Ever since consumers started gaining access to the internet, cookies have been controversial. They have a lot of legitimate uses, such as helping websites remember that you’re logged in. On the other hand, privacy campaigners have often voiced concerns about ad networks using cookies to gain information about your surfing habits. Although browsers will let you disable regular cookies completely if you want, this doesn’t keep sites from storing a more sophisticated type of cookie on your computer…

How is it possible that sites can still track you even if you’ve disabled cookies? The answer lies within a browser plugin that is installed on approximately 99.0% of Internet-enabled computers worldwide: Flash. In version 6 of the popular plugin, something called Local Shared Objects was introduced. This allows websites to store a small amount of data on your computer. But hey, wait a minute… that sounds an awful lot like the concept of cookies.

There are three major reasons why we should be cautious with Flash cookies:

  • By default, every website is allowed to use up to 100kB of storage on your computer. Regular cookies are limited to 4kB. That may not sound like a lot of space these days, but that’s huge in cookie terms.
  • Flash cookies never expire, unlike regular cookies.
  • Even when you opt out of cookies entirely in your browser’s preferences, Flash cookies can still be set unless you disable Flash entirely.

Calm down
Don’t panic. Flash cookies will not send your social security number to criminals or anything like that, but it is important that you understand what they could be used for so that you can make an informed decision about them.

Let’s have a closer look at a common “evil” use of cookies in general: marketing. Sites A, B and C display ads from ad network X on their pages. If you go to site A, for example, the ad network can place a cookie on your computer that contains the URL you just visited. As you go from site to site, perhaps including sites B and C, the network can collect the URLs of the pages that display its advertising to generate an anonymous profile about you, containing such information as your interests, political orientation, beliefs, age and the region where you live.

So basically Flash cookies do what regular cookies do too, except that Flash cookies can contain more data and never expire. If that doesn’t sound bad to you, Flash cookies are nothing to worry about.

Finding your Flash cookies
To help us find and delete Flash cookies, we’re gonna need a Firefox add-on called BetterPrivacy. After installing it, you can start it by going to Tools > BetterPrivacy. If you take a look at the screenshot, you can see that I’ve been playing a Flash game called Level Up and that I have been using Gmail’s web interface. All entries that begin with a hash are harmless because they’re related to Flash’s preferences.

There are two entries that caught my eye: cnettv.cnet.com and vizu.com. CNET TV appears to have stored data in a file called OVPMetricsProvider.sol, which leads me to believe this cookie is used solely to do detailed site analytics. I didn’t remember going to Vizu.com, so I looked it up. A quick search revealed that it is an analytics company, therefore people who are concerned about their privacy probably don’t want this cookie around.

Deleting Flash cookies
Unfortunately, BetterPrivacy can’t block Flash cookies as of yet. You can, however, let it delete your Flash cookies on demand with a hotkey or automatically every couple of hours. I’m not too paranoid about my privacy, so I went with the less radical solution of having BetterPrivacy delete my Flash cookies when quitting Firefox. All these options can be accessed on the second tab of the add-on’s preferences window.


Much like regular cookies, Flash cookies also have legitimate uses you don’t want to block. After all, you don’t want to lose your progress in that Flash game you’ve nearly finished. Luckily you can whitelist certain Flash LSOs so that BetterPrivacy won’t delete them. This can be done by going to the first tab of the settings window, selecting an entry and clicking the ‘Prevent automatic LSO deletion’ button.
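The listing, whitelisting and deletion steps above can also be done without an add-on. The sketch below is an added example, not part of the original article and not BetterPrivacy's code. It assumes LSOs are stored as `.sol` files laid out as `<random-id>/<domain>/…` under the Flash Player `#SharedObjects` folder, and it runs against a constructed sample tree (the domain `games.example` and the file names other than `OVPMetricsProvider.sol` are made up).

```python
import tempfile
from pathlib import Path

def find_lsos(root):
    """Return (domain, path, size_bytes) for every .sol file under root."""
    root = Path(root)
    found = []
    for sol in sorted(root.rglob("*.sol")):
        parts = sol.relative_to(root).parts
        # Assumed layout: <random-id>/<domain>/.../<name>.sol
        if len(parts) < 3:
            continue
        found.append((parts[1], sol, sol.stat().st_size))
    return found

def purge_lsos(root, whitelist=(), dry_run=True):
    """Delete LSOs whose domain is not whitelisted; return the affected domains."""
    keep = {d.lower() for d in whitelist}
    hit = set()
    for domain, path, _size in find_lsos(root):
        # Entries starting with '#' are Flash's own preferences (per the article).
        if domain.startswith("#") or domain.lower() in keep:
            continue
        hit.add(domain)
        if not dry_run:
            path.unlink()
    return sorted(hit)

def build_sample(root):
    """Constructed sample tree standing in for a real #SharedObjects folder."""
    for rel, size in [
        ("AB12CD34/cnettv.cnet.com/OVPMetricsProvider.sol", 120),
        ("AB12CD34/vizu.com/tracker.sol", 80),
        ("AB12CD34/games.example/levelup/save.sol", 300),
        ("AB12CD34/#local/settings.sol", 40),
    ]:
        f = Path(root) / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"\x00" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for domain, path, size in find_lsos(tmp):
            print(f"{domain:20} {size:5d} B  {path.name}")
        print("deleted:", purge_lsos(tmp, ["games.example"], dry_run=False))
```

On a real machine, pass your profile's `#SharedObjects` folder as `root` (for example `~/.macromedia/Flash_Player/#SharedObjects` on Linux) and keep `dry_run=True` until the reported domains look right.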

The tips in this article only cover Firefox. If you have Opera/Chrome/IE/Safari tips that fit in with the article, please do share them with us in the comments.