Web privacy: Flash cookies

Web privacy is a major concern at Exotic and Irrational Entertainment. Most people know about browser cookies, which are used to record what sites you visit, what ads you view, what products you buy online, and other information about you. But you can set your browser to reject all cookies except those that you explicitly agree to (it's particularly important to block third-party cookies). What's more insidious are the data-gathering techniques that you may be unaware of.

A few months ago I wrote about web bugs and beacons, and how they are used without your knowledge or consent to gather and aggregate information about you. There's another way that your internet use is monitored without your knowledge, and it's through a technology called "local shared objects."

Local shared objects are essentially permanent super-cookies that can each hold up to 100 KB of information about your web usage. To give you an idea of how much information this is, the text of this blog post is about 5 KB. So 100 KB would be the equivalent of 20 posts this size. It's a lot of information about the URLs you visit, the images you view, the products you buy, and the videos you watch.

Local shared objects can be placed on your computer without your knowledge or consent every time you use Adobe's Flash Player. That means every time you view a video on YouTube, Hulu or a similar site, a Flash super-cookie can be placed on your computer. But it can happen too whenever you visit a page on any site that contains Flash content (like ads that play automatically when they load in your browser). A recent report on "Flash Cookies and Privacy" (see below) found that more than 50% of the websites in their sample used Flash cookies.

Not only do these Flash cookies have the capability of recording a large amount of information about you, they act as a backup for browser cookies that you think you've deleted. So when a new browser cookie is placed on your computer by the site, the Flash cookie simply gives it same user ID and other information as the old cookie, "re-spawning" the deleted cookie.

To prevent Flash cookies from being automatically placed on your computer, you have to go to the Adobe website's Flash Player Settings Manager.

On the left-hand side of this page is a list of links for what Adobe calls global privacy, storage and security options. These control the settings for sites you haven't yet visited. There are also links for what Adobe calls website privacy and storage options, which control the settings for individual websites that you have already visited.

The Settings Manager that you see when you click on one of the links on this page is not an image. It is the actual Settings Manager that controls the Flash cookie privacy, security and storage options for your individual computer. Here is Adobe's own page on how to manage and disable local shared objects.

For more information on Flash cookies, how they are being used, and what you can do to prevent them from being set on your computer without your knowledge, here are some resources:

A recent article by Ryan Singel in Wired magazine: You Deleted Your Cookies? Think Again.

A page on the Electronic Privacy Information Center website: Local Shared Objects--"Flash Cookies".

A report by Ashkan Soltani of the University of California Berkeley School of Information and colleagues posted on the Social Science Research Network: Flash Cookies and Privacy.

Ironically, the Soltani report apparently can't be downloaded unless you allow the SSRN site to place browser cookies on your computer. Here's the abstract: "This is a pilot study of the use of 'Flash cookies' by popular websites. We find that more than 50% of the sites in our sample are using flash cookies to store information about the user. Some are using it to 'respawn' or re-instantiate HTTP cookies deleted by the user. Flash cookies often share the same values as HTTP cookies, and are even used on government websites to assign unique values to users. Privacy policies rarely disclose the presence of Flash cookies, and user controls for effectuating privacy preferences are lacking."