Website hosts and advertisers do not like relying on HTTP cookies. Users have figured out how to avoid them. According to Bruce Schneier, website developers now have a better way. It's still considered a cookie, yet it's different.

LSO, a bigger better cookie
A Local Shared Object (LSO), or Flash cookie, is, like the HTTP cookie, a way of storing information about us and tracking our movement around the internet. Some other things I learned:

  • Flash cookies can hold a lot more data, up to 100 kilobytes. A standard HTTP cookie is only 4 kilobytes.
  • Flash cookies have no expiration date by default.
  • Flash cookies are stored in different locations, making them difficult to find.

YouTube test
LSOs are also hard to get rid of. Here is a test proving that. Go to YouTube, open a video and change the volume. Delete all cookies and close the web browser. Reopen the web browser and play the same video. Notice that the volume did not return to the default setting. Thank a Flash cookie for that.

Not many know about Flash cookies and that is a problem. It gives people who configure their web browser to control cookies a false sense of security. As shown earlier, privacy controls have no effect on Flash cookies.

Where are they stored
Flash cookies use the extension .sol. Knowing that, I still wasn't able to find any on my computer. Thanks to Google (which uses Flash cookies), I determined the only way you can access information about resident Flash cookies is by going to Flash Player's website.

The following slide is from the Flash Player website and shows my storage settings. The visited websites (total of 200) shown in this tab all have deposited Flash cookies on my computer. This tab is also where the Flash cookies can be deleted, if so desired.

Flash cookies are rampant (Screenshot by Michael Kassner/TechRepublic)

Another Google search brought me to a report by University of California, Berkeley researchers. Flash Cookies and Privacy describes what the researchers found after capturing Flash cookie data from the top 100 websites. Here are the results:

  • Encountered Flash cookies on 54 of the top 100 sites.
  • These 54 sites set a total of 157 Flash shared objects files yielding a total of 281 individual Flash cookies.
  • 98 of the top 100 sites set HTTP cookies. These 98 sites set a total of 3602 HTTP cookies.
  • 31 of these sites carried a TRUSTe Privacy Seal. Of these 31, 14 were employing Flash cookies.
  • Of the top 100 websites only four mentioned the use of Flash as a tracking mechanism.

It appears many websites use both HTTP and Flash cookies. That surprised and confused the researchers. After more digging they found the answer: respawning.

Flash cookie respawning
UC Berkeley researchers determined that HTTP cookies deleted by closing the browser session were rewritten (respawned) using information from the Flash cookie:

"We found HTTP cookie respawning on several sites. On About.com, a SpecificClick Flash cookie respawned a deleted SpecificClick HTTP cookie. Similarly, on Hulu.com, a QuantCast Flash cookie respawned a deleted QuantCast HTTP cookie."

The researchers also found Flash cookies were able to restore HTTP cookies for more than one website domain:

"We also found HTTP cookie respawning across domains. For instance, a third-party ClearSpring Flash cookie respawned a matching Answers.com HTTP cookie. ClearSpring also respawned HTTP cookies served directly by Aol.com and Mapquest.com."

It gets better
A while ago, I wrote a piece about how Google started using behavioural targeting (BT) after originally saying they wouldn't. In that article, I mentioned the Network Advertising Initiative (NAI), a consortium of approximately 30 companies that use BT technology. Bowing to pressure, the group created an opt-out page making it simple to prevent tracking.

The researchers found that setting the opt-out cookie wasn't enough. Websites belonging to the NAI created Flash cookies anyway. The report refers to one specific incident:

"We found that persistent Flash cookies were still used when the NAI opt-out cookie for QuantCast was set. Upon deletion of cookies, the Flash cookie still allowed a respawn of the QuantCast HTML cookie. It did not respawn the opt-out cookie. Thus, user tracking is still present after individuals opt out."
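
The respawn test the report describes comes down to comparing cookie snapshots taken before and after deletion. The following Python is an added example, not code from the report or from this article. It assumes the HTTP cookies and Flash cookie contents have already been captured as dictionaries; all domains, cookie names and values are constructed placeholders.

```python
# Added example: offline respawn check over cookie snapshots (all sample data constructed).

def index_lso_values(lso_store):
    """Map each stored LSO value to the (lso_domain, key) pairs that hold it."""
    index = {}
    for lso_domain, items in lso_store.items():
        for key, value in items.items():
            index.setdefault(str(value), []).append((lso_domain, key))
    return index


def find_respawned(before, after, lso_store, min_len=8):
    """Return HTTP cookies whose pre-deletion value came back and is also held in an LSO.

    before / after: {(cookie_domain, name): value} captured on the first visit and on
    the revisit made after every HTTP cookie was deleted (LSOs left in place).
    """
    index = index_lso_values(lso_store)
    findings = []
    for (domain, name), value in sorted(after.items()):
        if len(value) < min_len:
            continue  # short flags such as "1" would match by coincidence
        if before.get((domain, name)) != value:
            continue  # a fresh identifier is the expected result of deletion
        for lso_domain, key in index.get(value, []):
            findings.append({"cookie": (domain, name), "lso": (lso_domain, key),
                             "cross_domain": lso_domain != domain})
    return findings


def lost_opt_outs(before, after, opt_out_names):
    """Opt-out cookies that existed before deletion and were not restored afterwards."""
    return sorted(k for k in before if k[1] in opt_out_names and k not in after)


# Constructed snapshots; domains and cookie names are placeholders.
BEFORE = {("tracker.example", "uid"): "4f9c2e7ab1d03358",
          ("tracker.example", "optout"): "OPT_OUT_SET",
          ("news.example", "visitor"): "c0ffee1234567890",
          ("shop.example", "session"): "1111aaaa2222bbbb"}
AFTER = {("tracker.example", "uid"): "4f9c2e7ab1d03358",    # same ID returned
         ("news.example", "visitor"): "c0ffee1234567890",   # same ID returned
         ("shop.example", "session"): "9999zzzz8888yyyy"}   # new ID: not respawned
LSO = {"tracker.example": {"uid_backup": "4f9c2e7ab1d03358"},
       "widgets.example": {"v": "c0ffee1234567890"}}

if __name__ == "__main__":
    for finding in find_respawned(BEFORE, AFTER, LSO):
        print(finding)
    print("opt-outs not restored:", lost_opt_outs(BEFORE, AFTER, {"optout"}))
```

A finding with `cross_domain` set corresponds to the third-party case in the report, and a non-empty `lost_opt_outs` result alongside a respawned identifier is the opt-out failure it describes.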

Some solutions
To prevent Flash cookies from being stored, switch to the Global Storage Settings tab in the Settings Manager and remove the check for "Allow third-party Flash content to store data on your computer" as shown in the following slide:

(Screenshot by Michael Kassner/TechRepublic)

That is supposed to prevent Flash cookies from being installed. Ironically, we have to take the word of the Flash website.

For the tests, researchers used Mozilla Firefox. In the report, they mentioned BetterPrivacy, a Firefox add-on that removes all Flash cookies when the web browser is closed. Another Firefox add-on, Ghostery, raises alerts about any hidden scripts that track web presence.

Final thoughts
I thought we were past unannounced tracking of our movements on the internet. If the technology is so innocent, make tracking an opt-in feature.

This was published in Wide World of Web; check every Wednesday for more stories.


Comments

1

lilikindsli - 30/09/09

eU1wtu I want to say - thank you for this!


2

Romase - 04/10/09

site best


3

Roberto - 04/10/09

cool blog


4

dilandinga - 05/10/09

RtqnD4 I bookmarked this link. Thank you for good job!


5

A.S. - 05/10/09

I have a small commercial website. I do everything myself, including creating, editing and publishing using FrontPage. I did not knowingly create/publish any cookies. However, when I recently configured a new PC for my young kids, and at first set IE to ask about every cookie, I was stunned to see cookies from my own website. The files ended in "_utma - _utmb - _utmc - and _utmz". What are these? Where did they come from? How do I get rid of them??


6

A.S. - 05/10/09

Please ignore my posting. I found my answer: Google Analytics.
