Flash Cookies: The Newest, Secret Way to Invade Your Privacy

| How-To

Many users periodically purge their cookies in browser settings to prevent tracking. However, the industry, with the help of Adobe Flash, has found a way to store a new kind of cookie that can't be managed by a browser. They're much bigger, up to 100 KB, and can even reconstruct conventional cookies after they've been deleted. Here's the background and how to block them.

A study at the University of California, Berkeley, released on August 10, 2009, entitled, "Flash Cookies and Privacy" revealed that many popular websites are using "Flash Cookies" to circumvent privacy practices by users with conventional cookies.

The abstract said: "We find that more than 50% of the sites in our sample are using flash cookies to store information about the user. Some are using it to 'respawn' or re-instantiate HTTP cookies deleted by the user. Flash cookies often share the same values as HTTP cookies, and are even used on government websites to assign unique values to users. Privacy policies rarely disclose the presence of Flash cookies, and user controls for effectuating privacy preferences are lacking."

The research team found that Flash Cookies are preferable because they can better track a user's habits, can't be managed by a browser, and have no expiration date.

In order to manage your Flash Cookies, you must go to an Adobe Website which, in turn, interacts with Flash on your Mac or PC to set preferences. It's under the heading of "Flash Player Help" and can easily be overlooked as a page that actually manages Flash on your own computer.

For example, you can see your Flash cookies in the "Website Storage Settings Panel." it's on the upper left. Doing so, I found that I had about 160 of these Flash Cookies that I had no knowledge of.

 

Flas Cookies list

Website Storage Setings; Your list of Flash Cookies

You can delete them all the with "Delete all sites" button, but that doesn't prevent them from recurring. To permanently block them, you must go to "Global Storage Settings Panel."

Flash Cookies control

Global Storage Setings Panel: Block Flash Cookies

Uncheck the box that says, "Allow third-party content to store data on your computer." Note that this may reduce the functionality of Flash in the future.

There has been a lot of discussion about this practice in the last month. Not only does the practice violate the spirt of user control over cookies, but, worse, the practice has been lurking, unseen, unknown, until the UC Berkeley report.

In one instance, the researchers found a case where, "at least one site used a Flash cookie even when the user had opted out of tracking through the Network Advertising Initiative's opt-out cookie," as explained by Wendy Davis at the The Daily Online Examiner.

Clearly, some websites will use this secret technology track your habits for their own ends even if you thought you opted out and exercise what you think is due diligence with conventional cookie handling.

One has to wonder if this is yet another reason why Flash has left a bad taste in the mouth of Steve Jobs.

Sign Up for the Newsletter

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday.

25 Comments Leave Your Own

Mike Weasner

I have or rather had) those annoying Kontera pop-up links disabled but they keep coming back.  I go to their web site and disable them.  But when I come back to this article, they are enabled again.  I wonder if they are using Flash Cookies (which I disabled).

Yahtzee

Dude! Thanks for posting this.

Lee Dronick

John, thank you very much for this post.

I deleted all those damn Flash cookies, there was even one from .me!

I thought that I hated Flash before

Nemo

John:  Thanks.  This is tremendously useful and, I believe, little known information.  I am handing this info to friends and our IT Administrator.  But you should look at the other settings in the Settings Manager.  Flash, according to what is there, can also be used by third parties to gain remote access to the camera and microphone on your computer; it can also allow some websites to access information about other sites that you visit by using an older system of security.  I think that your readers would benefit by reviewing all of the settings in the Settings Manager to determine whether the default settings are consistent with their security policies.

And let’s hope that audio and video capabilities of HTTP5 put a quick end to Flash or at least begin the end of Flash.

Islandgirl45

I’m having a problem with Flash Player that involves the Global Storage Settings in a slightly different way.

Frequently, when I’m viewing a page with a video like the the Daily Show on Comedy Central it shows as a gray box with an error message that reads:“User must allow third-party flash content.” To do that, the message directs you to: Flash Player storage

But when I try to adjust storage levels, the level I choose keeps sliding back to default. This occurs in both Firefox 3.5.3 and Safari 4.

As a result, I keep getting the storage adjustment message and some videos like the Daily Show just won’t play. I’ve filed a bug about Flash with Adobe and their tech person didn’t know why this is happening. I’m running 10.4.11 but others who have encountered the same bug are using 10.5.

CrazyHarry

I really appreciate this info, but you really should warn people that doing this breaks Flash functionality.  I just spent 10 minutes wondering why a video on the WSJ wouldn’t play, when it dawned on me that following your advice broke Flash.

jragosta

If any politician would promise to implement the death penalty for spammers and people who implement crap like these Flash cookies, I would vote for them in a heartbeat.

Lee Dronick

I really appreciate this info, but you really should warn people that doing this breaks Flash functionality.

That is good, Flash needs to go away.

I just spent 10 minutes wondering why a video on the WSJ wouldn?t play, when it dawned on me that following your advice broke Flash.

Did you pay Murdoch’s subscription fee smile

CrazyHarry

CrazyHarry said: I really appreciate this info, but you really should warn people that doing this breaks Flash functionality.
That is good, Flash needs to go away.

Don’t be a nuckfut.  Flash is a pain, but it is also currently a major tool for accessing a lot of content on the web.  If Macobserver is going to give people advice about how to configure software on their computers, then they ought to inform the readers of the full consequences and let individuals decide for themselves which is more important to them, privacy or being able to access content on the web.

date="1253212738">

Did you pay Murdoch?s subscription fee

Why is that your business, nuckfut?

Lee Dronick

Why is that your business, nuckfut?

See this MacObserver story Wall Street Journal

Most websites deliver content without the putting the burden of Flash on their visitors, adverts not withstanding. I stand by my statement; Flash needs to go away.

John Martellaro

Calm down fellas.  I added a warning in the article.  Let the buyer decide and beware.

Lee Dronick

Okay, I just had a lemonade and am cooled down a bit.

Question, if the 3rd parties were storing stuff on our computers, where is located? Maybe we could do a folder action to trash the contents or at least alert the user when something is put in there.

Carl

I ran across the whole flash cookie thing a few months back. What I found is that if I change the Adobe settings to not allow any local storage then it results in blocking flash that I want to see at some sites. So I have just been deleting the flash cookies.

If use Finder and look here:

~/Library/Preferences/Macromedia/Flash Player

You will find a #SharedObjects folder that contains a sub-folder of a random name. Delete all the files in that folder.

I have also noticed a macromedia.com folder in the same location as #SharedObjects. Drilling down to the support >> flashplayer >> sys folder I see that sites store their settings there. While not technically cookies, you may want to delete all or some of these as well.

There are some Firefox add-ons such as Better Privacy:

https://addons.mozilla.org/en-US/firefox/addon/6623

which will automatically delete flash cookies if you desire but I have not found anything similar for Safari yet. (although it may be out there)

Carl

It looks like Safari Cookies may do this to but I haven’t tried it yet:

http://sweetpproductions.com/safaricookies/index.htm

Dean Lewis

Besides being added to the article, the Adobe settings pages the article links to also warn that certain settings will mean losing functions on some sites. Turning all the features off just to see which sites are saving information without disclosing they are can be pretty enlightening in and of itself.

Lee Dronick

Thanks Carl

I looked in those folders and there was a lot of stuff in from sites that I never visited, they look like ads. Of course there were items from sites that I did visit.

I added a folder action to them and will see how that works out.

Lee Dronick

Turning all the features off just to see which sites are saving information without disclosing they are can be pretty enlightening in and of itself.

Well the folder action I applied warns me that something was added when I opened this page. It was an empty folder.

Lee Dronick

Hmmm, if i leave the empty folder in the #SharedObjects folder then refresh this page then nothing gets added.

Russell

It looks like Safari Cookies may do this to but I haven?t tried it yet:

http://sweetpproductions.com/safaricookies/index.htm

I am the Dev for Safari Cookies, and while there is no support for managing the Flash cookies, there is an option to remove all Flash cookies when Safari is quit.

John Martellaro

Thanks for letting us know, Russell!

-JM

Nemo

Dear Russell:  I just explored the preferences for Safari 4.0.3, running on Snow Leopard, but I couldn’t find any option that explicitly addresses removing Flash, LSO, cookies.  Would you or anyone please describe the procedure for having Safari remove LSO cookies, when it quits?

Thanks for your help.

Russell

You need to install my plugin Safari Cookies, available here: “http://sweetpproductions.com/safaricookies/index.htm” and select the option to remove all Flash cookies.
(if you are running Snow Leopard, you will need to follow the instructions on that site to enable Safari Cookies”

Dear Russell:? I just explored the preferences for Safari 4.0.3, running on Snow Leopard, but I couldn?t find any option that explicitly addresses removing Flash, LSO, cookies.? Would you or anyone please describe the procedure for having Safari remove LSO cookies, when it quits?

CrazyHarry

See this MacObserver story Wall Street Journal

Most websites deliver content without the putting the burden of Flash on their visitors, adverts not withstanding. I stand by my statement; Flash needs to go away.

O.K., I’ll try to be a little more civil while carrying the debate forward.

Harry, I am going to blow your mind.

I also install another really crappy piece of software, Real Player, on my Mac solely so I have the ability to PAY $6.95 a month to watch BBC World News.  Are you going to argue that because you don’t like crappy software, Real Player should go away?  Or, that because you don’t think people should be allowed to charge for their content, that I shouldn’t be allowed to watch the BBC? 

Flash is crap, but I choose to install it any way.  Why should that bother you?

Nemo

Dear Russell:  Thanks for the information, but since I am running Safari in its default 64-bit mode, I will wait until you update Safari Cookies to run in 64-bit mode.

Russell

here it is:

http://sweetpproductions.com/safaricookies/updates/updates.htm

Dear Russell:? Thanks for the information, but since I am running Safari in its default 64-bit mode, I will wait until you update Safari Cookies to run in 64-bit mode.

Log-in to comment