Google) has now been quietly added to your Flash cookie jar, even though the White House Web site made use of the "delayed cookie" option, and you never clicked the play button.
A screenshot of the flash-cookie jar, containing a cookie from YouTube
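The before/after comparison in the steps above can also be made on disk, where Flash Player keeps its local shared objects as .sol files. This is an added example, not code from the original post: the directory locations are the usual Flash Player defaults and are assumed here, and the demo runs against a constructed directory tree with a constructed file name.

```python
import tempfile
from pathlib import Path

def default_roots():
    """Usual Flash Player LSO locations (assumed defaults; adjust per install)."""
    home = Path.home()
    return [
        home / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
        home / "AppData/Roaming/Macromedia/Flash Player/#SharedObjects",      # Windows
    ]

def snapshot(root):
    """Return {(domain, relative_path): size} for every .sol file under root.

    Layout: <root>/<random profile dir>/<domain>/<...>/<name>.sol
    """
    found = {}
    for sol in Path(root).rglob("*.sol"):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:  # need profile dir, domain and file name
            continue
        domain, rel = parts[1], "/".join(parts[2:])
        found[(domain, rel)] = sol.stat().st_size
    return found

def new_objects(before, after):
    """Group objects that appeared or changed size between snapshots, by domain."""
    changed = {}
    for key, size in after.items():
        if before.get(key) != size:
            changed.setdefault(key[0], []).append(key[1])
    return {domain: sorted(paths) for domain, paths in changed.items()}

def demo():
    """Constructed tree standing in for a real profile; no Flash Player needed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "#SharedObjects"
        (root / "ABCD1234").mkdir(parents=True)
        before = snapshot(root)  # empty jar, as after the first two steps
        obj = root / "ABCD1234" / "s.ytimg.com" / "example.sol"  # constructed name
        obj.parent.mkdir()
        obj.write_bytes(b"\x00\xbf" + b"constructed sample")
        after = snapshot(root)   # page loaded, play never clicked
        return new_objects(before, after)

if __name__ == "__main__":
    print(demo())
```

On a real profile, call snapshot() on whichever default_roots() entry exists before loading the page and again after restarting the browser, then pass both results to new_objects().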
Analysis
Those in the privacy community will likely pounce on this as evidence of Google's hypocrisy, while Google will likely respond by carefully parsing the definition of the phrase "non-session cookie" to not include Flash-cookie objects. Google might even argue that its Flash-based cookies do not contain unique tracking information (something this blogger is unable to verify, since the Adobe Flash Manager only allows you to delete, but not view the contents of a Flash cookie).
One thing is clear. YouTube has advertised a new delayed cookie feature, and stated that it "does not send a cookie until the visitor plays the video." That message is further reinforced by the fact that the new cookie-lite embedded video players are served from a different domain name, youtube-nocookie.com.
Yet a user visiting a page that includes one of these "delayed cookie" videos still ends up with a long term, non-session Flash cookie hidden away in the depths of their browser.
Technical definitions of "cookie" versus "Flash cookie" aside, YouTube's "delayed cookie" feature simply fails to deliver on the company's promises.
When reached for comment, Marc Rotenberg, the director of the Electronic Privacy Information Center, said:
(Regarding the) spat over cookies, the Youtube and the Whitehouse web site is the tip of the iceberg. There is a much bigger debate about Google's role in federal information policy looming.
The Google blog post, if read carefully, is very revealing. It is all about justifying Google's growing dominance in government information dissemination.
This is a business plan. It is tied directly to YouTube's advertising model and revenue forecasts. There is nothing about actual federal information policy.
Complying with federal laws (e.g. the Privacy Act which regulates data collection) or federal policy on persistent cookies are real obstacles. The question is whether Google will decide for itself whether it will comply with these laws or the people's representatives.
The debate is just beginning.
Google's PR team have yet to respond to queries from this blogger regarding the cookie issue.
Disclosure: In 2008, I worked as a policy fellow for the Electronic Privacy Information Center. In 2006, I worked as a summer intern at Google, and have twice received graduate fellowships from the company.
Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network, and is not an employee of CNET.





It could be helpful if... you might include a link that explains the implications of such behaviors....
The fact that hundreds/thousands of other organizations use YouTube without such concerns - requires that more education be done by blogs like this unless you want it to just become an "insiders" place to visit.... which would be fine by me if that is your intent anyhow...but then why have the RSS available if that is the case?
Why did it take the use of YouTube by the WH to cause this upheaval? What are the consequences of the White House doing exactly what many other organizations including Federal, State and Local Governments use?
And not to let GOOGLE or any other entity go free on this criticism... why not be FULLY TRANSPARENT on the use of these things that do affect people's privacy rather than getting into verbal back&forthing over semantics and parsing words and phrases?
Finally - why not have the White House Site itself - fully explain what it is doing (and not) and why?
If this is really important to the public - Y'all need to be talking to the public more than playing "inside baseball" with each other...
just my 2 cents worth.
1. These cookies are being used to track people who visit the White House website and give them ID numbers. This post shows that despite Google's publicly announced changes to the way the tracking is done (tracking only people who click "play" on a video), it is still being carried on for all users in secret.
2. The White House has a privacy policy that says it will not track visitors. YouTube is breaking this policy so they wrote a special exemption that they refuse to release. The White House explained this policy somewhat but they don't have a private "ombudsman" so probably they don't want to publicly respond to these new findings and cause a ruckus.
What exactly is being captured and saved and what can it be used for?
is it true or not - that no Gov site uses cookies to "track"?
What is the US Govt policy on tracking cookies?
I think if we want the "average" person to be interested/concerned then we need to lay out in chapter and verse in ordinary person language what the "ruckus" is all about.
Otherwise.. it will remain "inside baseball" .. "geek" talk.. to most ordinary folks.
Cookies cannot be used on ANY federal website.
- by LarrytheG March 9, 2009 2:42 PM PDT
- Are we saying that it is Federal Policy NOT to allow cookies on ANY Federal Website - and the White House just ignored that policy?
as far as "tracking" is concerned ... if you want the public to get involved and demand from their elected representatives - changes - then my 2 cents worth - the dialog has to get way beyond the current "inside baseball" level.
The average guy is already a bit paranoid about the government being able to wiretap their phones, track their cell phones.. track their credit cards... track their EZ-Pass, etc, etc...
what makes the cookie issue - different.. perhaps more important compared to these other things?