YouTube's new 'nocookie' feature continues to serve cookies

A recently implemented "delayed cookie" privacy feature at YouTube begs the question: When is a cookie not a cookie?

Chris Soghoian
Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/.

Responding to criticism from privacy activists, YouTube in the past two weeks has rolled out a number of new privacy features. Chief among these is a "delayed cookie" option that YouTube promises will not leave cookies in the browsers of users who have not yet clicked the "play" button to view a video.

While this statement is true for traditional Web browser-based cookies, YouTube's cookie-lite solution still leaves long-term, non-session Flash cookies behind in the Web browser of visitors who have yet to actually click play to watch the YouTube videos.

As revealed on this blog yesterday, YouTube has recently rolled out a number of new privacy features, chiefly in response to privacy activists complaining about the company's use of non-session cookies.

Writing on the Google corporate policy blog Tuesday, Steve Grove of YouTube stated:

To ensure that we openly communicate about privacy issues on all federal websites that use our technology, we created an embeddable video player that does not send a cookie until the visitor plays the video.

YouTube's online technical documentation also reveals a bit more about the feature:

Enabling delayed cookies means that the YouTube video player will not set any non-session cookies on the computer of a visitor (viewing the page on which the YouTube video is embedded). The YouTube video player may set non-session cookies on the visitor's computer once the visitor clicks on the YouTube video player.

While this statement is true for browser-based permanent cookies, it is still a false statement. Visitors to Web pages that have made use of this new cookie-lite feature continue to receive long-lasting Flash cookies, even when they do not click play to watch a video.

The Electronic Privacy Information Center has thoroughly described the Flash cookie privacy problem:

Flash cookies provide the only method by which a flash movie can store information on a user's computer....

Few consumers are aware of where Flash cookies are stored or how to control their use. Normal web cookies can be managed via the preferences dialog of most web browsers, but no similar utility is included for these Flash cookies. It is possible for Flash cookies to remain on user's computer indefinitely, as there is no mechanism to set an expiration date on Flash cookies.

The only way to delete these well-hidden objects is to visit a special Web page on Adobe's site. The existence of Flash cookies and the need to visit the special Adobe Web site to remove them is not widely known by most Web users.

Web browsers are unable to automate the process of Flash cookie removal. As a result, those in the security community have had to take rather extreme steps to try to automate the process of Flash cookie removal in a way that doesn't break most Web functionality. These obscure techniques remain far too advanced for non-technical users.

Proof of YouTube's use of Flash cookies
To verify that YouTube is still using non-session cookies, follow these steps:

  • First, go to the Adobe Flash Settings Manager page, and delete all of your old Flash cookies.
    A screenshot of an empty Flash cookie jar
  • Close all of your browser tabs, and restart your browser. Now revisit the Adobe Flash Settings Manager page, and verify that you still have no Flash cookies.
  • Then, go to a Web page that is making use of the new YouTube "delayed cookies" feature. For this example, we used Barack Obama's inaugural address, as embedded into one of the older White House blog entries.

    (As we noted on this blog yesterday, the White House used an in-house Flash based tool for its latest weekly video address. Earlier messages from the President are still delivered using YouTube, although the White House tech team has enabled the "delayed cookie" option for all of these).

  • By looking through the source code for that blog page, we can verify that the YouTube flash file is indeed being served from youtube-nocookie.com, and thus should be making use of the "delayed cookie" feature.

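    <script type="text/javascript">
        var params = { allowscriptaccess: "always", allowfullscreen: "true" };
        // (the start of the embed call, which carries the youtube-nocookie.com player URL, is cut off in this excerpt)
            "flashcontent", "480", "295", "8", null, {}, params);
    </script>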

  • Wait for the YouTube flash file to load, but do not click play. Now, close all your browser tabs, and then restart the browser.
  • Remember that session-cookies, by definition, are for a single browsing session, and thus when you restart the browser, all previous session cookies are deleted. Anything still hanging around is long-term.
  • Now, go back to the Adobe Flash Settings Manager, and you should see that a cookie from s.ytimg.com (a domain controlled by Google) has now been quietly added to your Flash cookie jar, even though the White House Web site made use of the "delayed cookie" option, and you never clicked the play button.
A screenshot of the flash-cookie jar, containing a cookie from YouTube
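
The same before/after comparison can be made against the `.sol` files Flash Player writes to disk, which also shows why the object survives a browser restart. This is an added example, not part of the original article; it assumes Flash Player's usual `#SharedObjects/<random-id>/<domain>/` layout and default storage paths, and the helper names and the sample files created in `demo()` are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Usual per-user Flash Player storage roots (assumption: default install paths).
DEFAULT_ROOTS = [
    "~/.macromedia/Flash_Player/#SharedObjects",                     # Linux
    "~/Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    "~/AppData/Roaming/Macromedia/Flash Player/#SharedObjects",      # Windows
]

def list_lsos(root):
    """Map (domain, path) -> mtime for every .sol file under a #SharedObjects root."""
    root, found = Path(os.path.expanduser(str(root))), {}
    if not root.is_dir():
        return found
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:          # expected: <random-id>/<domain>/.../<name>.sol
            continue
        found[(parts[1], "/".join(parts[2:]))] = sol.stat().st_mtime
    return found

def new_lsos(before, after):
    """Group by domain the LSOs that exist in `after` but not in `before`."""
    grouped = {}
    for domain, path in sorted(set(after) - set(before)):
        grouped.setdefault(domain, []).append(path)
    return grouped

def demo():
    """Constructed stand-in for the article's steps, run in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "#SharedObjects" / "CONSTRUCTED1"
        (profile / "example.test").mkdir(parents=True)
        (profile / "example.test" / "prefs.sol").write_bytes(b"\x00\xbf")
        before = list_lsos(profile.parent)      # snapshot before visiting the page
        # Simulate the embedded player loading without "play" being clicked.
        (profile / "s.ytimg.com").mkdir()
        (profile / "s.ytimg.com" / "constructed.sol").write_bytes(b"\x00\xbf")
        after = list_lsos(profile.parent)       # snapshot after restarting the browser
        return new_lsos(before, after)

if __name__ == "__main__":
    print(demo())   # on a real profile, snapshot a DEFAULT_ROOTS entry instead
```
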

Those in the privacy community will likely pounce on this as evidence of Google's hypocrisy, while Google will likely respond by carefully parsing the definition of the phrase "non-session cookie" to not include Flash-cookie objects. Google might even argue that its Flash-based cookies do not contain unique tracking information (something this blogger is unable to verify, since the Adobe Flash Manager only allows you to delete, but not view the contents of a Flash cookie).

One thing is clear. YouTube has advertised a new delayed cookie feature, and stated that it "does not send a cookie until the visitor plays the video." That message is further reinforced by the fact that the new cookie-lite embedded video players are served from a different domain name, youtube-nocookie.com.

Yet a user visiting a page that includes one of these "delayed cookie" videos still ends up with a long-term, non-session Flash cookie hidden away in the depths of their browser.

Technical definitions of "cookie" versus "Flash cookie" aside, YouTube's "delayed cookie" feature simply fails to deliver on the company's promises.

When reached for comment, Marc Rotenberg, the director of the Electronic Privacy Information Center, said:

(Regarding the) spat over cookies, the Youtube and the Whitehouse web site is the tip of the iceberg. There is a much bigger debate about Google's role in federal information policy looming.

The Google blog post, if read carefully, is very revealing. It is all about justifying Google's growing dominance in government information dissemination.

This is a business plan. It is tied directly to YouTube's advertising model and revenue forecasts. There is nothing about actual federal information policy.

Complying with federal laws (e.g. the Privacy Act which regulates data collection) or federal policy on persistent cookies are real obstacles. The question is whether Google will decide for itself whether it will comply with these laws or the people's representatives.

The debate is just beginning.

Google's PR team have yet to respond to queries from this blogger regarding the cookie issue.

Disclosure: In 2008, I worked as a policy fellow for the Electronic Privacy Information Center. In 2006, I worked as a summer intern at Google, and have twice received graduate fellowships from the company.