Author Topic: The Undeletable Cookie: Flash Cookies  (Read 2032 times)


Online Skhilled (OP)

The Undeletable Cookie: Flash Cookies
« on: August 07, 2010, 03:16:21 AM »
Here's an excerpt from an article about Flash cookies:

Quote
Eliminate Flash-spawned 'zombie' cookies
By Woody Leonhard

Way back in a 2008 column, I spotlighted one of the most insidious and least-known features on the Internet: Adobe Flash cookies that were not subject to the usual cookie rules.

Almost two years later, these special Flash cookies are still living in our PCs, and enterprising privacy-busters now use them to create zombie cookies - regular cookies that come back from the dead.

My Oct. 23, 2008, column, "Flash cookies are putting your privacy at risk," described how data stored by Adobe's Flash Player is beyond your browser's control and how it could store more personal data than you'd suspect.

Flash cookies have now landed their manipulators in troubled waters. Last week, two well-known privacy attorneys, Dallas-based Joseph Malley and California-based David Parisi, filed a lawsuit in U.S. District Court for the Central District of California against Quantcast, a Web page-ranking and audience-statistics firm. (A July 27 Wired Threat Level story on the lawsuit includes a link to a PDF copy of the filed court documents.)

The lawsuit claims class action status and lists additional defendants - a Who's Who of online players including MySpace, ABC, ESPN, Hulu, JibJab, MTV, NBC Universal, and Scribd.

In the class action complaint, Quantcast "and websites affiliated individually with Quantcast, referred collectively to as, 'Quantcast Flash Cookie Affiliates,'" are accused of "setting [F]lash cookies on their user's computers to use as local storage within the [F]lash media player to back up browser cookies for the purposes of restoring them later."

The complaint goes on to accuse the defendants of setting online tracking devices that let them access and disclose personal information. But while the complaint is complex, the technology that spawned it is surprisingly straightforward.

Flash cookies are the all-pervasive app

In order to understand zombie cookies (yes, that's the technical name), you need to know about Flash's Local Shared Objects, or LSOs - the formal name for Flash cookies. My 2008 column goes into detail about LSOs, but the upshot is this: Adobe Flash Player LSOs work much like the cookies maintained by our browsers - they are files that live in our computers and are updated and read by Web pages that we visit.

Since Flash Player runs on more computers than even Windows (!), Flash Cookies are as close to universal as anything on the Internet. Steve Jobs won't let Flash run on iPads and iPhones, but for just about everything else, there's a version of Flash.

Like standard cookies, LSOs usually fly under the radar. But they can store significantly more data than the usual cookie. Regular old browser cookies are limited to 4KB in size; LSOs can go up to 100KB. Regular cookies are completely controlled by your browser - you can use your browser to turn them on or off, to delete them, to block them. Not so LSOs. They are controlled by Adobe's Flash Player, and it's notoriously difficult to get at them.

While you may not have easy access to Flash LSOs, Web sites do. If you have Adobe Flash installed on your computer, Web pages can set and read Flash cookies - whether the page you're viewing has a visible Flash animation or not. So while you think you've blocked a site's cookies, it's entirely possible for the site to use an LSO for the same purpose.

And it's all hidden under the covers and difficult to turn off unless you run a Flash Cookie blocker (more about which later) or jump through some major hoops.

Cookies that return from the cookie-crusher

Most PC users know the basics of Web cookies. Most have their computers set up to block cookies, block third-party cookies, or delete all cookies when they end a browsing session. It's all based on your level of paranoia. You may have a spyware scanner that looks for and deletes various types of cookies, particularly from marketing companies such as Doubleclick. Even those of us who allow cookies free rein still delete them from time to time, if only to clear out the cobwebs.

Here's how zombie cookies reappear.

When you visit Web sites, they often plant cookies on your computer, if they can. But some sites will also stick duplicate cookies into the Flash LSO. When you go back to these sites, they check whether you have their standard cookies stored in your browser. If none are found, they then check whether there's any doppelgänger cookies in the Flash LSO. And if they find any, the sites reconstruct their original cookies and stick them back into your PC. Very clever.

Zombie cookies are scary because they provide online companies with a secret way to keep tabs on people and their Web-surfing proclivities. Unless you check your browser's list of cookies regularly, you may never know that these resurrected tracking cookies are back in business.

Where companies like Quantcast come into play

Data-gathering companies such as Quantcast make money selling information about people who visit web sites. According to Quantcast's own site, "Millions of Web site owners, including two-thirds of the Online Publisher's Association, use Quantcast's measurement service to create demographic, geographic, and affinity-based audience profiles." And the cookies placed on your PC can be used as sophisticated monitoring tools.

Curious about what's gathered? You can take a free ride with the Quantcast demo.

I ran a Quantcast analysis for U.S.-based visitors to our site, windowssecrets.com, in May of this year. The results appear in Figure 1. You should take the results with a grain of salt, of course.



Figure 1. According to Quantcast, 86% of those who visit the Windows Secrets site have no kids under 18; 19% make more than $100,00 per year; and 17% at least walked through part of grad school.

It's in the best interest of these companies to continually gather data about Web-site visitors. Cookies, as already mentioned, are a key part of that process. Zombie cookies undoubtedly contribute to keeping these tracking cookies alive for as long as possible.

Take control of Flash cookies with PC cleaners

Controlling Flash LSOs, and thus eliminating zombie cookies, is a pain in the neck if you use the Adobe method, which involves futzing around with a very unfriendly Web site. I talk about the official method in my October 2008 article.

For Firefox users, an add-in can now help. To control Flash cookies, just download (page) and install the BetterPrivacy add-in for Firefox.

For cleaning Internet Explorer, there are two products - both free - you can try: CCleaner, available for download on Piriform's home page, and Flash Cookies Cleaner 1.2, offered as a free download on Softpedia's site.

Certainly, the zombie cookie approach to subverting a user's direct commands - reinstating a cookie after the user has explicitly deleted it - constitutes some sort of privacy invasion. Whether it's actionable in court is anybody's guess.

Should be quite interesting.

I already use CCleaner and just installed Better Privacy. After installing it I found a ton of hidden flash cookies from various sites that I've been to and had forgotten all about! Bye-bye cookies!  :wave:
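
A way to check for the respawn behaviour the quoted article describes, as an added example that is not part of the original post or the article: it inventories `.sol` files under a Flash Player `#SharedObjects` directory (typically `%APPDATA%\Macromedia\Flash Player\#SharedObjects` on Windows or `~/.macromedia/Flash_Player/#SharedObjects` on Linux) and flags deleted cookies that have returned with the same value an LSO still holds. The function names, the cookie dictionaries and the sample file are constructed for illustration, and the match assumes the value is stored in the LSO as a plain string.

```python
import os
import tempfile

def inventory_lsos(shared_objects_root):
    """Return {site domain: [(path, size, raw bytes), ...]} for every .sol file."""
    found = {}
    for dirpath, _dirs, files in os.walk(shared_objects_root):
        for name in files:
            if not name.lower().endswith(".sol"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, shared_objects_root).split(os.sep)
            # rel[0] is Flash Player's random per-profile folder, rel[1] the site
            domain = rel[1] if len(rel) > 2 else "(unknown)"
            with open(path, "rb") as fh:
                raw = fh.read()
            found.setdefault(domain, []).append((path, len(raw), raw))
    return found

def zombie_candidates(deleted, current, lsos):
    """Cookies the user deleted that are back with the same value, where that
    value is also present in an LSO (the backup copy used to restore it)."""
    hits = []
    for key, value in deleted.items():        # key = (domain, cookie name)
        if current.get(key) != value:
            continue                          # not restored, or a fresh value
        needle = value.encode("utf-8")
        for lso_domain, entries in lsos.items():
            for path, _size, raw in entries:
                if needle in raw:
                    hits.append((key[0], key[1], lso_domain, os.path.basename(path)))
    return hits

def demo():
    # Constructed sample data: the file below is not a well-formed .sol,
    # it only carries a copy of the tracking ID so the match can be shown.
    with tempfile.TemporaryDirectory() as root:
        site_dir = os.path.join(root, "ABCD1234", "tracker.example")
        os.makedirs(site_dir)
        with open(os.path.join(site_dir, "backup.sol"), "wb") as fh:
            fh.write(b"\x00\xbfTCSO uid a1b2c3d4e5f60718")
        deleted = {("tracker.example", "uid"): "a1b2c3d4e5f60718",
                   ("shop.example", "session"): "zzz999"}
        current = {("tracker.example", "uid"): "a1b2c3d4e5f60718",  # came back
                   ("shop.example", "session"): "new-value"}        # new session
        return zombie_candidates(deleted, current, inventory_lsos(root))

if __name__ == "__main__":
    for hit in demo():
        print("respawned cookie:", hit)
```
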

Offline Ken

Re: The Undeletable Cookie: Flash Cookies
« Reply #1 on: August 07, 2010, 08:38:53 AM »
Cookies have been around for years now, almost from the beginning of the internet. There started to be major security concerns as far back as 2000 because by then advertisers had discovered that they could track our internet use by placing cookies in our browsers and on our PC's.

Thanks for posting this article Steve, it has been a good long while since the last time I checked my cookies.   :innocent:
"Not all who wander are lost."-Tolkien
Yesterday When I was Young.

Online Skhilled (OP)

Re: The Undeletable Cookie: Flash Cookies
« Reply #2 on: August 08, 2010, 01:41:02 PM »
I delete my cookies regularly but did not know that the flash ones reacted this way until now.