What would you say if you found out that there was a way for a web site to store up to 100,000 bytes of information on your PC that it can use for tracking your activities, and that you have no control over it with your normal browser security settings? Would you be surprised? What if these files can be scattered throughout your PC, and are not detected and removed by most anti-virus software? Prepare to be surprised.
A recent video on Tech Republic called Delete Flash cookies to protest online privacy caught our attention and made us aware of something called “Flash cookies.” Flash cookies are similar to the normal type of tracking cookies that every web developer and most users are aware of, but are also different in many ways.
For a start, Flash cookies can store much more information. An HTML cookie can only store up to 4,000 bytes of data and can be easily deleted by using tools built into browsers. As previously mentioned, a Flash cookie can store up to 100,000 bytes of information and is not deleted by your browser when you delete normal cookies. It also appears that neither anti-spyware programs, such as Spybot Search and Destroy, nor anti-virus programs, such as Norton, are doing anything to either delete Flash cookies or alert you to their presence.
We are not Flash developers, so we were not aware that something like this existed. We were also quite surprised to find 657 Flash cookies lurking on our main PC. We were further surprised to find that many major web sites are using Flash cookies, yet we see no mention of their use in privacy policies. While most sites do mention the use of cookies, Flash cookies go way beyond the capabilities of standard, fairly harmless HTML cookies. If you are concerned about potential privacy issues, you should be very concerned about the prevalence of Flash cookies.
A Flash cookie is a Locally Shared Object or LSO. It uses the file extension .sol. Web sites can read and write these cookies using Flash objects embedded in web site code.
The good news is that you can control the use of Flash cookies by using an online tool called the Adobe Flash Player Settings Manager. As soon as you load this page, it has already connected to the Flash player on your computer.
If you are concerned about potential privacy issues, there are a couple of settings that you might want to change.
The first is the Global Privacy Settings panel. If you read it carefully, it clearly implies that Flash cookies have the ability to access a microphone or camera connected to your PC. This is clearly way beyond the capabilities of HTML cookies. The good news is that the default setting says that a Flash cookie must ask your permission before accessing these peripherals.
The second is the Global Storage Settings panel. By default, “Allow third-party Flash content to store data on your computer” is checked, which allows anyone who wrote a Flash object to store cookies without your knowledge or permission. I suggest that you make sure that this is unchecked.
The third is the Website Privacy Settings panel. This is where you can view all of the web sites that have stored Flash cookies on your PC. While there are a lot of big names here, including the Wall Street Journal, ABC News, CNET, Fedex, Amazon, etc., there are tons of sites that we have never visited, which leads us to conclude that these are likely from syndicated ads and web bugs that are tracking the sites that we visit. On this panel you can set individual privacy settings for different sites or you can delete all of the Flash cookies stored by these sites.
If you do not delete all of the sites, their cookies will remain on your PC. Any privacy settings from the previous changes you might have made on different panels only affect future Flash cookies. How do we know? Well, it was pretty obvious when we took this one step further by installing a free Firefox add-on called BetterPrivacy. BetterPrivacy claims to clear all of the Flash cookies from your PC every time you shut down Firefox.
Here is what we saw the first time we closed Firefox after installing this add-on.
Yes, that says 657 LSO objects were removed from the PC. We found over 500 on another PC we tested.
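To count the .sol files on a machine without relying on an add-on, the script below (an added example, not code from the original article or from BetterPrivacy) walks Flash Player's storage directories and totals LSO files and bytes per site. The directory paths and the `#SharedObjects/<random id>/<site>` layout are the player's well-known defaults rather than anything stated in the article, and the function names are hypothetical.

```python
import os
import sys
from collections import defaultdict

# Default Flash Player storage roots (assumption: the player used its defaults;
# these paths are not listed in the article).
DEFAULT_ROOTS = [
    os.path.expandvars(r"%APPDATA%\Macromedia\Flash Player"),           # Windows
    os.path.expanduser("~/Library/Preferences/Macromedia/Flash Player"),  # macOS
    os.path.expanduser("~/.macromedia/Flash_Player"),                   # Linux
]

def site_for(path):
    """Return the site directory an LSO file belongs to, or '(unknown)'."""
    parts = os.path.normpath(path).split(os.sep)
    if "#SharedObjects" in parts:
        i = parts.index("#SharedObjects")
        # Layout: #SharedObjects/<random id>/<site>/.../<name>.sol
        if len(parts) > i + 3:
            return parts[i + 2]
    return "(unknown)"

def inventory_lsos(roots):
    """Map site -> [file count, total bytes] for every .sol file under roots."""
    found = defaultdict(lambda: [0, 0])
    for root in roots:
        # os.walk silently yields nothing for roots that do not exist.
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(".sol"):
                    continue
                full = os.path.join(dirpath, name)
                try:
                    size = os.path.getsize(full)
                except OSError:
                    continue  # file vanished or is unreadable; skip it
                entry = found[site_for(full)]
                entry[0] += 1
                entry[1] += size
    return dict(found)

if __name__ == "__main__":
    report = inventory_lsos(sys.argv[1:] or DEFAULT_ROOTS)
    for site, (count, size) in sorted(report.items(), key=lambda kv: -kv[1][1]):
        print(f"{size:>8} bytes  {count:>4} file(s)  {site}")
    print(sum(count for count, _ in report.values()), "LSO files total")
```

Files reported under `(unknown)` are .sol files outside the per-site layout, such as the player's own per-site settings files.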
I know some of you who are web developers are going to say, “Perhaps some of those cookies were used for remembering web site logins or shopping cart contents, so maybe they should not be deleted.” That is a possibility, but thus far we have not noticed anything that would have benefited us as users.
I want to make it clear that I am not paranoid about HTML cookies. I understand that they have their place and can be important for tracking user statistics and improving the user experience by storing user preferences. However, there is something that just comes across as sneaky about Flash cookies, because most users are not aware of them and they are beyond the control of browser privacy settings.