Sunday, January 31, 2010

Another threat to computer security and privacy

I was surprised - unpleasantly - to learn that persistent cookies can be set on your computer without your knowledge or permission, and without the ability to delete them unless you take special measures. Wired reports:

More than half of the internet’s top websites use a little known capability of Adobe’s Flash plug-in to track users and store information about them, but only four of them mention the so-called Flash Cookies in their privacy policies, UC Berkeley researchers reported Monday.

Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not.

What’s even sneakier?

Several services even use the surreptitious data storage to reinstate traditional cookies that a user deleted, which is called ‘re-spawning’ in homage to video games where zombies come back to life even after being “killed,” the report found. So even if a user gets rid of a website’s tracking cookie, that cookie’s unique ID will be assigned back to a new cookie again using the Flash data as the “backup.”

. . .

Websites and advertisers track users closely in order to improve services and to prove to advertisers that an ad has been shown one time to 1 million users, and not 10 times to the same 100,000 people. Ad networks also collect the information in order to segment users into different groups, such as “car fanatic” or “fashionista,” in order to charge advertisers a premium for reaching just the slice of the populace that the company thinks will be most receptive to its ad.

Smelling possible regulation coming, third party ad networks recently agreed to an updated voluntary code of conduct, though it prohibits little and has no enforcement mechanism. For instance, when it comes to sensitive health information, the networks are free to collect as much information as they like, so long as it does not involve an actual prescription.

Soltani led a summer research team at Berkeley, under the direction of Chris Hoofnagle, the Director of Information Privacy Programs at the Berkeley Center for Law and Technology. The team tested the top 100 sites to see what their privacy policies said, what their tracking technology actually does and what happens if a user blocks the Flash cookie.

The study found that 54 of the top 100 set Flash cookies, which vary from simply setting audio preferences to tracking users by a unique identifier., for instance, placed on this writer’s work computer to set the volume of a video player.

Adobe’s Flash software is installed on an estimated 98 percent of personal computers, and has been a key component in the explosion of online video, powering video players for sites such as YouTube and Hulu.

Websites can store up to 100K of information in the plug-in, 25 times what a browser cookie can hold. Sites like also use Flash’s storage capability to preload portions of songs or videos to ensure smooth playback.

All modern browsers now include fine-grained controls to let users decide what cookies to accept and which to get rid of, but Flash cookies are handled differently. These are fixed through a web page on Adobe’s site, where the controls are not easily understood (There is a panel for Global Privacy Settings and another for Website Privacy Settings — the difference is unclear). In fact, the controls are so odd, the page has to tell you that it is the control, not just a tutorial on how to use the control.

. . .

The report names two companies, Clearspring and QuantCast, as companies whose technologies reinstate cookies for other websites.

Clearspring, the makers of the popular AddThis tool that lets users share a link by e-mail or on social networking sites, used its Flash cookie to reinstate deleted browser cookies for, and, according to the report.

The company defends its behavior, saying everyone uses Flash cookies these days, that it discloses its use of Flash in its privacy policy and that the copying of data back into cookies is a simple way to speed up pages by transferring data into HTML cookies, which browsers read faster.

Clearspring’s AddThis tool is used by more than 300,000 publishers and the company collects data on some 525 million unique internet users monthly, according to Clearspring CEO Hooman Radfar. The data will soon be used to personalize the AddThis widget, making it so that a user who has previously shared a story by Twitter and Friendfeed will see those options first, rather than social networks he doesn’t use.

There's more at the link.

Another useful Web page giving information on persistent cookies is Fight Identity Theft. Their article, and the Wired article linked above, provide links to tools to identify and eliminate these intruders. I installed and/or ran them today, and was extremely irritated to find a large number of these persistent cookies on my system. I usually ban the use of cookies in my browser, and delete any that I have to use when I close the browser: so I was very annoyed to find my control over my computer bypassed in this way.

I'm now (hopefully) proofed against further intrusions of this kind. If you value your online privacy as much as I do, I strongly suggest that you read both the articles linked above, and run and/or install the safeguards they mention.
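
For readers who want to see what is on disk before running a cleaner, here is an added example (not code from this post, the Wired article or the Berkeley report). It lists Flash Local Shared Objects (`.sol` files) by the domain that set them and flags any whose contents repeat a browser cookie value, the pattern behind the "re-spawning" described above. The directory locations are the standard per-user Flash Player storage paths; the cookie jar in the demo is constructed sample data.

```python
import os
from pathlib import Path

def default_roots():
    """Standard per-user Flash Player storage roots (Linux, macOS, Windows)."""
    home = Path.home()
    roots = [home / ".macromedia/Flash_Player/#SharedObjects",
             home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects"]
    appdata = os.environ.get("APPDATA")
    if appdata:
        roots.append(Path(appdata) / "Macromedia/Flash Player/#SharedObjects")
    return roots

def find_lsos(root):
    """Yield (domain, path) for every .sol file under a #SharedObjects root.

    On-disk layout: <root>/<random profile dir>/<domain>/.../<name>.sol
    """
    root = Path(root)
    if not root.is_dir():
        return
    for path in sorted(root.rglob("*.sol")):
        parts = path.relative_to(root).parts
        domain = parts[1] if len(parts) >= 3 else "(unknown)"
        yield domain, path

def respawn_candidates(root, cookies, min_len=8):
    """Return (domain, file name, cookie name) where a cookie value is also in an LSO.

    LSO strings are stored as raw UTF-8, so a byte search is enough. Short
    values (a volume setting, a flag) are skipped: only long identifier-like
    values make a useful backup for a deleted tracking cookie.
    """
    hits = []
    for domain, path in find_lsos(root):
        data = path.read_bytes()
        for name, value in cookies.items():
            if len(value) >= min_len and value.encode("utf-8") in data:
                hits.append((domain, path.name, name))
    return hits

if __name__ == "__main__":
    # Constructed cookie jar; in practice export name -> value from the browser.
    sample_cookies = {"uid": "a1b2c3d4e5f60718", "vol": "7"}
    for root in default_roots():
        for domain, path in find_lsos(root):
            print(f"{domain}\t{path.stat().st_size} bytes\t{path}")
        for hit in respawn_candidates(root, sample_cookies):
            print("cookie value duplicated in LSO:", hit)
```

A hit means the site has a copy of the identifier outside the browser's cookie store, so deleting the browser cookie alone will not reset it.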



Morris said...

Peter, thanks for posting this. I will be looking into this as soon as I get home tonight.

Anonymous said...

They're called LSOs. An add-on to Firefox, BetterPrivacy, will remove them. It's interesting to see how many sites use them.


Angus said...

In addition to Firefox's wonderful add-on "BetterPrivacy", those who use Other Browsers can remove their Flash "cookies" using CCleaner -- freeware from

Crucis said...

I've been using BetterPrivacy for a month (it works on Linux too.) The first time it ran, it found 732 LSOs. It was almost enough for me to purge Flash from my PCs.

Anonymous said...

Great info. Now I know why there is no Flash on the iPhone.