Ever since consumers started gaining access to the internet, cookies have been controversial. They have a lot of legitimate uses, such as helping websites remember that you're logged in. On the other hand, privacy campaigners have often voiced concerns about ad networks using cookies to gain information about your surfing habits. Although browsers will let you disable regular cookies completely if you want, this doesn't keep sites from storing a more sophisticated type of cookies on your computer...
How is it possible that sites can still track you even if you've disabled cookies? The answer lies within a browser plugin that is installed on approximately 99.0% of Internet-enabled computers worldwide: Flash. In version 6 of the popular plugin, something called Local Shared Objects was introduced. This allows websites to store a small amount of data on your computer. But hey, wait a minute... that sounds an awful lot like the concept of cookies.
There are three major reasons why we should be cautious with Flash cookies:
- By default, every website is allowed to use up to 100kB of storage on your computer. Regular cookies are limited to 4kB. That may not sound like a lot of space these days, but that's huge in cookie terms.
- Flash cookies never expire, unlike regular cookies.
- Even when you opt out of cookies entirely in your browser's preferences, Flash cookies can still be set unless you disable Flash entirely.
Calm down
Don't panic. Flash cookies don't will not send your social security number to criminals or anything like that, but it is important that you understand what they could be used for to make an informed decision about them.
Let's have a closer look at a common "evil" use of cookies in general: marketing. Sites A, B and C display ads from ad network X on their site. If you go to site A for example, the ad network can place a cookie on your computer that contains the URL you just visited. As you go from site to site, perhaps including site B and C, the network can collect the URLs that display their advertising to generate an anonymous profile about you, containing such information as your interests, political orientation, beliefs, age and the region where you live.
So basically Flash cookies do what regular cookies do too, except that Flash cookies can contain more data and never expire. If that doesn't sound bad to you, Flash cookies are nothing to worry about.
Finding your Flash cookies
To help us find and delete Flash cookies, we're gonna need a Firefox add-on called BetterPrivacy. After installing it, you can start it by going to Tools > BetterPrivacy. If you take a look at the screenshot, you can see that I've been playing a Flash game called Level Up and that I have been using Gmail's web interface. All entries that begin with a hash are harmless because they're related to Flash's preferences.
There are two entries that caught my eye: cnettv.cnet.com and vizu.com. CNET TV appears to have stored data in a file called OVPMetricsProvider.sol, which leads me to believe this cookie is used solely to do detailed site analytics. I didn't remember going to Vizu.com, so I looked it up. A quick search revealed that it is an analytics company, therefore people who are concerned about their privacy probably don't want this cookie around.
Deleting Flash cookies
Unfortunately, BetterPrivacy can't block Flash cookies as of yet. You can however let it delete your Flash cookies on demand with a hotkey or automatically every couple of hours. I'm not too paranoid about my privacy, so I went with the less radical solution of having BetterPrivacy delete my Flash cookies when quitting Firefox. All these options can be accessed on the second tab of the add-on's preferences window.
Much like regular cookies, Flash cookies also have legitimate uses you don't want to block. After all, you don't want to lose your progress in that Flash game you've nearly finished. Luckily you can whitelist certain Flash LSOs so that BetterPrivacy won't delete them. This can be done by going to the first tab of the settings window, selecting an entry and clicking the 'Prevent automatic LSO deletion' button.
The tips in this article only cover Firefox. If you have Opera/Chrome/IE/Safari tips that fit in with the article, please do share them with us in the comments.
Flash also has a problem with sessions when sending data to a PHP script – in some instances it may use these cookies to keep track of your session so that you can save data etc. from inside a flash container. An example of this is favouriting YouTube videos through an embedded player. So blocking them entirely or deleting everything isn’t advised; even if you don’t want to save progress in a game you may be cutting yourself off from useful features like this.
This isn’t limited to flash, and could be done with any technology that has isolated storage. With silverlight becoming more and more popular, the same could be done there.
Have you tried Ghostery for Firefox? It will not only show you what sites are collecting information about you but allow you to block this behavior customized to what you want.
Also no person wanting to protect themselves on the net should be without NoScript which will block this behavior as long as you don’t enable scripts for a site (which in many cases would not do as you need those to see what you want).
That would be where BetterPrivacy would come in providing another layer for cleanup. Nice find Pieter.
I’ve found 2 tools for those who don’t use Firefox :
Flash Cookie Cleaner (without installation)
Flushflash cookies flash (without installation)
Can I disable “flash cookies” using this tool [macromedia.com]
CCleaner DO IT OK.
I’ve disabled them via adobe.com, and then set the permissions on the directory on my linux machine such that it cannot be written to in case adobe gets any cute ideas about opting me back in.