Flash Cookies

The University of California at Berkeley discovered that a large number of the web's most popular sites are surreptitiously using a particularly sneaky cookie without informing users in their privacy policies. (SOURCE)

Everybody knows all about standard browser cookies, but Flash cookies are relatively unknown to most web users. Worse still, they are not controlled through the cookie privacy controls in a browser. So even if users believe they have cleared their computer of all cookie-like tracking objects, they most likely have not if they have visited a site that uses Adobe's Flash cookie.

If you think that's sneaky...

The report found that several services were even using this surreptitious data storage to reinstate traditional cookies that a user had deleted, a practice called "re-spawning." Like a bad zombie in a "B" movie, such cookies come back again and again even after you have used your best weapons to kill them. So even if you got rid of a website's tracking cookie, that cookie's unique ID will be assigned to a new cookie, using the Flash data as the "backup."

Even the government website Whitehouse.gov showed up in the report, with researchers reporting they found a Flash cookie with the name "userId." Whitehouse.gov does say in its privacy policy that it uses tracking technology, but it does not mention Flash or tell users how to get rid of the Flash cookie. You like it when the government snoops on you, right?

The funny thing is that the Berkeley study was to be used in the government's proceeding about the use of cookies on federal websites. Federal websites have traditionally been banned from using tracking cookies, even though such cookies are common around the web, a situation the Obama administration wants changed.

Congress and federal regulators are looking at ways of controlling the online tracking and advertising industry, which they feel has failed to be transparent about when, how and why it collects data about internet users. Strangely enough, the government has done no better at this.

Third party advertising networks have previously agreed to a voluntary code of conduct. The code they proposed prohibits little and has no enforcement mechanism. So even with regard to sensitive health information, advertisers are free to collect as much information as they please, just as long as it does not involve an actual prescription.

Berkeley's Chris Hoofnagle, the Director of Information Privacy Programs at the Berkeley Center for Law and Technology, tested the top 100 sites to see what their privacy policies said, what their tracking technology actually does and what happens if a user blocks the Flash cookie.

The 2009 study found that 54 of the top 100 Internet sites set Flash cookies, which vary from simply setting audio preferences to tracking users by a unique identifier. Some of these sites merely handle innocuous and useful functions, such as remembering the volume level you preferred when you watched a video or listened to a song.

Adobe's Flash software is installed on an estimated 98 percent of personal computers. Some of the web's most popular sites depend upon it, such as YouTube, Facebook and Hulu. Every time you see a YouTube video, you are using Flash.

Adobe's Flash cookie lets a site store up to 100K of information. That's about 25 times more than what a browser cookie can hold. Pandora.com uses the Adobe Flash cookie's storage capability to preload portions of songs or videos to deliver smooth and fast playback.

All modern browsers include controls that let users decide which cookies to accept and which to eliminate. Flash cookies are handled differently and do not abide by these rules or controls. Instead, they are managed through a web page on Adobe's site, where the controls are not easily understood (there is a panel for Global Privacy Settings and another for Website Privacy Settings; the difference is unclear). In fact, the controls are so odd that the page has to tell you that it is the control, not just a tutorial on how to use the control.

Defenders of behavioral ads say that privacy shouldn't be a concern since cookies really identify a browser, not a person. Moreover, they argue that users would prefer to have relevant ads. Targeted Behavioral Ads could also help save online journalism. Under this theory, Google text ads don't work on a news story about the governor raising the sales tax, since there's no product that goes with that context. But if the site knew the reader was in the market for a car, it could show an ad for the new Lexus and earn much more.

Users who want to control or investigate Flash cookies have several options:


Mac OS X:

Where to find your sneaky flash cookies:

  • Windows: LSO (Local Shared Object) files are typically stored with a ".SOL" extension in each user's Application Data directory, under Macromedia\FlashPlayer\#SharedObjects.
  • Mac OS X: For Web sites, ~/Library/Preferences/Macromedia/FlashPlayer. For AIR Applications: ~/Library/Preferences/[package name (ID) of your app] and ~/Library/Preferences/Macromedia/FlashPlayer/macromedia.com/Support/flashplayer/sys
  • GNU/Linux: ~/.macromedia
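
To see which sites have left Flash cookies on your own machine, the locations above can be walked with a short script. This is an added example, not code from the original article or from Adobe; it assumes the usual layout in which each object sits under #SharedObjects/<random directory>/<site>/, and it searches from the Macromedia directory downward so that variations in the Flash Player folder name do not matter.

```python
import os
import sys
from collections import defaultdict
from pathlib import Path

def flash_roots(home=None, appdata=None, platform=sys.platform):
    """Return the per-OS storage root taken from the list above."""
    home = Path(home or Path.home())
    if platform.startswith("win"):
        base = Path(appdata or os.environ.get("APPDATA", home / "Application Data"))
        return [base / "Macromedia"]
    if platform == "darwin":
        return [home / "Library" / "Preferences" / "Macromedia"]
    return [home / ".macromedia"]

def site_of(path):
    """Assumed layout: .../#SharedObjects/<random dir>/<site>/.../<name>.sol"""
    parts = Path(path).parts
    if "#SharedObjects" in parts:
        i = parts.index("#SharedObjects")
        if len(parts) > i + 3:          # random dir, site, at least a file name
            return parts[i + 2]
    return "(unknown)"                  # e.g. Flash Player's own settings files

def find_lsos(roots):
    """Group every .sol file under the roots by the site that stored it."""
    found = defaultdict(list)
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):   # missing roots yield nothing
            for name in files:
                if name.lower().endswith(".sol"):     # extension case varies
                    full = Path(dirpath) / name
                    found[site_of(full)].append((full, full.stat().st_size))
    return dict(found)

if __name__ == "__main__":
    for site, items in sorted(find_lsos(flash_roots()).items()):
        total = sum(size for _, size in items)
        print(f"{site}: {len(items)} object(s), {total} bytes")
        for path, size in items:
            print(f"    {size:>7}  {path}")
```

Running it before and after clearing browser cookies shows that the .sol files remain in place, which is the data that re-spawning relies on.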