How To Keep Tabs On Sneaky "Flash Cookies"

Maybe it's true that what you don't know won't always hurt you. But that doesn't mean you have to trust it.Most informed Web users know all about cookies. They know what cookies are and what they typically do. They know why cookies are sometimes helpful but often unnecessary. Above all, most of us know where to find cookies on our systems and how to get rid of the ones we don't want.

And a lot of us do keep an eye on Web cookies. According to a 2005 Jupiter Research report, more than half of all Web users have deleted cookies from their systems, and more than a third do so on a monthly basis.

I call these people responsible, informed Internet users. Some Web marketing companies, however, call them something else: an economic threat.

That's why more advertisers and online tracking tools are taking advantage of a little-known Adobe Flash feature. Flash allows Web sites to place what it calls Local Shared Objects -- aka "Flash Cookies" -- on a visitor's desktop PC.

Flash Cookies can store up to 100kb of data on a user's system, as opposed to the 4kb limit placed on regular browser-based cookies. They may reside on a system indefinitely; they load silently, without requesting permission or even notifying the user; and Flash Player provides no desktop tools for managing or deleting them.

Adobe does provide a way to delete and/or restrict Flash Cookies, using Macromedia's online Flash configuration tool. It's better than nothing -- if you know it exists.

Do Flash Cookies pose an imminent security risk? Almost certainly not. On the other hand, it seems reasonable to view any application that stores data or tracks online behavior without a user's knowledge or permission as an implicit security risk. And Flash Cookies certainly match this description.

Worse still, quite a few sites use Flash Cookies even when they don't load any visible Flash content. Instead, they simply load a tiny, invisible Flash module on each page a user visits. These may or may not serve a useful purpose. The problem is that users don't see them load, and they don't have any easy way to manage or delete them once they are loaded.

What should your company do about this? That's a two step process -- although the second step will work only for Mozilla Firefox users.

First, get the information you need to make an informed decision about Flash Cookie technology. Here are a few sites that provide a good overview of the technology, how it is used, and its privacy/security implications:

- Electronic Privacy Information Center's Flash Cookie Page. This includes a description on how the technology works and how some online marketers are deliberately using it to undermine users' efforts to control the use of Web cookies on their systems.

- Flash Cookies Explained, on ghacks.net. Go here for instructions on using the Adobe Flash Player Settings Manager (accessible only through the Macromedia.com Web site) to manage or delete Flash Cookies on a desktop system.

- Adobe's Flash Settings Manager online documentation. Note: If you use Flashblock or a similar Firefox extension, you will have to enable Flash on these pages to access the Flash Settings Manager panels.

- Wikipedia's entry on Local Shared Objects provides lots of additional information if you want to delve into the technical details of the spec and its use.

Let's move on to step two: tips Firefox users can employ to manage Flash Cookies directly from their own desktops.

Flashblock is one of my favorite Firefox extensions. When it's active, it keeps Flash modules from loading; instead, you see clickable icons that allow you to load Flash content on a case-by-case basis. Flashblock keeps Flash out of the way when you don't want it but makes it easy to load Flash content that serves a legitimate purpose.

How effective is Flashblock against Flash Cookies? Quite a few people who use the Adobe Flash Settings Manager report finding dozens of Flash Cookies on their systems.

I found two on my system. Both loaded on sites where I deliberately allowed Flash content to load after Flashblock had flagged it.

Another Firefox security extension does what Adobe refuses to do: Give desktop users direct, local control of their Flash Cookie settings. Among other features, the BetterPrivacy extension provides detailed information about every Flash Cookie stored on a user's system, can auto-wipe downloaded Flash Cookies on startup or shutdown, and supports whitelistng objects that users want to keep around.

No reasonable person would suggest that Flash Cookies are inherently evil or unnecessary. In fact, like standard Web cookies, they can be quite useful.

Privacy issues aside, however, it is simply impossible to practice sound desktop computer security without two key ingredients: knowledge and control. And that is why Flashblock, BetterPrivacy, and so many other Firefox extensions are such a boon for security-conscious Web users.