FTC Takes a Critical Eye to Adobe Flash Cookies

| News

The U.S. Federal Trade Commission has started looking into how Adobe Flash stores cookies on user’s computers and has been questioning the company on why they don’t honor Web browser privacy controls, according to paidContent. Instead of complying with user preferences for standard Web browser cookies, Flash cookies are managed through the Adobe Web site via difficult to find Web pages.

“The issues have to do with uses of Flash for tracking, Flash cookies for example,” FTC chief technologist Ed Felten said. “As of today, when you use the privacy controls in your browser, they don’t directly affect the treatment of Flash local shared objects.”

Local shared objects is the term Adobe uses to identify Flash cookies, or the files Web sites store on your hard drive to perform tasks like tracking your browsing activity or remembering you login information.

For its part, Adobe representatives claim that local share objects weren’t intended to be used for tracking, and that it has “repeatedly stated publicly that we condemn such practices because they clearly circumvent the user’s expressed choice.”

One issue of concern is that managing Flash privacy settings isn’t intuitive because users must visit the Adobe Web site to make changes and delete unwanted cookies. In comparison, standard cookies can be managed and deleted in Web browsers.

Adobe representatives pointed out that browser-based Flash privacy management is available in Google’s Chrome. Other main stream browsers, such as Apple’s Safari and Microsoft’s Internet Explorer, however, can’t manage Flash privacy settings.

Mr. Felton added “There are some other issues with Flash, which I suppose we could address at another time.”

Interested in learning more about Flash privacy and security issues? Check out what TMO’s John Martellaro had to say on the topic.

Sign Up for the Newsletter

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday.

Comments

Lee Dronick

For its part, Adobe representatives claim that local share objects weren?t intended to be used for tracking, and that it has ?repeatedly stated publicly that we condemn such practices because they clearly circumvent the user?s expressed choice.?

Well then why do you allow the practice?

Click here to manage your Flash cookie/security settings

Bosco (Brad Hutchings)

It’s no different than the local database support that (the more far-reaching thing is commonly labeled under the umbrella of) HTML5 adds. If there is going to be persistence for web applications, then some developers are going to use the persistence mechanism for tracking.

For example, let’s say you could play an online version of a game Angry Birds. You’d like it to remember what levels you’ve completed. It can remember these things without setting up an explicit account on a site using a local persistence system, whether that be in Flash, HTML5 database, a cookie, etc.

Lee Dronick

It?s no different than the local database support

Yes it is.

Bosco (Brad Hutchings)

Yes it is.

OK, whatever. I should have figured that would be the anti-Adobe spin put on it, despite the fact that the mechanisms do exactly the same thing by enabling local persistence for web applications and have the same potential for “abuse” by marketers using them for tracking.

ibuck

Another reason to dump Flash fast.

It’s unfortunate that ordinary, non-technical people can’t easily control their privacy. It would be great if those who want to avoid the unmitigated mess that is Flash could register their disapproval on web sites that use it, and be counted along with hits on that page.

Lee Dronick

It?s unfortunate that ordinary, non-technical people can?t easily control their privacy

Yup, if the databases were stored locally, then can more easily be managed from the browser preferences.

Bosco (Brad Hutchings)

Yup, if the databases were stored locally

They are.

John Dingler, artist,

Hi Ibuck.
The need for local control by normal users is exactly the point, and it seems to me that Safari developers could make it so if Adobe allows Apple access to the method.

And to everyone,
Facebook delivers three cookies to my instance of Safari even though I neither have a Facebook acct. nor do I visit it. I don’t what to know why Facebook is spying on and collecting my reading habits; I just want it Facebook to stop this unauthorized activity.

BurmaYank

“It?s no different than the local database support that… HTML5 adds. If there is going to be persistence for web applications, then some developers are going to use the persistence mechanism for tracking.”

“Yes it is” (different).

OK, whatever. I should have figured that would be the anti-Adobe spin put on it, despite the fact that the mechanisms do exactly the same thing by enabling local persistence for web applications and have the same potential for ?abuse? by marketers using them for tracking.

Even though Brad may be correct about the idea that both Flash cookies and everyone else’s cookies accomplish exactly the same thing “...by enabling local persistence for web applications…”, Sir Harry is nevertheless also correct (& Brad is incorrect in ignoring/denying the article’s point) that the mechanisms to manage the accomplishment of this are very intrinsically different:

“...when you use the privacy controls in your browser, they don?t directly affect the treatment of Flash…? cookies, the way those (non-Chrome) browser privacy controls do. Instead, to manage Flash “local shared objects” privacy settings, users “...must visit the Adobe Web site to make (online!!!) changes and delete unwanted cookies. In comparison, standard cookies can be managed and deleted in Web browsers.”

Bosco (Brad Hutchings)

Actually, Brad isn’t as incorrect as BurmaYank thinks. Brad is just thinking ahead to when “HTML5-compliant” web browsers all include a SQLite database for supporting local persistence. You’ll pretty much need to be a DBA to manage your security effectively grin.

Lee Dronick

Facebook delivers three cookies to my instance of Safari even though I neither have a Facebook acct. nor do I visit it. I don?t what to know why Facebook is spying on and collecting my reading habits; I just want it Facebook to stop this unauthorized activity.

How do you have your cookies set? Are you allowing 3rd party cookies? If not then Facebook cookies should not be set. Anyway, I use and recommend Sweet Production’s Safari Cookies. This handy plugin lets you easily manage cookies and locally stored databases.

John Dingler, artist,

Hi Harry,
Visited the Adobe link you provided to enter my preference. Thanks. I see no reason why Safari can’t have the method in its own preferences pane.

John Dingler, artist,

Hello Harry,
I hope my setting the “Accept Cookies” to “Only from sites I visit” will do the trick to block Facebook as well as other aggressively intrusive sites from installing their cookies or other spy methods not currently known. 

Let’s call it what it truly is; It’s spying.

Thanks again.

Bosco (Brad Hutchings)

Actually John, it’s not spying. It’s how Facebook integrates the ubiquitous “Like” button that millions of people happily use across the network. You don’t have to participate, and are free to block the mechanisms of such services if you are so inclined. But please don’t ruin things for people who enjoy these services or ascribe nefarious intent or action where there is none.

ibuck

I agree with John Dingler. It’s spying unless the site specifically asks you to “Opt In” to sharing your personal info.  LinkedIn is an example of an Opt In database.

Opt Out is not sufficient, in my view, nor are the practices of (to say nothing of their actual existence) commercial firms that maintain databases of personal info (name, age, address, phone, income, employers, buying or giving habits, browsing habits, etc) and sell the dossiers and/or mailing lists of those who did not specifically Opt In and permit sales of their personal data.

jbelkin

This is why Adobe is hated by everyone because they are either stupid or don’t care - Adobe Flash is like MERCURY, useful for industry in mining but then just dumped into the groundwater - that’s Adobe’s attitude towards consumers - they’re happy to sell $5k packages to programmers who make their life easier but for us, who cares? We’re just dumb consumers who shold bow before them. Adobe flash is the REAL NETWORKS of the 21st century and should be deleted ASAP.

Jason

How do you have your cookies set? Are you allowing 3rd party cookies? If not then Facebook cookies should not be set. Anyway, I use and recommend Sweet Production?s Safari Cookies. This handy plugin lets you easily manage cookies and locally stored databases.

Thanks for the tip on Sweet Production’s.  I’ve been monitoring cookies but wasn’t aware of the flash cookies, purged 350 from my OS.  Now I have my favorites set and don’t have to keep changing preferences when a site requires cookies only to delete them when I leave.

alannala

another option for mac users is to simply change the macromedia files to read-only.  Use “get info” right click and change all the sub files in macromedia folder to read only.  Seems to work, i don’t have any .sol files since i did that.

Log-in to comment