The Federal Trade Commission’s (FTC) proposed “Do Not Track” legislation has generated a lot of interest in how websites track visitor behavior. In this article, I am going to introduce Flash cookies and explain how they may be used to violate consumers’ privacy.
What Is a Flash Cookie?
A Flash cookie, or Flash Shared Object (FSO), is like a normal browser cookie on steroids. It can continue to collect information about a person’s browsing behavior even if all other cookies have been restricted and deleted.
Permission Is Not Required
Adobe’s Flash Player does not prompt the user for permission to store FSOs on the user’s hard drive. What’s worse, it can be very difficult to find the files that a Flash cookie creates. On my Windows XP machine, here’s where I found a list of the Flash cookies:
C:\Documents and Settings\Mike\Application Data\Macromedia\Flash Player\#SharedObjects\B8QNMREQ
I found well over one hundred FSO files stored on my computer. The Flash cookie files are special Windows hidden files, making it even more difficult for the average user to find. I suggest that you search for the #SharedObjects directory on your computer. I found this directory on each of my Windows, Mac, and Linux computers as well.
Flash Cookies Have Enormous Storage Capacity
By default, a Flash cookie can store up to 100KB of data. Malicious or not, that’s an enormous amount of tracking information. Websites can use that 100KB to track a visitor’s behavior for many years. Normal browser cookies, by comparison, are limited to only 4KB of storage space.
FSOs Have No Boundaries, No Expiry Date, and Are Not Readable by Humans
A normal browser cookie exists within the boundaries of a single web browser, which means that a cookie stored for a Firefox user cannot track the same user in Internet Explorer. This tightly controlled environment does not apply to Flash Shared Objects, whose boundaries are not limited to a single web browser. Whether the visitor uses Internet Explorer, Firefox, Opera, or any other browser, the Flash cookie will continue to collect data.
A Flash Shared Object will never expire unless it’s deleted, and as you will see below, that’s not so easy to do. Browser cookies, on the other hand, have a built-in expiry mechanism.
If you do succeed in discovering where your Flash cookies are being stored, you will not be able to read their contents. They are saved in binary format. Even though you may not understand what’s saved in a normal browser cookie, the contents are stored as plain text, and thus readable by humans.
Flash Cookies Are Not Deleted Along With Browser Cookies
Over the last few years, most web surfers, including novice users, have become accustomed to activities such as clearing private data, removing browsing history, and deleting cookies. Accordingly, it will be quite disconcerting for many people to learn that none of these processes will remove Flash cookies. Flash cookies don’t play by the same rules as normal browser cookies. Clicking a remove all cookies button will delete normal browser cookies, but does not remove FSOs.
In January 2011, several companies, including Adobe, developed an API called NPAPI:ClearSiteData, which allows subscribing browsers — Firefox, Internet Explorer, Safari, Chrome — to truly delete Flash Shared Objects from a computer. As of writing, this API’s status is “Accepted, ready for implementation,” so it remains to be seen which web browsers will adopt this technology.
Along with the difficulty and confusion involved in deleting them, Flash cookies are capable of violating a user’s privacy in another way – by reinstalling normal browser cookies that have been deleted. This somewhat malicious practice is often referred to as “cookie re-spawning.”
The process of re-spawning a cookie is fairly simple. A website installs a regular browser cookie and a Flash cookie on the user’s computer. The Flash cookie stores the normal cookie’s unique cookie ID. When the Flash cookie is activated, it checks for the existence of the normal cookie. If the normal cookie does not exist — because the user has deleted it — the Flash cookie creates and installs another one. This practice is malicious because it never allows a user to truly delete a cookie, and the user’s privacy is never really protected.
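The binary .sol files mentioned earlier can be read once you know the container layout, and reading them is how you check for the re-spawning setup just described. The following is an added example, not code from the original article or from Adobe: a small AMF0 decoder for the Local Shared Object format (header, name, then variables), plus a check that reports which FSO variables hold the same value as a browser cookie. The sample .sol bytes and cookie values are constructed for illustration.

```python
import struct

def _amf0(buf, pos):
    """Decode one AMF0 value at buf[pos]; returns (value, new_pos). Constructed for this article."""
    t = buf[pos]; pos += 1
    if t == 0x00:                      # number: big-endian IEEE-754 double
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if t == 0x01:                      # boolean: single byte
        return bool(buf[pos]), pos + 1
    if t == 0x02:                      # string: u16 length + UTF-8 bytes
        n = struct.unpack_from(">H", buf, pos)[0]; pos += 2
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if t == 0x03:                      # object: key/value pairs until 00 00 09
        obj = {}
        while buf[pos:pos + 3] != b"\x00\x00\x09":
            n = struct.unpack_from(">H", buf, pos)[0]; pos += 2
            key = buf[pos:pos + n].decode("utf-8"); pos += n
            obj[key], pos = _amf0(buf, pos)
        return obj, pos + 3
    if t in (0x05, 0x06):              # null / undefined
        return None, pos
    raise ValueError("unsupported AMF0 type 0x%02x" % t)

def parse_sol(data):
    """Return (shared-object name, {variable: value}) from the bytes of a .sol file."""
    if data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        raise ValueError("not a Flash Shared Object")
    name_len = struct.unpack_from(">H", data, 16)[0]
    name = data[18:18 + name_len].decode("utf-8")
    pos = 18 + name_len + 4            # skip the 4-byte AMF version field
    variables = {}
    while pos < len(data):             # body: u16 name length, name, value, 0x00 pad
        n = struct.unpack_from(">H", data, pos)[0]; pos += 2
        key = data[pos:pos + n].decode("utf-8"); pos += n
        variables[key], pos = _amf0(data, pos)
        pos += 1
    return name, variables

def mirrored_ids(sol_vars, browser_cookies):
    """(FSO variable, cookie name) pairs holding the same value: the re-spawning setup."""
    return sorted((k, c) for k, v in sol_vars.items() if isinstance(v, str)
                  for c, cv in browser_cookies.items() if v == cv)

def sample_sol():
    """Constructed .sol bytes (not real data): a tracker storing uid, visits and prefs."""
    body = (b"\x00\x03uid\x02\x00\x06a1b2c3\x00" + b"\x00\x06visits\x00" + struct.pack(">d", 7.0)
            + b"\x00" + b"\x00\x05prefs\x03\x00\x06optout\x01\x00\x00\x00\x09\x00")
    rest = b"TCSO\x00\x04\x00\x00\x00\x00" + b"\x00\x07tracker" + b"\x00\x00\x00\x00" + body
    return b"\x00\xbf" + struct.pack(">I", len(rest)) + rest
```

To inspect a real file from the #SharedObjects directory, pass `open(path, "rb").read()` to `parse_sol`; a string value that equals one of your live browser cookies is the identifier a site could use to re-create that cookie after you delete it.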
A recent New York Times article entitled “Code That Tracks Users’ Browsing Prompts Lawsuits” states that at least five class-action lawsuits have been filed against well-known companies — like Fox Entertainment, NBC, and Quantcast — accusing them of malevolently using Flash cookies. Unfortunately, and probably because Flash cookies are a relatively unknown phenomenon, unethical companies are still able to exploit cookie re-spawning. Do Not Track legislation and upcoming web browser releases will surely address the privacy issues presented by Flash cookies.
Removing Flash Cookies, and Opting Out
To view the storage settings for a website that uses Flash, right-click on the Flash content itself. In the menu that appears, click the Settings item.
From the Adobe Flash Player Settings dialog, select the file storage folder tab. You can use the slider control to reduce the amount of local stored content to zero, if you wish. This will delete any previously installed Flash cookies and prevent future installations by this specific site.
An additional problem is that sites can install Flash cookies on your computer without actually displaying any Flash content. In the examples above, it was easy to find the Flash content — YouTube, for example, makes use of Flash to display its movies. Some websites, however, will display a nearly invisible 2-pixel Flash movie to plant a Flash cookie.
To gain more control over Flash cookies on your computer, access the Adobe Website Storage Settings panel on Adobe’s website.
The administration panel that you will see is not an image; it is the actual Settings Manager. You can use this tool to:
- View all of the sites that have stored Flash cookies on your computer;
- Delete some or all of the Flash cookies;
- Prevent Flash cookies from being stored on your computer;
- Limit the file size of a Flash cookie or set the permitted file size to zero, effectively restricting the cookie.
Adobe Flash Player 10.2 and Browser Privacy Mode
Most likely because of pressure from privacy advocates and the proposed Do Not Track legislation, version 10.2 of Adobe’s Flash player supports the private browsing mode of the major browser applications. Adobe’s official release states that Flash player 10.2 “integrates support for private browsing mode in Chrome, Firefox, Internet Explorer, and Safari. Flash Player will not save any local storage data when private browsing is in use, helping to protect user privacy.”
While this does not prevent unethical sites from attempting to re-spawn cookies, it does allow users to restrict Flash cookies — if the user activates the private browsing mode.
The question of whether or not visitor tracking with cookies is a violation of privacy continues to be debated. On the one hand, cookie tracking provides visitors with a more personalized browsing experience. Conversely, some users simply do not want their browsing behavior recorded and stored by third parties.
For now, the only way to prevent a Flash cookie from tracking behavior is to upgrade both the browser application and the Flash player to the latest versions, and to always use the web browser’s private browsing mode. It will be interesting to see if the FTC and other privacy advocate groups pressure Adobe into taking a more aggressive stance against the misuse of Flash cookies.