Flash cookies: What's new with online privacy

Web site hosts and advertisers do not like relying on HTTP cookies, as users have now figured out how to avoid them.

According to security expert Bruce Schneier, Web site developers now have a better way. It's still considered a cookie, yet it's different.

LSO, a bigger better cookie
Local Shared Object (LSO) or Flash cookie, like the HTTP cookie, is a way of storing information about us and tracking our movement around the Internet.

Some other things I learned:

• Flash cookies can hold a lot more data, up to 100 Kilobytes. A standard HTTP cookie is only 4 Kilobytes.

• Flash cookies have no expiration date by default.

• Flash cookies are stored in different locations, making them difficult to find.

YouTube test
LSOs are also hard to get rid of. Here is a test proving that. Go to YouTube, open a video, and change the volume. Delete all cookies and close the Web browser. Reopen the Web browser and play the same video. Notice that the volume did not return to the default setting. Thank a Flash cookie for that.

Not many know about Flash cookies and that is a problem. It puts people who configure their Web browser to control cookies under a false sense of security. As shown earlier, privacy controls have no effect on Flash cookies.

Where are they stored
Flash cookies use the extension .sol. Knowing that, I still wasn't able to find any on my computer.

Thanks to Google (which uses Flash cookies), I determined the only way you can access information about resident Flash cookies is by going to Flash Player's Web site.

The following slide is from the Flash Player Web site and shows my storage settings. The visited Web sites (total of 200) shown in this tab all have deposited Flash cookies on my computer. This tab is also where the Flash cookies can be deleted, if so desired.

Flash cookies are rampant
Another Google search brought me to a report by University of California, Berkeley researchers. Flash Cookies and Privacy describes what the researchers found after capturing Flash cookie data from the top 100 Web sites.

Here are the results:

• Encountered Flash cookies on 54 of the top 100 sites.

• These 54 sites set a total of 157 Flash shared objects files yielding a total of 281 individual Flash cookies.

• Ninety-eight of the top 100 sites set HTTP cookies. These 98 sites set a total of 3,602 HTTP cookies.

• Thirty-one of these sites carried a TRUSTe Privacy Seal. Of these 31, 14 were employing Flash cookies.

• Of the top 100 Web sites only four mentioned the use of Flash as a tracking mechanism.

It appears many Web sites use both HTTP and Flash cookies. That surprised/confused the researchers. After more digging they found the answer, respawning.

Flash cookie respawning
UC Berkeley researchers determined that HTTP cookies deleted by closing the browser session were rewritten (respawned) using information from the Flash cookie:

"We found HTTP cookie respawning on several sites. On About.com, a SpecificClick Flash cookie respawned a deleted SpecificClick HTTP cookie. Similarly, on Hulu.com, a QuantCast Flash cookie respawned a deleted QuantCast HTTP cookie."

The researchers also found Flash cookies were able to restore HTTP cookies for more than one Web site domain:

"We also found HTTP cookie respawning across domains. For instance, a third-party ClearSpring Flash cookie respawned a matching Answers.com HTTP cookie. ClearSpring also respawned HTTP cookies served directly by Aol.com and Mapquest.com."

It gets better
Awhile ago, I wrote a piece about how Google started using behavioral targeting (BT) after originally saying they wouldn't. In that article, I mentioned the Network Advertising Initiative (NAI), a consortium of approximately 30 companies that use BT technology. Bowing to pressure, the group created an opt-out page making it simple to prevent tracking.

The researchers found that setting the opt-out cookie wasn't enough. Web sites belonging to the NAI created Flash cookies anyway. The report refers to one specific incident:

"We found that persistent Flash cookies were still used when the NAI opt-out cookie for QuantCast was set. Upon deletion of cookies, the Flash cookie still allowed a respawn of the QuantCast HTML cookie. It did not respawn the opt-out cookie. Thus, user tracking is still present after individuals opt out."

Some solutions
To prevent Flash cookies from being stored, switch to the Global Storage Settings tab in the Setting Manager and remove the check for "Allow third-party Flash content to store data on your computer" as shown in the following slide:

That is supposed to prevent Flash cookies from being installed. Ironically, we have to take the word of the Flash Web site.

For the tests, researchers used Mozilla Firefox. In the report, they mentioned BetterPrivacy, a Firefox add-on that removes all flash cookies when the Web browser is closed. Another Firefox add-on Ghostery raises alerts about any hidden scripts that track Web presence.

Final thoughts
I thought we were past unannounced tracking of our movements on the Internet. If the technology is so innocent, make tracking an opt-in feature.

Michael Kassner has been involved with IT for over 30 years, and is currently a systems administrator for an international corporation and security consultant with MKassner Net.