Adobe Closes Door on Flash Cookie Abuse

Prompted by privacy advocates, lawsuits, and websites that have abused the local storage capability of Adobe’s Flash, the so-called Flash Cookies, Adobe announced on Wednesday that it’s working with browser makers to give users more visible control over their Flash Cookies.

Adobe’s Emmy Huang posted a note in the Flash Blog titled “On Improving Privacy: Managing Local Storage in Flash Player.” After explaining the reasoning and advantages of a minimal amount of local storage for Flash, the blog described how some websites have abused the local storage objects (LSOs) to restore HTTP cookies that the user thought had been deleted. “This use of local data storage has raised questions about privacy. So we’re continually working to make sure that users have better control over the local data stored by applications running in Flash Player.”

Class-action lawsuits against Clearspring, Specific Media, and Quantcast have been brought for allegedly misusing Flash Cookies to track customers and violate their privacy.

Flash Cookies and their potential for abuse were first documented by researchers at the University of California, Berkeley in a paper entitled “Flash Cookies and Privacy” in August 2009. The Mac Observer described the issues and how to block them in September 2009.

According to Adobe:

“Most recently, we’ve been collaborating with browser vendors to integrate LSO management with the browser UI. The first capability, one that we believe will have the greatest immediate impact, is to allow users to clear LSOs (and any local storage, such as that of HTML5 and other plugin technologies) from the browser settings interface—similar to how users can clear their browser cookies today. Representatives from several key companies, including Adobe, Mozilla and Google have been working together to define a new browser API (NPAPI ClearSiteData) for clearing local data, which was approved for implementation on January 5, 2011. Any browser that implements the API will be able to clear local storage for any plugin that also implements the API.”

Apple’s Safari takes advantage of changes in Flash Player 10.1.

“The ability to clear local storage from the browser extends the work we did in Flash Player 10.1, which launched with a new private browsing feature integrated with the private browsing mode in major browsers, including Google Chrome, Mozilla’s Firefox, Microsoft’s Internet Explorer, and Apple’s Safari. When you are in a private browsing mode [emphasis by TMO] session in your browser, Flash Player will automatically delete any local storage that was written by websites during that browser session once the browser is closed.”

While the Federal Trade Commission (FTC) has previously expressed concern about abuses, the agency has not yet taken action. It’s possible, however, that the class-action lawsuits have accelerated Adobe’s interest in making the control of Flash Cookies more transparent to browser users.