Flash cookies: What's new with online privacy

If you thought refusing HTTP cookies prevented tracking, think again. Web site developers have found a way.

Web site hosts and advertisers do not like relying on HTTP cookies. Users have figured out how to avoid them. According to Bruce Schneier, Web site developers now have a better way. It's still considered a cookie, yet it's different.

LSO, a bigger better cookie

Local Shared Object (LSO) or Flash cookie, like the HTTP cookie, is a way of storing information about us and tracking our movement around the Internet. Some other things I learned:

  • Flash cookies can hold a lot more data, up to 100 Kilobytes. A standard HTTP cookie is only 4 Kilobytes.
  • Flash cookies have no expiration date by default.
  • Flash cookies are stored in different locations, making them difficult to find.

YouTube test

LSOs are also hard to get rid of. Here is a test proving that. Go to YouTube, open a video, and change the volume. Delete all cookies and close the Web browser. Reopen the Web browser and play the same video. Notice that the volume did not return to the default setting. Thank a Flash cookie for that.

Not many know about Flash cookies and that is a problem. It puts people who configure their Web browser to control cookies under a false sense of security. As shown earlier, privacy controls have no effect on Flash cookies.

Where are they stored

Flash cookies use the extension .sol. Even knowing that, I wasn't able to find any on my computer. Thanks to a Google search (Google itself uses Flash cookies), I determined that the only way to see information about the Flash cookies resident on your computer is to go to Flash Player's Web site.

The following slide is from the Flash Player Web site and shows my storage settings. The visited Web sites (total of 200) shown in this tab all have deposited Flash cookies on my computer. This tab is also where the Flash cookies can be deleted, if so desired.

Flash cookies are rampant

Another Google search brought me to a report by University of California, Berkeley researchers. Flash Cookies and Privacy describes what the researchers found after capturing Flash cookie data from the top 100 Web sites. Here are the results:

  • Encountered Flash cookies on 54 of the top 100 sites.
  • These 54 sites set a total of 157 Flash shared objects files yielding a total of 281 individual Flash cookies.
  • Ninety-eight of the top 100 sites set HTTP cookies. These 98 sites set a total of 3,602 HTTP cookies.
  • Thirty-one of these sites carried a TRUSTe Privacy Seal. Of these 31, 14 were employing Flash cookies.
  • Of the top 100 Web sites only four mentioned the use of Flash as a tracking mechanism.

It appears many Web sites use both HTTP and Flash cookies. That surprised and confused the researchers. After more digging they found the answer: respawning.

Flash cookie respawning

UC Berkeley researchers determined that HTTP cookies deleted by closing the browser session were rewritten (respawned) using information from the Flash cookie:

"We found HTTP cookie respawning on several sites. On About.com, a SpecificClick Flash cookie respawned a deleted SpecificClick HTTP cookie. Similarly, on Hulu.com, a QuantCast Flash cookie respawned a deleted QuantCast HTTP cookie."

The researchers also found Flash cookies were able to restore HTTP cookies for more than one Web-site domain:

"We also found HTTP cookie respawning across domains. For instance, a third-party ClearSpring Flash cookie respawned a matching Answers.com HTTP cookie. ClearSpring also respawned HTTP cookies served directly by Aol.com and Mapquest.com."
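As an added example (my own code, not from the article or the Berkeley report), here is a small Python audit tool that decodes the .sol format Flash Player writes and applies the respawning check described above: an HTTP cookie whose value is also held in a Local Shared Object is exactly what a site needs to rewrite that cookie after the user deletes it. The AMF0 .sol layout, the folder layout under #SharedObjects, and the sample object, cookie names and values are assumptions or constructed for this example.

```python
import os
import struct

def build_sample_sol(name, props):
    """Build a minimal AMF0 .sol in memory (constructed sample, not a real file)."""
    body = b""
    for key, val in props.items():
        body += struct.pack(">H", len(key)) + key.encode()
        if isinstance(val, bool):
            body += b"\x01" + (b"\x01" if val else b"\x00")  # AMF0 boolean
        elif isinstance(val, (int, float)):
            body += b"\x00" + struct.pack(">d", float(val))  # AMF0 number (double)
        else:
            s = str(val).encode()
            body += b"\x02" + struct.pack(">H", len(s)) + s  # AMF0 short string
        body += b"\x00"                                      # property terminator
    payload = b"TCSO" + b"\x00\x04\x00\x00\x00\x00"          # signature + reserved
    payload += struct.pack(">H", len(name)) + name.encode()  # object name
    payload += struct.pack(">I", 0) + body                   # 0 = AMF0, then properties
    return b"\x00\xbf" + struct.pack(">I", len(payload)) + payload

def parse_sol(data):
    """Decode a .sol header and its AMF0 number/boolean/string properties."""
    if data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        raise ValueError("not a Local Shared Object")
    if struct.unpack(">I", data[2:6])[0] != len(data) - 6:
        raise ValueError("length field disagrees with file size")
    pos = 16                                      # magic, length, TCSO, 6 reserved bytes
    nlen = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
    name = data[pos:pos + nlen].decode(); pos += nlen
    if struct.unpack(">I", data[pos:pos + 4])[0] != 0:
        raise ValueError("only AMF0 objects are handled here")
    pos += 4
    props = {}
    while pos < len(data):
        klen = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        key = data[pos:pos + klen].decode(); pos += klen
        marker = data[pos]; pos += 1
        if marker == 0x00:                        # number
            val = struct.unpack(">d", data[pos:pos + 8])[0]; pos += 8
        elif marker == 0x01:                      # boolean
            val = data[pos] != 0; pos += 1
        elif marker == 0x02:                      # short string
            slen = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
            val = data[pos:pos + slen].decode(); pos += slen
        else:
            raise ValueError(f"unsupported AMF0 marker 0x{marker:02x} for {key!r}")
        props[key] = val
        pos += 1                                  # skip property terminator
    return {"name": name, "props": props}

def respawn_candidates(sol, http_cookies):
    """(cookie name, value) pairs whose value is also held in the LSO, i.e. what a site
    needs to respawn the cookie. Values under 8 chars are skipped ('1', 'true')."""
    stored = {str(v) for v in sol["props"].values()}
    return [(k, v) for k, v in http_cookies.items() if len(v) >= 8 and v in stored]

def scan_shared_objects(root):
    """Yield (site folder, path, parsed-or-error) for every .sol under `root`.
    Point `root` at the random-named folder below #SharedObjects; per the comments
    on this page, the next path component is the site that wrote the object."""
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.lower().endswith(".sol")):
            path = os.path.join(dirpath, fn)
            site = os.path.relpath(path, root).split(os.sep)[0]
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                yield site, path, parse_sol(data)
            except ValueError as err:
                yield site, path, {"error": str(err)}

def demo():
    # Constructed sample only: an LSO holding the same identifier a deleted
    # tracking cookie held. All names and values here are made up.
    raw = build_sample_sol("com.example-tracker",
                           {"uid": "u-EXAMPLE1234567", "lastSeen": 1252000000, "optOut": False})
    sol = parse_sol(raw)
    cookies = {"tracker_uid": "u-EXAMPLE1234567", "session": "1"}
    return sol, respawn_candidates(sol, cookies)
```

Run `scan_shared_objects` on a real Flash Player folder to list what each site stored, and feed each parsed object together with the browser's cookie jar to `respawn_candidates` to see which cookies could be rebuilt from Flash storage.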

It gets better

A while ago, I wrote a piece about how Google started using behavioral targeting (BT) after originally saying they wouldn't. In that article, I mentioned the Network Advertising Initiative (NAI), a consortium of approximately 30 companies that use BT technology. Bowing to pressure, the group created an opt-out page making it simple to prevent tracking.

The researchers found that setting the opt-out cookie wasn't enough. Web sites belonging to the NAI created Flash cookies anyway. The report refers to one specific incident:

"We found that persistent Flash cookies were still used when the NAI opt-out cookie for QuantCast was set. Upon deletion of cookies, the Flash cookie still allowed a respawn of the QuantCast HTML cookie. It did not respawn the opt-out cookie. Thus, user tracking is still present after individuals opt out."

Some solutions

To prevent Flash cookies from being stored, switch to the Global Storage Settings tab in the Settings Manager and remove the check for "Allow third-party Flash content to store data on your computer" as shown in the following slide:

That is supposed to prevent Flash cookies from being installed. Ironically, we have to take the word of the Flash Web site.

For the tests, the researchers used Mozilla Firefox. In the report, they mentioned BetterPrivacy, a Firefox add-on that removes all Flash cookies when the Web browser is closed. Another Firefox add-on, Ghostery, raises alerts about hidden scripts that track your Web presence.

Final thoughts

I thought we were past unannounced tracking of our movements on the Internet. If the technology is so innocent, make tracking an opt-in feature.

218 comments
maxatwo

Flash Cookies are not the only kind of browser independent or advanced cookies that are not deleted when clearing the browser's cookies. Silverlight and DOM Cookies join them to store information. MAXA Cookie Manager finds all kinds of cookies and allows automatic management with white and blacklists. See http://www.maxa-tools.com/cookie.php

Deadly Ernest

This only works for the sites where you have Flash enabled. More and more people are disabling Flash by default, as there is so much crap that uses Flash now.

NickNielsen

The default is to "Allow third-party flash content to store data on your computer." So...even though I run Noscript and Adblock in Firefox, I am vulnerable to Flash exploits because Adobe (and Macromedia before them, no doubt!) decided that they could decide what could be saved on my computer? And yes, I know the difference between an exploit and a cookie. But Flash is Flash...

mdhealy

For most of my web browsing I use a copy of Firefox that does not have Flash Player installed. I also have a copy of MSIE with Flash Player, for times when I specifically want the functionality.

Michael Kassner

I have disabled everything I could on the Adobe Flash Web site and all Flash cookies stay away, except mail.google.com. If you use Gmail, could you please check this out. I'm trying to figure out what is different with Gmail. Thanks.

JackOfAllTech

I found the Flash Cookies here: C:\Documents and Settings\{username}\Application Data\Macromedia\Flash Player\#SharedObjects\...\*.sol I have updated my Janitor program to delete these as well.

pandu

... go to "Global Storage Settings", slide the slider to the left ("Never"), and check the box "Never Ask Again"? That in addition to remove the check on "Allow third-party Flash content to store data on your computer"

pgit

Excellent information. I'm getting myself up to speed on what all this implies and pondering what to do about it. (aka how to handle these objects for myself and end users) You are hands down the single most useful presence on this here internet. Keep writing and I'll keep reading... and forwarding your articles to everyone I know with an internet connection.

bus66vw

Does anyone know if you should check your "flash setting manager" after updates? I get the feeling they can change or be dropped during updates.

Jacky Howe

Another good one Michael. I had a play today after reading your Article and some of the responses.

List of Web addresses found:

    03/08/2009 03:28 PM <DIR> acvs.mediaonenetwork.net
    15/06/2009 03:09 PM <DIR> bin.clearspring.com
    26/07/2009 06:52 PM <DIR> cdn.gigya.com
    09/07/2009 06:50 PM <DIR> cdn.lookery.com
    27/06/2009 04:57 AM <DIR> cdn1.ustream.tv
    13/08/2009 04:31 PM <DIR> cdna-video.amgvgt.com
    06/07/2009 06:38 PM <DIR> com.au
    27/06/2009 04:57 AM <DIR> core.videoegg.com
    15/06/2009 07:16 PM <DIR> d.scribd.com
    27/06/2009 04:57 AM <DIR> flash.quantserve.com
    16/07/2009 01:27 PM <DIR> image.com.com
    05/09/2009 02:08 PM <DIR> images.amazon.com
    06/07/2009 06:41 PM <DIR> images.soapbox.msn.com
    09/08/2009 01:43 PM <DIR> include.classistatic.com
    21/08/2009 02:04 PM <DIR> load.tubemogul.com
    08/09/2009 07:54 PM <DIR> mail.google.com
    24/06/2009 02:56 PM <DIR> mcstatic.com
    27/06/2009 05:11 AM <DIR> media.scanscout.com
    15/06/2009 01:20 PM <DIR> news.ninemsn.com.au
    28/06/2009 02:00 PM <DIR> player.stickam.com
    06/07/2009 06:38 PM <DIR> rmd.atdmt.com
    24/06/2009 02:56 PM <DIR> s.mcstatic.com
    05/09/2009 02:21 PM <DIR> s.ytimg.com
    09/09/2009 12:41 PM           0 sol.txt
    15/06/2009 03:14 PM <DIR> static.twitter.com
    18/07/2009 06:47 PM <DIR> video.google.com.au
    03/07/2009 03:42 PM <DIR> www.dailymotion.com
    16/06/2009 08:36 AM <DIR> www.pluggd.tv
    30/08/2009 04:35 PM <DIR> wwwimages.adobe.com

To condense this a bit I removed a few things, but this is a before and after. Taken before going online to the Adobe Flash Player Settings manager and deleting all sites:

    Total Files Listed:
    37 File(s)  3,439 bytes
    194 Dir(s)  18,791,792,640 bytes free

What you see below is what was left afterwards. It doesn't remove everything at all.

    Total Files Listed:
    8 File(s)  23,154 bytes
    23 Dir(s)  18,790,133,760 bytes free

I removed the remainder by running a batch file from the root directory:

    cd "C:\Users\Rob\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NSKRDS7F"
    del /s /q /f *.*

    C:\>cd "C:\Users\Rob\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NSKRDS7F"
    C:\Users\Rob\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NSKRDS7F>del /s /q /f *.*
    Deleted file - C:\Users\Rob\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NSKRDS7F\sol.txt
    Deleted file - C:\Users\Rob\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NSKRDS7F\bin.clearspring.com\clearspring.sol
    Deleted file - C:\Users\Rob\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NSKRDS7F\core.videoegg.com\com.quantserve.sol
    Deleted file - C:\Users\Rob\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NSKRDS7F\core.videoegg.com\#com\videoegg\Demo.sol
    Deleted file - C:\Users\Rob\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NSKRDS7F\core.videoegg.com\#com\videoegg\Tearsheet.sol
    Deleted file - C:\Users\Rob\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NSKRDS7F\core.videoegg.com\#ve\admanager.sol
    Deleted file - C:\Users\Rob\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NSKRDS7F\flash.quantserve.com\com.quantserve.sol
    Deleted file - C:\Users\Rob\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NSKRDS7F\www.pluggd.tv\settings.sol
    C:\Users\Rob\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NSKRDS7F>pause
    Press any key to continue . . .

Edit: formatting

Deadly Ernest

and I don't care what the makers say, if the user has not got total control, it's an exploit.

JCitizen

about why using AdWatch in AdAware, which blocks a lot of cookies, was speeding up my browsing. As deepsand and Jaqui explained to me, the cookies are just text files (not talking about the flash kind). Of course I've known that since Windows 3.1. My argument was - why does blocking them speed the connection? I left the discussion thinking either AdAware blocks the precursor server connections that attempt or accept cookie placement, and this somehow speeds things up, or temp files are placed along with the cookie (that are controlled by the cookie), that gum up my bandwidth with all the server connections going on. Even using CCleaner gives me almost the same benefit; but I set CCleaner to delete temp files, so apparently it is effective that way! Does this make sense?

Michael Kassner

Then, they are not browser-specific. Have you checked?

Jacky Howe

I went to the Flash Player site: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

  • Website Storage Settings: I selected it and moved the slider to the left until it equalled None.
  • Website Privacy Settings Panel: I couldn't tick anything.
  • Global Notifications Settings Panel: I unchecked the box.
  • Global Security Settings Panel: was already set to always ask.
  • Global Storage Settings Panel: unchecked all boxes.
  • Global Privacy Settings Panel: use at your discretion.

I opened gmail. A quick check in my Macromedia folder showed no entries after opening google mail. Back to the Flash Player site and Website Privacy Settings: mail.google.com was there showing 0 KB under limit.

I then tried to find a site that would prompt me to store information on my computer. image.com.com was obliging with a prompt to Allow or Deny: http://image.com.com/gamespot/images/cne_flash/production/media_player/proteus/gs/proteus_embed.swf It didn't do anything when I clicked Deny. So I clicked Allow and then went back to Flash Player management and under Web Storage image.com.com was there with a 10KB limit. Global Storage slider was still showing None. A quick check and there were no entries on my System.

It appears that Gmail has a mind of its own and doesn't prompt you at all. Apart from the reference on the Flash Player site there is nothing on my System. Could it be the fact that you have an account with Gmail and it's set to automatically add the cookie? Website Privacy Settings Panel can only be ticked Always ask if there is an entry. It doesn't appear to work anyway.

JCitizen

I've nearly worn my fingers down thanking Michael, I'm afraid he'll think I'm a metronome soon! :)

Michael Kassner

Wow, written in 2005. Lots of good information. I read that they weren't able to prove respawning. That must be why the UC, Berkeley researchers published their results as they were able to prove it. Thanks for the post.

Michael Kassner

I ran a search using Windows Explorer and it didn't find anything. Yet I had three .sol files. Strange.

Ocie3

those settings will deny any future request to store an LSO on your computer. But you should also go to the Website Storage Settings panel and delete all of the websites (if any) that have already stored their content on your computer.

Bear this in mind, though: every request to store an LSO on your computer is not an attempt to install a "Flash cookie" to track your activities on the web. Many sites just want to store data that they can retrieve on your next visit, to make initialization of the service(s) they provide more rapid and easy to effect.

Pandora.com, for example, is an "internet radio station" where you can compose the station format -- not explicit playlists, for better or for worse -- as you choose. And you can create multiple stations. Pandora stores a 4 KB LSO on my computer to identify me, so that I can always remain logged-on and they don't have to search my account data for the "stations" that I have created. (I have been somewhat acquainted with one of their founders, and he is definitely not someone who would approve of "tracking cookies".)

Note: edited to change "Global" to "Website" in first paragraph.

Michael Kassner

The slider just designates the amount of space you want to dedicate to Flash cookies. I guess, my thought is to not trust the site and use Better Privacy, as it works in the background.

JCitizen

You too, are a valuable member here. I hope you don't mind me dropping your moniker on ZDNet as I respect your opinion a lot more than the dunder heads I meet over there. If this was over stepping my welcome, I shall cease and desist! Of course I like posting Mr. Kassner's links over there too. Gives them a taste of true IT journalism!

Michael Kassner

The subject matter is interesting to say the least. What happens now will also be interesting. Hopefully more consumers will be aware of what is happening.

Ocie3

they have never changed until and unless I change them myself. The settings that I have now are the same as they were before the most recent Adobe Flash Player security updates.

JCitizen

CCleaner had listed in the Adobe objects found, after scanning. It found three different file folder locations. I only had about 5 cookies to clean though.

lars.staurset

Inspired by this article and some of the replies, I searched my PC for *.sol files. The GUI search in Vista is too complicated to use, so I reverted to the good old prompt: c:>dir /s *.sol

The result was 40 hits, not counting one that obviously had another purpose. They were stored in folders whose paths generally included a URL, such as europe.nokia.com. I assume that the URL in each case identifies the originator of the cookie. Most file names were neutral, such as settings.sol or preferences.sol, but the name travelexpense_personalia.sol caught my attention. I opened it in a text editor and found my name, address, birth number (unique national id, similar to social security number), and bank account number, all in clear text!

The path in this case did not contain a "dot.com", but an IP address (213.225.125.209). I looked it up with http://www.db.ripe.net/whois/, but found an unclear reference to a company. A Google search seems to indicate that the company was in marketing, but has disappeared or is renamed. I have no idea as to how they came across my data. Can any accessed website with Flash read any Flash cookie on my computer? If so, my id could be compromised.

I have now deleted the 40 files: C:\>del /s /p *.sol

seanferd

As always, you provide good information.

GyroGearloose

Flash user can configure her player to confirm or reject any attempt to store "flash cookies". In my terms this is "Total Control".

Deadly Ernest

many cookies now are actually third party cookies, and others now grow as they store more and more information. Each time they talk back to base they send the current information with them. And this takes time to transmit, usually very little, but some time, and it varies with the connectivity speed. The biggest slower down is the third party cookies for things like Google Analytics as they require your system to contact the Google server (wherever that is) and exchange information with it. Third party cookies are becoming much more common as web site managers get lazier and lazier in not wanting to manage that aspect from their own server and just settle for having reports sent to them by Google.

NickNielsen

Blocking the cookies also blocks background downloads related to those cookies? I don't know, but that may very well be pretty close to what happens.

MartyL

Taking exception, as I do, to web sites having their way with My Computer, I removed all the .sol folders and files I could find, then waited for them to repopulate. When I saw them begin to reappear, I edited the few that were there and replaced text at random. Now I have one .sol file in the entire hierarchy - and no .sol files anywhere else. All I have now are folders corresponding to some of the web sites I've visited.

Michael Kassner

That is what I found as well. I will have to check out my Google EULA again.

pandu

Hmmm... after setting the Global Setting slider to "Never" and checking "Never ask", now I never have *any* LSO when browsing around - Good. BUT... Strangely, checking the "Website Storage Settings" on Adobe's site shows exactly 1 (one) LSO from Gmail... its size is -- (dash), which I assume is 0 KiB. Hmm...

Michael Kassner

That is what they are doing? That's the part that bothers me.

pandu

... the slider there determines how much space a site is allowed to store LSO. If a site requests to store an LSO larger than the slider's setting, Flash would ask for confirmation from the user. Clicking "Never ask" automatically denies that request, and the LSO must be stored using the allotted space. Moving the slider leftmost means no space is by default allotted to new LSOs. Couple that with "Never ask", means no site will ever be allowed to store any LSO. Of course that's what Adobe said -- if you can trust them :) That said, I agree to add an additional layer of protection using BetterPrivacy.

pgit

Likewise I appreciate your input. Lots of thinking going on around these parts, that's what I had hoped for signing up here and at zdnet. About all I get over there is a headache from the incessant window-Linux smack downs. Amazing how just about any article over there ends up in a fight. Tech Republic rocks! I set up my TR flag everywhere I go before I do any work. =D

Michael Kassner

Good to know. I wasn't aware of the Adobe site until I started researching this article.

Michael Kassner

I missed your point. Can you enlighten me, must be having another brain fart.

santeewelding

I took that route: 9 files; 2,073 bytes deleted.

Michael Kassner

I certainly appreciate you sharing your experience. I did read that one company's Flash cookies can work on more than one Web site in the report. That was the second quote, I think. I will try to find a for sure answer for you. I checked out the domain. Would a company have coziba.com as an e-mail domain?

Jacky Howe

and between you and Michael, have provided me with a wealth of information. You're doing OK yourself. ;) That check was performed on my W7 System. Some interesting sites in there. ;)

GyroGearloose

I fail to see the risk from Flash cookies in general. At the same time they offer a great deal of convenience and flexibility. See broadbandspeed tester. It keeps your past results in a flash cookie for YOU to compare. But, I totally agree with your point on websites: It only seems fair for web sites to declare how they use cookies. BTW: The speed tester makes no mention. I trust it leaves the cookie content on your computer. Your son could have saved time and used Flash player configuration instead of a 3rd party application. Note: There is nothing dodgy about this config being on a website. The website is to ensure that all controls are accessible. Why? The player has no chrome for this. And the size of the Flash window is defined by the application and could be too small for the controls.

Deadly Ernest

it auto accepts and runs on receipt of the Flash File - why does it take a third party application to stop Flash from auto downloading and give you play control of the file and the embedded player? Nowadays I use Linux and have these controls by using a non genuine Flash player, but my son is using Windows and, in a recent rebuild, he bitched about the time needed to download and install the extra third party software to give him controls of things like that. He wasn't even aware Flash had cookies until I told him. The web site should tell you if it uses cookies, and it should give you an option to not use them - but we aren't going to see that happen as it requires more work by lazy designers - which is the vast majority of web site designers. The next level of protection should be the operating system or the browser controlling all cookies, flash or otherwise, but we won't see it in Windows as it gives the user control, something MS don't want, and we already see some control in FF and other browsers, even MS followed on that one when they saw they had little choice if they wanted to keep people using MSIE.

JCitizen

the flash downloads, despite the disagreements to use or privacy. Perhaps I'm too loose on giving away trade information for trusted companies. What would have made me truly angry was if my malware apps were ducking out on me. I've always suspected Lavasoft was copping out despite a former founder making the same claims. All I had to do was gauge performance. I can't be too mad at Lavasoft, because they've basically replaced Safernetworking's SS&D for my clients, and done a better job of it. I've always considered their emails worthless, however.

JCitizen

I think CCleaner is removing them, and MBAM is somehow blocking some of the respawn. Although I wouldn't know how! They say that utility was developed by a former Microsoft MVP, you don't suppose he took the source code with him, do you? In his personal memory of course, just enough to get around in the NT7 kernel? Or is that 6.1? ;)

JCitizen

Thanks for your contribution here!

Michael Kassner

Well, then Pandora has the right to plant Flash cookies. Thanks for looking.

Ocie3

is at http://www.pandora.com/privacy/ . It is a bit different, I think, than when last I read it -- though I just read the summary at the start of "Pandora's Privacy Policy and Terms of Use" during this visit. The summary does not specifically mention "tracking" activity from website-to-website, with one exception:

"If you come to Pandora directly from a partner site, we may share your information back with the partner that sent you to Pandora. If that's the case, we'll tell you onscreen that we're going to do so. Other than that one case, we won't share any information that identifies you as an individual with any other third party. Not ever."

In the past 10 years or so, I've never seen such a notice displayed. But what the "partner site" can do with that data in terms of web-wide tracking does appear to be a hole in their otherwise respectful privacy policy. Since I have configured Sunbelt Personal Firewall to remove the "referrer" data from packet headings, I don't believe that any website can determine the previous website that I visited. Pandora also states that they never disclose e-mail addresses to anyone else.

There is, or used to be, a specific description of their use of cookies, and of Flash Player objects, in the "Help". But I could not find it in a quick survey of the documentation that is currently available, only statements that allowing (HTTP) cookies and using Adobe Flash Player are "system requirements". Their documentation is quite detailed and voluminous, and there is no search feature available that I could find, but the topic tree is quite usable.

Jacky Howe

how long it would take anyone to realise that image.com.com belongs to CNET. I checked a System that is used by one of my Sons and it has a lot more web addresses that are involved in this type of behaviour.