by Micah Fisher-Kirshner, Search Strategist

Since its introduction in 1996, Flash has become one of the most widely-used platforms on the Internet for web animations, web design, and website development. Though its use is not search engine friendly (with only the recent ability from Google to index links within Flash), the benefits of Flash have propelled its use around the globe. However, there is a dark side of Flash that you should know about: Flash can potentially run third-party scripts that gather your website’s information without your knowledge.

Last November Google announced that Google Analytics can track Flash by placing its code within the Flash file. This was received with great excitement as it allowed Flash websites to track their own Flash files, videos, and actions that were not captured as effectively as a regular HTML website. This announcement, however, spawned the troubling potential for malicious developers to run black hat analytics scripts through Flash that could effectively track a third party’s web data without their direct knowledge.

At Red Bricks Media, we ran a test to determine the seriousness of this threat. Through our test we determined that anytime a user uploads or embeds a third-party video, pixel, or graphic made from Flash, the data from that page can be transmitted into the same third-party’s Google Analytics or an analytics package built solely for the purpose of gathering black hat analytics competitive intelligence data.

People will embed scripts into their websites to become an affiliate partner, to run ads, or to display their latest movie RSS feed without reading any privacy notes, terms of service, or end user license agreements. Many of these Flash files can come in innocuous forms such as a common VeriSign Seal used by ecommerce websites (please note that VeriSign is not doing anything black hat). The openness of the web and the benefits that are given through online advertising are often abused by black hat tactics, so it’s important to be careful about which scripts you include on your website.

As a general rule, if you are thinking about embedding third-party Flash files or code, only place code from places you trust. Furthermore, we strongly suggest that you have your developers read the privacy notes and use data packet sniffing to determine just what these files are possibly sending out. Your data is a valuable asset in the competitive online world; do not let other sites have access to it without your explicit understanding or agreement.

Share this

Hide Sites

This entry was posted on Monday, March 30th, 2009 at 5:16 pm and is filed under Analytics, RIA, Search Engine Marketing, Search Engine Optimization. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.