Life as a support pro requires that one be versed in a little bit of everything. Put on your security hat: there is a new threat to users’ privacy.


I have to say up front that I’m not really that fastidious about keeping my browser clean. That doesn’t mean that I’m surfing adult sites or anything, I just don’t spend a lot of time worrying about cookies or Web advertising.

The idea that companies might be tracking where I go online used to bother me more, I guess, when the idea of monetizing the Internet started to take off a few years ago. Frankly, there are a lot of things available on the Web right now that I can use and enjoy because they are supported by advertising. So, if putting a cookie or two on my browser helps to keep those sites running, I say go right ahead. (I also tend to feel like my browser doesn’t perform as reliably when extended with ad-blocker plug-ins, but that’s a post for another time.)

A recent Wired article turned me on to a new tool for Web advertising, though — something I hadn’t heard about before, something that I’m less comfortable with. There is a new way to track a user’s Web habits, something colloquially known as a Flash Cookie.

Turns out that Web site operators can use Flash applets embedded on their site to write information into a preference file stored on the computer that visits the site. One thing this preference file can be used for is recreating a browser cookie that may have been deleted or storing other tracking information. The idea of using Flash as a means of hiding a tracking cookie on a machine bothers me because it is insidious. There are clear interfaces built into Web browsers for managing regular cookies, and users can delete or reject them as they choose. Flash Cookies are hidden in user libraries and preference files, and to manage them you have to burrow into Adobe’s support site to find the applet that will manage the privacy settings for the Flash Player installed on your computer. Did you catch that? To manage the privacy settings of a program installed on your computer, you have to go to an external Web site. That bothers me on a fundamental level. I should be able manage the software on my computer using tools on my computer, without having to go to a vendor’s Web site.

Because Flash Cookies use preferences written elsewhere on the computer, they aren’t tied to a single browser. I visited the Adobe page containing my Flash privacy settings with 2 different browsers and saw the same list of sites that are storing information on my machine. So, in that way, Flash Cookies are even better than regular browser cookies for advertising use, because they can affect every browser you have installed. A Flash Cookie could identify you to an advertiser, even if you’ve never visited the site with this specific browser before!

I don’t choose to block Web ads, and I don’t aggressively delete cookies, but I have users frequently ask me how to do so. People are right to be concerned about their privacy. When people delete cookies, I believe that they should be able to count on them staying deleted and not being recreated from information stored by Flash. If you have clients who are concerned about how their browser usage may be being tracked or who are interested in seeing fewer ads, I believe that you should start including Flash Cookies in your support interactions. I found that my computer was storing more than I had anticipated.

To take a look at the Flash Cookies your computer is storing, click here.

For a more detailed–and technical–discussion of this issue, check out Michael Kassner’s excellent post over in the TechRepublic Security blog.