The Cookie is Dead, Long Live the Cookie!

Overview

A recent study at UC Berkeley, a government inquiry, and several recent news articles have combined to highlight a new privacy concern, as well as some underhanded tricks that web tracking companies are using to monitor internet user activity. Using Adobe’s Flash Player, web sites now have the ability to track users using a concept similar to browser cookies – and up to now, this has been done silently, without notification, and in some cases even after individual users have “opted out” of cookie tracking.

In fact, the study found Flash cookies on more than 50% of the top 100 internet sites, and found sites using that Flash data to “re-spawn” HTTP cookies that users had intentionally cleared, deleted, or blocked.

Here’s an experiment you can try. Take a look at the following folder in your system, to see what sites are using Flash data to maintain tracking information on your system:

In Windows XP:

C:\Documents and Settings\{yourname}\Application Data\Macromedia\Flash Player\#SharedObjects

In Windows Vista:

C:\Users\{yourname}\AppData\Roaming\Macromedia\Flash Player\#SharedObjects

In Mac OS X:

~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/

In each case, look in the subfolder with the random name (Flash Player creates one per profile), and you’ll be amazed at what you find: one folder per domain that has stored data on your machine.

The idea of using Flash Player to store tracking information isn’t new, but it has spawned a hidden system for tracking user activity in a way that is neither self-evident, nor easily managed. Read on for some background and suggestions in how to deal with this situation.

If you want to skip the gory details and just know how to prevent this, skip to the section near the end, titled “Adobe’s Flash Player Settings Application.”

Read on…

Concept of a browser cookie

Once upon a time, a very long time ago in web years (about 1994), early developers of internet Web tools came across the challenge of keeping track of multiple users of a web site. They developed a technology that would allow the web server to know whether a particular user had previously visited their site. This would allow the server to display different content based on the visitor’s history, and led to many new ways of conducting Web business, most notably e-commerce (the original “shopping cart” concept). Thus was born the “cookie.”

A browser cookie isn’t much more than a very small amount of data, usually something like a serial number, that identifies a site visitor. The actual user-specific data is managed on the server, and the cookie is the link that lets the visitor’s browser talk to the server and allow the server to keep track of the visitor’s status – logged in, items in shopping cart, site display preferences, etc.

Almost as soon as cookies were developed, watchful groups became concerned over the potential privacy violations; ways that companies (or individuals) could misuse the browser as a tool to keep track of users and their browsing habits. Browsers were updated to allow users to block cookies entirely, or to clear them from history, and the game was on.

Third party cookies and privacy concerns

In many cases, today’s web sites are composed of content from multiple servers and locations, notably servers different from the ones to which we’ve requested a connection. Consider the ubiquitous advertisement pane that pops up on many pages – this advertisement is coming from another server, a “third party” to you and the hosting server. The advertising company serving the banner uses cookies to know whether it has served you an ad, and it may adjust its content based on your browsing history.

These types of third party cookies created a whole new area of concern, and most modern web browsers now include a setting in which you can completely block third party cookies, while allowing regular cookies to be passed between you and the site you are visiting. If you don’t have this blocking active already, please consider doing so right now!

Cookie management in browsers

Here is an example of the cookie management feature in Internet Explorer and Firefox (Windows):

[Screenshot: the third-party cookie setting in Internet Explorer]

[Screenshot: the third-party cookie setting in Firefox]

Note that in both cases, the browser clearly allows you to accept or block all cookies, and also makes a provision to block only third-party cookies while accepting first-party cookies. Other browsers have similar settings.

If you don’t already have these settings made, I recommend blocking third-party cookies as a privacy measure. This is my personal opinion, but is shared by many in the computing security field.

The Local Shared Object (aka “Flash Cookie”)

Now that you’ve got your cookie blocking active, here comes the curve ball.

Adobe’s Flash Player allows web sites to store information similar to a cookie on your machine. Adobe euphemistically refers to this data as a “Local Shared Object,” but most people refer to it as a “Flash Cookie,” and indeed it shares many traits with browser cookies:

  • An LSO can store data from the server
  • An LSO can be used to maintain state for user management (tracking, commerce, session management, etc)

However, the LSO has some very key differences from browser cookies:

  • An LSO has no expiration date; it stays on disk until something deletes it
  • An LSO can be very large (100 KB per domain by default, and a site can ask for up to 10 MB or more) in contrast to a browser cookie’s roughly 4 KB
  • An LSO can not be blocked or cleared by any setting within the browser; clearing your browser cookies leaves it untouched

Scared yet?

The study and results

A recent study by UC Berkeley reviewed the characteristics of 100 top web sites, as ranked by Quantcast. This study concluded that both HTTP and Flash Cookies were ubiquitous among top web sites, and over 50% of the sites surveyed were using Flash as well as HTTP cookies for various purposes. Further, the study found that Flash data was being used to reinstate, or “re-spawn,” cookie data that had been deleted or blocked by users. This included cookie data that was specifically subject to “opt-out” settings in accordance with the Network Advertising Initiative process.
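The folder experiment at the top of the post and the study’s re-spawn check can both be done by hand, but a script makes them repeatable. The following is an added example, not code from the post or from the Berkeley study: it walks the #SharedObjects folder, parses each .sol file (the documented Macromedia layout, AMF0 bodies only; AMF3 bodies and exotic AMF0 types are reported as unparsed rather than guessed at), lists what every domain has stored, and then flags any stored string that is identical to a value in the browser’s HTTP cookie jar. That equality is the on-disk signature of re-spawning: the same opaque visitor ID sitting in both stores. The build_sol encoder exists only to construct sample data; SAMPLE_SOL, SAMPLE_COOKIES, tracker.example and the cookie names are constructed and stand in for nothing real. Exporting your actual cookie jar into the http_cookies dictionary is left to whatever your browser offers.

```python
"""Audit Flash Local Shared Objects: list every .sol per domain and flag values mirrored in the HTTP cookie jar."""
import struct
import sys
from pathlib import Path

def u16(data: bytes, pos: int) -> int:
    return struct.unpack(">H", data[pos:pos + 2])[0]

def read_amf0(data: bytes, pos: int):
    """Decode one AMF0 value -> (value, next_pos); unknown markers raise rather than mis-parse."""
    marker, pos = data[pos], pos + 1
    if marker == 0x00:                               # number: big-endian IEEE double
        return struct.unpack(">d", data[pos:pos + 8])[0], pos + 8
    if marker == 0x01:                               # boolean
        return bool(data[pos]), pos + 1
    if marker == 0x02:                               # string: u16 length + UTF-8
        n = u16(data, pos)
        return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n
    if marker == 0x03:                               # object: (u16 keylen, key, value)* then 00 00 09
        obj = {}
        while not (u16(data, pos) == 0 and data[pos + 2] == 0x09):
            n = u16(data, pos)
            key = data[pos + 2:pos + 2 + n].decode("utf-8")
            obj[key], pos = read_amf0(data, pos + 2 + n)
        return obj, pos + 3
    if marker in (0x05, 0x06):                       # null / undefined
        return None, pos
    raise ValueError(f"unsupported AMF0 marker 0x{marker:02x} at offset {pos - 1}")

def parse_sol(data: bytes):
    """Layout: 00 BF | u32 body length | 'TCSO' | 00 04 00 00 00 00 | u16 name length | name
    | u32 AMF version (0 = AMF0) | properties, each: u16 keylen | key | AMF0 value | 0x00 pad."""
    if data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        raise ValueError("not a .sol file")
    if struct.unpack(">I", data[2:6])[0] != len(data) - 6:
        raise ValueError("length field does not match file size")
    n = u16(data, 16)
    name, pos = data[18:18 + n].decode("utf-8"), 18 + n
    if struct.unpack(">I", data[pos:pos + 4])[0] != 0:
        raise ValueError("AMF3 body not handled by this parser")
    pos, props = pos + 4, {}
    while pos < len(data):
        n = u16(data, pos)
        key = data[pos + 2:pos + 2 + n].decode("utf-8")
        props[key], pos = read_amf0(data, pos + 2 + n)
        pos += 1                                     # pad byte closing every property
    return name, props

def build_sol(name: str, props: dict) -> bytes:
    """Minimal AMF0 .sol encoder (strings, numbers, booleans), used here only to build sample data."""
    def enc(v):                                      # bool is tested first: True is also an int
        if isinstance(v, bool):
            return b"\x01" + bytes([v])
        if isinstance(v, (int, float)):
            return b"\x00" + struct.pack(">d", float(v))
        return b"\x02" + struct.pack(">H", len(str(v).encode("utf-8"))) + str(v).encode("utf-8")
    body = struct.pack(">H", len(name.encode("utf-8"))) + name.encode("utf-8") + b"\x00\x00\x00\x00"
    for k, v in props.items():
        body += struct.pack(">H", len(k.encode("utf-8"))) + k.encode("utf-8") + enc(v) + b"\x00"
    payload = b"TCSO\x00\x04\x00\x00\x00\x00" + body
    return b"\x00\xbf" + struct.pack(">I", len(payload)) + payload

def inventory(root: Path):
    """(domain, LSO name, properties) for each .sol under #SharedObjects/<random id>/<domain>/.../<name>.sol"""
    out = []
    for sol in sorted(root.rglob("*.sol")):
        parts = sol.relative_to(root).parts
        domain = parts[1] if len(parts) > 2 else "?"
        try:
            out.append((domain,) + parse_sol(sol.read_bytes()))
        except (ValueError, struct.error, IndexError, UnicodeDecodeError) as err:   # still worth listing
            out.append((domain, sol.name, {"_error": str(err)}))
    return out

def lso_strings(value):
    """Every string inside a possibly nested LSO value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from lso_strings(v)

def respawn_candidates(lsos, http_cookies: dict, min_len: int = 8):
    """(domain, LSO name, key, cookie name) wherever an LSO string equals a cookie value of at least min_len chars."""
    return [(domain, name, key, cname)
            for domain, name, props in lsos for key, value in props.items()
            for s in lso_strings(value) for cname, cval in http_cookies.items()
            if len(s) >= min_len and s == cval]

# Constructed sample, not real data: a tracker's uid.sol and a cookie jar carrying the same ID under another name.
SAMPLE_SOL = build_sol("uid", {"id": "7f3a9c2e1b4d", "visits": 3, "optout": False})
SAMPLE_COOKIES = {"session": "short", "_trk": "7f3a9c2e1b4d"}
if __name__ == "__main__":
    if len(sys.argv) > 1:                            # audit a real profile: pass the #SharedObjects path
        lsos = inventory(Path(sys.argv[1]))
    else:
        lsos = [("tracker.example",) + parse_sol(SAMPLE_SOL), ("kuler.adobe.com", "prefs", {"theme": "dark"})]
    for domain, name, props in lsos:
        print(f"{domain:35} {name:20} {props}")
    print("re-spawn candidates:", respawn_candidates(lsos, SAMPLE_COOKIES))
```

Run it with no argument to see the constructed sample, or with the #SharedObjects path from the list above to audit your own profile. A match is a lead, not proof: a site could legitimately mirror its own login token into an LSO for its Flash content, so the confirming step is to delete the HTTP cookie, reload the site, and see whether the same value reappears.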

I don’t know about you, but I don’t care to have companies re-spawning anything on my system after I’ve deleted it. This sounds WAY too much like malware behavior.

Adobe’s Flash Player Settings Application

Are you ready to stop the insanity? OK, let’s see how we can put an end to this nonsense. As I mentioned in the beginning, the solution is neither self-evident, nor easily managed. Here’s the kicker:

There is no global settings panel within the Flash Player.

That’s right, it doesn’t exist. Right-clicking a Flash movie gives you a small per-site “Settings…” dialog, but nothing in the browser and nothing in the player will show you every site that has stored data on your machine, let alone let you clear it. How, then, do we manage the Flash Player settings? Why, we go to macromedia.com, of course. Didn’t you know that? (Sarcasm intended).

Here’s the entry link, spelled out, just for fun, and below that is a small snapshot of the page you get when you go there:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html

[Screenshot: the Flash Player Settings Manager page at macromedia.com]

What an odd place to locate the Flash Player Settings Manager. The oddest thing is, this page *is* the settings manager – there is no application, it is the page itself. Notice the fine print below the small image:

[Screenshot: the fine print under the Settings Manager, noting that it is the actual Settings Manager and not an image]

Am I wrong in thinking that, if your app needs a notice below it saying, “this is not an image, this is the actual Settings Manager,” there might be some room for improvement here?

The bottom line is that this is what Adobe has provided, obviously a relic from Macromedia days… so let’s dig in and look at some of the settings. Notice the row of icons across the top: there are actually 6 separate pages to this app, one for each tab. First is the “Global Privacy Settings” panel, which controls your camera and microphone. You can set it to “always deny” or to “always ask” for permission to use your microphone and camera. Spooky…

Next up, we’ll go to the second tab, and here’s where it gets interesting:

[Screenshot: the Global Storage Settings tab]

In Global Storage Settings, the default amount of disk space a site may use for LSOs is 100 KB; a site that wants more triggers a prompt asking you to allow it. You can set the slider lower, or move it all the way to the left for 0 KB… no storage (although an empty “cookie” is still created).

Notice that “Allow third-party Flash content to store data on your computer” is ON by default. I recommend turning this OFF!

You can explore the other tabs, but we’re going to jump over to the tab titled “Website Privacy Settings.” Pay dirt!

[Screenshot: the Website Privacy Settings tab]

In here, we can see a list of the sites that have stored Flash data on your computer. Some are relatively harmless (the kuler.adobe.com site stores my kuler settings) and others are obviously tracking cookie engines. Again, you can set “always ask,” “always allow,” or “always deny,” but given that I’ve never had a site like quantserve ask my permission to store LSOs on my machine, I chose to “Delete all sites.”

Notice that there isn’t any sign of an “OK” or “make it so” button: changes made in the Settings Manager take effect in Flash Player immediately.
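“Delete all sites” is all or nothing, and the per-site buttons mean clicking through every tracker by hand. Because LSOs are ordinary files in the #SharedObjects folder shown earlier, a selective purge is a few lines of Python. This is an added example, not the post’s own or Adobe’s code: it keeps an allow-list of domains (adobe.com stands in for the author’s kuler.adobe.com case) and removes every other domain folder under each random-id folder. The domain names in demo() are constructed. Two caveats a practitioner will want: run it with the browser closed, since a running Flash instance may write its shared objects back to disk when the movie unloads, and note that Flash Player’s own settings are stored outside #SharedObjects (under macromedia.com/support/flashplayer/sys in the Flash Player folder), so the purge does not reset what you configured in the Settings Manager.

```python
"""Selective 'Delete all sites': remove every domain's LSOs under #SharedObjects except an allow-list."""
import shutil
import tempfile
from pathlib import Path

def allowed(domain: str, keep) -> bool:
    """True for an allow-listed domain or any subdomain of one (www.kuler.adobe.com matches adobe.com)."""
    return any(domain == k or domain.endswith("." + k) for k in keep)

def purge_shared_objects(root: Path, keep=(), dry_run: bool = False):
    """Walk #SharedObjects/<random id>/<domain>/ and delete every domain folder not covered by
    keep. Returns (deleted, kept) domain names. Only domain folders are touched: the random-id
    folder stays, and Flash Player's own settings live outside #SharedObjects anyway."""
    deleted, kept = [], []
    for rand_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for domain_dir in sorted(p for p in rand_dir.iterdir() if p.is_dir()):
            if allowed(domain_dir.name, keep):
                kept.append(domain_dir.name)
                continue
            if not dry_run:
                shutil.rmtree(domain_dir)
            deleted.append(domain_dir.name)
    return deleted, kept

def demo():
    """Constructed tree (not a real profile): three domains, one allow-listed by parent domain."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "#SharedObjects"
        for domain in ("kuler.adobe.com", "tracker.example", "ads.example"):
            swf_dir = root / "ABCD1234" / domain / "thing.swf"
            swf_dir.mkdir(parents=True)
            (swf_dir / "data.sol").write_bytes(b"\x00\xbf")      # placeholder bytes, not a real .sol
        deleted, kept = purge_shared_objects(root, keep=("adobe.com",))
        survivors = sorted(p.name for p in (root / "ABCD1234").iterdir())
        return deleted, kept, survivors

if __name__ == "__main__":
    # Mac OS X path from the post; substitute the Windows path on that platform. Dry run first.
    root = Path.home() / "Library" / "Preferences" / "Macromedia" / "Flash Player" / "#SharedObjects"
    if root.exists():
        print(purge_shared_objects(root, keep=("adobe.com",), dry_run=True))
    else:
        print("demo:", demo())
```

Keep dry_run=True until the printed list looks right; the folders are deleted without confirmation once it is off.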

Conclusions and Recommendations

Having Local Shared Objects accessible by Flash Player allows many rich internet features, and enables intelligent applications to provide a broad and engaging user experience. However, the potential for abuse is far too open in the current Flash Player incarnation. The fact that the settings application is on a seemingly deprecated Macromedia website, and not readily available within the application, is an oversight that must be remedied, and soon. The results of the UC Berkeley study demonstrate that this feature is already widely abused.

Adobe, please give us the global settings panel from the right click context menu in Flash Player, not just the per-site dialog. Also, please embrace the TNO (“trust no one”) philosophy, by having the default for third party content be “opt-out.” We have to make these types of things easy for the common users – I don’t want to have to explain these settings to my parents.

That’s all I have to say about that. I’d love to hear your comments!

This Post Has One Comment

  1. Awesome, thank you very much for this article.