Flash Cookies? What are Flash Cookies?

Life as a support pro requires that one be versed in a little bit of everything. Put on your Security hat: there is a new threat to users' privacy.

----------------------------------------------------------------------------------------------------

I have to say up front that I'm not really that fastidious about keeping my browser clean. That doesn't mean that I'm surfing adult sites or anything, I just don't spend a lot of time worrying about cookies or Web advertising.

The idea that companies might be tracking where I go online used to bother me more, I guess, when the idea of monetizing the Internet started to take off a few years ago. Frankly, there are a lot of things available on the Web right now that I can use and enjoy because they are supported by advertising. So, if putting a cookie or two on my browser helps to keep those sites running, I say go right ahead. (I also tend to feel like my browser doesn't perform as reliably when extended with ad-blocker plug-ins, but that's a post for another time.)

A recent Wired article turned me on to a new tool for Web advertising, though -- something I hadn't heard about before, something that I'm less comfortable with. There is a new way to track a user's Web habits, something colloquially known as a Flash Cookie.

Turns out that Web site operators can use Flash applets embedded on their site to write information into a preference file stored on the computer that visits the site. One thing this preference file can be used for is recreating a browser cookie that may have been deleted or storing other tracking information. The idea of using Flash as a means of hiding a tracking cookie on a machine bothers me because it is insidious. There are clear interfaces built into Web browsers for managing regular cookies, and users can delete or reject them as they choose. Flash Cookies are hidden in user libraries and preference files, and to manage them you have to burrow into Adobe's support site to find the applet that will manage the privacy settings for the Flash Player installed on your computer. Did you catch that? To manage the privacy settings of a program installed on your computer, you have to go to an external Web site. That bothers me on a fundamental level. I should be able to manage the software on my computer using tools on my computer, without having to go to a vendor's Web site.

Because Flash Cookies use preferences written elsewhere on the computer, they aren't tied to a single browser. I visited the Adobe page containing my Flash privacy settings with 2 different browsers and saw the same list of sites that are storing information on my machine. So, in that way, Flash Cookies are even better than regular browser cookies for advertising use, because they can affect every browser you have installed. A Flash Cookie could identify you to an advertiser, even if you've never visited the site with this specific browser before!

I don't choose to block Web ads, and I don't aggressively delete cookies, but I have users frequently ask me how to do so. People are right to be concerned about their privacy. When people delete cookies, I believe that they should be able to count on them staying deleted and not being recreated from information stored by Flash. If you have clients who are concerned about how their browser usage may be being tracked or who are interested in seeing fewer ads, I believe that you should start including Flash Cookies in your support interactions. I found that my computer was storing more than I had anticipated.

To take a look at the Flash Cookies your computer is storing, click here.

For a more detailed--and technical--discussion of this issue, check out Michael Kassner's excellent post over in the TechRepublic Security blog.
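As an added example (not code from the original post or from Adobe), the Python script below lists which sites have stored Flash Cookies under a given home directory, independent of any browser. The three relative paths are Flash Player's well-known default per-user storage locations, which the post does not spell out; the domains and the `ABCD1234` directory in the sample data are constructed.

```python
import sys
import tempfile
from pathlib import Path

# Well-known default per-user locations of Flash Player's "#SharedObjects" store.
CANDIDATE_ROOTS = [
    "AppData/Roaming/Macromedia/Flash Player/#SharedObjects",      # Windows
    "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    ".macromedia/Flash_Player/#SharedObjects",                     # Linux
]


def find_flash_cookies(home):
    """Map each storing domain to [(path, size), ...] for one home directory.

    On-disk layout: <root>/<random id>/<domain>/[site path/]<name>.sol
    """
    found = {}
    for rel_root in CANDIDATE_ROOTS:
        root = Path(home) / rel_root
        if not root.is_dir():
            continue
        for sol in root.rglob("*.sol"):
            parts = sol.relative_to(root).parts
            if len(parts) < 3:  # need <id>/<domain>/<file>
                continue
            found.setdefault(parts[1], []).append((sol, sol.stat().st_size))
    return found


def summarize(found):
    """Return sorted (domain, file_count, total_bytes) rows."""
    return sorted((d, len(f), sum(s for _, s in f)) for d, f in found.items())


def build_constructed_home(base):
    """Constructed sample profile with hypothetical domains, for an offline run."""
    store = Path(base) / CANDIDATE_ROOTS[2] / "ABCD1234"
    samples = {"ads.example/tracker.sol": 32, "video.example/player/prefs.sol": 12}
    for rel, size in samples.items():
        (store / rel).parent.mkdir(parents=True, exist_ok=True)
        (store / rel).write_bytes(b"\x00" * size)
    return Path(base)


if __name__ == "__main__":
    home = sys.argv[1] if len(sys.argv) > 1 else build_constructed_home(tempfile.mkdtemp())
    for domain, count, total in summarize(find_flash_cookies(home)):
        print(f"{domain}: {count} file(s), {total} bytes")
```

Pass a real home directory as the first argument, and run it once per profile directory to audit a multi-user machine. Deleting the listed `.sol` files removes the stored data.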

47 comments
HardlyNoticable

Come on guys... wouldn't it be GOOD if your habits were tracked? I mean, if they are going to show you ads anyway (and let's face it, they ARE), wouldn't it be good if the advertisers knew enough about you that they were actually able to show you ads you may actually be INTERESTED in? I mean, I look forward to the day that advertisers know enough about me that they'll never again try to sell me tampons or feminine hygiene products (I'm male) or many of the other utterly inappropriate things that I'm regularly advertised. One of the things that I like about online advertising is that there is the possibility of having ads actually be something USEFUL, that I may actually WANT. As far as I'm concerned, this stuff is all good and I can't wait for it to get better. I wish there was a way that I could opt into some kind of network that analyzed my habits so well that it started anticipating my needs before I even knew I had them. Now THAT would be useful.

f1087

Many thanks for the info re flash cookies. Very interesting - and a bit scary

timebrat

In the Facebook and Twitter age, it's getting harder and harder to find ways to stay private, if you want to. Do these companies feel we don't want privacy because we'll post everything about ourselves anyway? If they just ask we'll likely tell them what they want to know. We still want to be asked. When did the internet go from a great idea of sharing information (by choice) to nothing more than digital stalking?

JCitizen

but with today's exploit vectors, why take a chance? Advertisements are about 75% of the vectors malware use to get on my machine; or attempt to, that is* ]:)

lazaurus

Personally, I feel that they are just another "open door" for hackers to exploit. Like so many other "new ideas"; ie: enhancements, introduced over the years, they all "seem" to end up being "addressed" on a 'Patch Tuesday' as another security risk.

johnphodges

Although running ubuntu 9.04, I was alarmed by this report. I checked the Flash Cookie presence and was relieved to find none.

jraz

I have to agree with William about this. I too don't mind the ads as they keep the internet relatively free. But this is the first time I have heard of this and it annoys me that it hasn't been exposed very much. Why aren't people talking about this? Can this be used as another way to exploit us via malware?

michaelkolynych

Have you any idea of how flash cookies affect performance of the browser?

Richard Noel

How am I supposed to manage these settings for all the users on my terminal servers?

KI4QFL

Access a website, to remove cookies, on your PC. I agree that does not sound like a good idea.

Shergill

Thank you. For someone who deletes temp files about 3 times a day, I found a lot of cookies.

williamjones

There are tons of ways companies try to gather information about Internet users, and almost as many tools to evade them. What are some of your favorite utilities for protecting your online privacy?
