A complaint filed last week in California alleges that several companies including Disney, Warner Bros. Records, Ustream and others have installed illegal codes on millions of computers with the purpose of tracking online activity. At the center of the suit, which seeks class action status, are the so-called Flash cookies. Technically known as Local Shared Objects (LSO), these are used by Flash-based applications to store preferences, cache files or save state and temp data, all methods of improving user experience. However, security experts and researchers have warned that this feature can be misused to store tracking cookies and even re-create them if they are intentionally deleted from the browser. This is exactly what the companies referred to collectively as “Clearspring Flash Cookie Affiliates” in the complaint are accused of doing, thus affecting the visitors to their respective Web sites. The defendants are Clearspring Technologies, the company developing Flash-based technologies and its customers, which include Walt Disney Internet Group, Demand Media, Project Playlist, Soapnet, SodaHead, Ustream and Warner Bros. Records. “Defendants Clearspring Flash Cookie Affiliates acted with Defendant Clearspring, independently of one another, and hacked the computers of millions of consumers’ computers to plant rogue, cookie-like tracking code on users’ computers. With this tracking code, Defendants circumvented users’ browser controls for managing web privacy and security,” the complaint reads. Unlike regular cookies, which are governed by the browser’s Same-Origin policy, making it possible only for their creator to access them, Flash cookies can be read by any Web site. This allowed Clearspring to build visitor profiles and sell the data to advertisers.