How Flash Cookies Threaten Your Privacy

Web sites are embedding bugs into your computer that track you even after you have cleared your browser's privacy settings.

These bugs are called Flash Cookies, or Local Shared Objects. Web sites use them to track you because they know that most people don't know about them and that they can track you even after you have cleared your privacy settings.

Web sites that use Flash cookies to bypass users' cookie privacy settings should be publicly flogged.

Examples of sites that use Flash cookies to remember your personal data even after you clear your cookies and privacy settings:

Flash Cookies and Privacy

The Electronic Privacy Information Center has a good page of information on Flash cookies:

Recently, users have become more vigilant in purging cookies from their computers. According to a Jupiter Research study, 58% of online users have deleted cookies from their computer and 39% of users do so on a monthly basis. This regular "cookie tossing" is causing direct marketers to seek more invasive methods to track individuals. One of those methods is to set a "Local Shared Object," also known as a "Flash cookie" to track individuals. Simply put, the idea behind this tracking is to set two cookies on the user's machine--a standard cookie that the consumer may erase, and a second Flash cookie that the user probably will keep, because the existence of Flash cookies is not well known....

This practice is highly deceptive. By deleting cookies, consumers are clearly rejecting attempts to track them. Using an obscure technology to subvert these wishes is a practice that should be stopped. Cookies have many beneficial purposes and can make the end user's web experience better. Websites should be honest and up front about how they use cookies, and they should respect the decisions of those users who do not want to be tracked via cookies.

VistaPrint's privacy policy admits that they use Flash cookies, and says:

If you have Macromedia Flash installed on your computer, we will also use a file called a Flash Object to store your unique customer code and record locater on your computer. Unless deactivated by you, the Flash Object provides us with a backup method for recognizing you in the event that we are unable to identify your cookies.

In other words, it bypasses your choice to clear browser cookies and tracks you regardless of whether you have turned on your browser's privacy settings.

The Core Problem is Browsers

One of the core problems is that browsers do not clear Flash cookies at the same time the user clears other browser cookies.

For information about where your Flash cookies are stored, see this Wikipedia page. It has good criticisms of Flash cookies:

Flash Player uses a sandbox security model, but, contrary to some definitions, the application does not ask the user's permission to store data on his hard disk. This may constitute a collection of cookie-like data that may include not only user-tracking information but any personal data that the user has entered in any Flash-enabled application, whether it be stand-alone or Web-based.

Consumers often see cookies as an invasion of privacy and resent having them loaded into their computers without permission. While we have learned to delete traditional cookies, most are unaware of LSOs, and don't know how to disable them. Users who delete traditional cookies may find those cookies resurrected because of Adobe/Macromedia's LSOs. Since LSOs, unlike traditional cookies, have no expiration dates, the information resurrected in those cookies may persist indefinitely.

Useful Firefox Extensions

There is a Firefox extension called Objection that allows you to clear Flash cookies. It shouldn't be a separate step though; Firefox should clear Flash cookies when it clears your regular cookies. I found that it cleared the Flash cookies out of my ~/.macromedia/Flash_Player/#SharedObjects/ directory (Ubuntu Gutsy), but that when I visited Macromedia's Flash cookie manager (below), the cookies were still detected on my computer. The Objection extension apparently isn't clearing all of the history/cookie data.

Another useful Firefox extension for managing Flash is Flashblock which blocks all Flash by default, with the option to enable it in specific cases.

How to Remove and Block Flash Cookies

If you want to destroy all Flash cookies on your computer and prevent new ones from being created, go to this page which is Macromedia's Flash control panel. You can manage your Flash settings from that Web page. A full tutorial is here.

After you have blocked Flash cookies, you will be presented with the option to reject them whenever a Flash movie tries to set them:

[Image: clearing-blocking-flash-cookies-lso.png]
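
The manual cleanup described above can be scripted. The shell functions below are an added example, not code from this article or from Adobe: they inventory the *.sol files under the directory named earlier, grouped by the domain that stored them, delete them, and optionally apply the chmod 000 lock mentioned in the comments. The layout `<random id>/<domain>/...` inside that directory and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): audit and purge Flash LSOs on Linux.
# Default root is the directory named in the article. Assumed layout:
#   <root>/<random id>/<domain>/[path/]<name>.sol
LSO_ROOT="${LSO_ROOT:-$HOME/.macromedia/Flash_Player/#SharedObjects}"

# Print "domain<TAB>bytes<TAB>path" for every .sol file under ROOT.
lso_list() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name '*.sol' | while IFS= read -r f; do
        rel=${f#"$1"/}          # strip root -> <random id>/<domain>/...
        rest=${rel#*/}          # strip id   -> <domain>/...
        printf '%s\t%s\t%s\n' "${rest%%/*}" "$(wc -c < "$f" | tr -d ' ')" "$f"
    done
}

# Print "domain<TAB>file count", one line per domain that stored an LSO.
lso_domains() {
    lso_list "$1" | cut -f1 | sort | uniq -c | awk '{ print $2 "\t" $1 }'
}

# Delete every .sol file under ROOT; print how many were removed.
lso_purge() {
    [ -d "$1" ] || { echo 0; return 0; }
    n=$(find "$1" -type f -name '*.sol' | wc -l | tr -d ' ')
    find "$1" -type f -name '*.sol' -exec rm -f -- {} +
    echo "$n"
}

# Purge, then remove all permissions from ROOT so the plugin cannot write
# new LSOs (the chmod 000 approach from the comments; does not stop root).
lso_lock() {
    lso_purge "$1" >/dev/null
    chmod 000 "$1"
}

# Stand-alone use: "list" (default), "purge" or "lock" on LSO_ROOT.
case "${1:-list}" in
    list)  lso_domains "$LSO_ROOT" ;;
    purge) lso_purge "$LSO_ROOT" ;;
    lock)  lso_lock "$LSO_ROOT" ;;
esac
```

The purge is scoped to #SharedObjects rather than to every *.sol file on the disk, so any Flash Player settings files kept elsewhere (assumed here to be stored outside this directory) are left alone.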

The Solution

Obviously, Web sites should not be trying to bypass their visitors' privacy settings.

The ability to clear Flash cookies along with regular Web cookies is something that should be built into browsers. The default setting in browsers should be to delete Flash cookies whenever the browser is shut down.


Comments

Flash Cookies

Excellent article my man! You have put succinctly by use of the printed word what I try to educate my clients concerning their online privacy and security. My goodness, I use Vista Print and was unaware they are one of the transgressors of "Flash Cookies". Bad Vista Print/Bad Vista Print!%&$#*. We do clean and sweep these intrusive and HIGHLY objectionable bits of electronic fluff out of our work computers, but I must admit to a bit of laziness on my home PC. Yup, I'm a PC user, rather the devil you know than the one you don't.
From now on a "Flash Cookie" clean up will be on the list of procedures when I shut down the home network.
I'm new to your site and find it Berry-Berry Good. I shall return and recommend it to my network of trusted compatriots.
Thank You & All The Best.
Mitch

Adobe Macromedia Flash Cookies Should Be ABOLISHED

Do you value your online privacy? Better do a search on your hard drive for *.sol - You will be shocked & maybe upset to find all those secret cookies that your FLASH PLAYER has been installing on your hard drive, behind your back.

It is outrageous that Adobe requires us to go over to their website and let them muck around on our own hard drive before we can DISABLE the secret, hidden, surreptitious Flash Cookies that websites put onto our machines by virtue of visiting them, totally unbeknownst to us. (Note: These Flash Cookies NEVER expire and some of them even contain the NAME OF YOUR COMPUTER and the FILE PATH/DIRECTORIES of certain files! These cookies are SHARED ACROSS DOMAINS, without our knowledge or permission.)

Even after kowtowing to Adobe's heavy-handed demands, once we DELETED a bunch of Flash Cookies, the setting to DENY Flash Cookies somehow "miraculously" disappeared, so all Flash Cookies started appearing again on our hard drive. This is an outrage.

Recommend that everyone who prefers self-sovereignty and mastery over their own computers WRITE or CALL ADOBE and COMPLAIN LOUDLY about these secret snoop cookies and DEMAND that they create a patch or updated Flash Player that permits the end-user to SET THE DENY COOKIES SETTING ON OUR OWN HARD DRIVES and LEAVE IT THERE.

Thanks for listening.


Adobe Flash cookies

@justme
I agree with what you wrote. The only way I could stop Flash from recording which websites I visit was to chmod 000 the directory where Flash stores the cookies. That method of blocking Flash cookies only works on Linux though.

Flash cookies are unethical and this method of spying on Web users should be exposed.

MAXA Cookie Manager DETECTS FLASH COOKIES

The German MAXA Cookie Manager will detect Flash Cookies (as well as others) on your hard drive, but if you want it to delete the cookies (and do other functions), you have to buy it. Costs about $35.00.

We should not have to buy software to try to reclaim our privacy because a software vendor like Adobe/Macromedia has secretly RIGGED THEIR PRODUCT to snoop on us, behind our backs, without our knowledge or permission.

Remember Real Player and other things like the Pentium chip that caused such an OUTRAGE due to spying on end-users? We need a little more OUTRAGE right now, to stop Adobe/Macromedia from this secretly spying on us. Hope everyone will express their outrage to Adobe and help spread the word on this.

Thanks.


Flash and privacy

I hope that the media will expose this story.

Adobe's website has this claim that looks fraudulent:

Does Flash Player compromise my privacy and security?

    No. Flash Player is not only the most widely distributed piece of software on the Internet today, it's also one of the most secure. Given that Flash Player is in use by over 500 million internet users we invest considerable effort into keeping Flash Player safe and secure.

Flash cookies (LSOs) obviously compromise privacy by sneakily bypassing users' browser privacy settings, so Adobe's statement is false.

Flash Cookies DO Compromise Our Privacy & Security

Nice work! Thanks for posting that. Adobe is downright dishonest in that statement. Some of the Flash Cookies hold the computer's NAME and entire FILE DIRECTORY/PATH for Cookies, etc. etc. They also NEVER EXPIRE and are SHARED ACROSS DOMAINS.

It is odd that so few seem aware of this problem. Any ideas where we can help to publicize it, to pressure Adobe to STOP THIS? It is totally unacceptable that Adobe demands that users go to their website and ALLOW ADOBE TO CHANGE SETTINGS ON OUR HARD DRIVES, before we can stop the planting of these secret snooping cookies on our machines. (Then the settings are changed again, anyway, if you delete the *.sol files on your computer and the planting of the Flash Cookies resumes! Outrageous!)

Adobe seems to be patterning itself after the Microsoft model of dominance & submission tactics of their end-users!

Hope more people will raise a ruckus about this! It needs to stop--sooner rather than later.

Google Ordered to Hand Over YOU TUBE Database (Cookies)

Google was recently ordered to hand over all their records about WHAT VIDEOS we watch on YOUTUBE--these details are presumably obtained via the FLASH PLAYER SECRET COOKIES we're implanting on our machines.

GOOGLE CHROME USES THESE TOO

Just found out today (11/06/08) that Google Chrome - even when in "Incognito Mode" - uses these flash cookies too. I tried to see if there was some software out there that takes them out and nothing I saw seems really reliable or else involved a lot of convoluted configuration.

I thought I might have been safer from cookie intrusion with FireFox, but I now see Mozilla even uses them.

I agree that the browser makers should allow an option to remove flash cookies too. Yes, I know they make their money by advertisements and cookies are part of that process.

However, most people who are reading this Blog are either somewhat or deeply geekified and probably don't click on any ads anyhow.

Further, the ordinary user doesn't really care anything about regular cookies. So why would they care about flash cookies? All they want is software that works. Whatever else happens - they could care less. I know this as I am the I.T. specialist for a small agency and can literally see where folks surf all the time - they don't even try to cover their tracks. They are the ideal folks browser makers want.

So, why shouldn't MS, Mozilla, Adobe, Google, et al. just give the people the means? They probably won't be garnering much more business from the geeks anyway. It's almost like trying to squeeze water from a stone for pete's sake!


Flash cookies

I think it's Adobe's fault because it's their software that installs the cookies. If I'm not mistaken, Flash cookies that are stored while surfing in one browser will still be available in other browsers. (Can anyone confirm this?)

The browsers should make it possible to delete Flash cookies though.

Flash Cookies

Dear Webmaster:
Your article on flash cookies and privacy is spot on! I just wish I had found the article sooner. Through my own struggling investigation I have solved the mystery, for myself, of this insidious practice. If I had found this site first I could have saved myself two days of snooping. Your article is accurate and your opinion on the subject should be shared with the "unwashed" multitude.
Do you remember the stink we dumb consumers made about Intel's Pentium III chip with the identifier? So big a fuss, Intel gave up the idea. Why is there no outcry over this far more insidious "mpsnare" flash cookie?
Are there any groups, anywhere, on or off-line, that are fighting this devious trend in privacy invasion? Even respected companies use these flash-cookies and some say so in their privacy policy (i.e., Amazon) but nowhere do they explain that they use them to defeat your clearing out your session cookies. They know the average computer user does not know how to find, delete or prevent such cookies.
Thanks again for your article.

@Webmaster Tips You can

@Webmaster Tips

You can change the security permissions of the relevant directories on Windows too - just right click the folder, security, and deny modify user and system. Voila!

Not all Flash Cookies are bad

If you have ever made a flash game, these files are a good way of storing the user's progress/achievements/stats etc, just as in a video game.
It's not hard to delete these files, if you need an app to do it then use CCleaner, otherwise the good old 'shift + delete' will always work.
I disagree that the 'obvious solution' is automatic deletion upon browser shut down, it should be an option that you can choose when installing the browser.


Flash cookies

I'm not saying automatic deletion upon shutdown should be mandatory, but there should be the option to have automatic deletion upon shutdown -- the same way that it is for HTTP cookies.
