Slashdot Mirror


Adobe Flash Cookies Raising Privacy Questions Again

Nearly a year after we discussed the privacy implications of Flash cookies, they are in the news again as the US government considers revising its cookie policy. Wired covers a study out of UC Berkeley exposing questionable practices used by many of the Internet's most-visited Web sites (abstract). The most questionable activity the report exposes is known as "respawning": after a user has deleted browser tracking cookies, some sites will use information in Flash cookies to recreate them. The report names two companies, Clearspring and QuantCast, whose technologies reinstate cookies for other Web sites. "Federal websites have traditionally been banned from using tracking cookies, despite being common around the web — a situation the Obama administration is proposing to change as part of an attempt to modernize government websites. But the debate shouldn't be about allowing browser cookies or not, according to Ashkan Soltani, a UC Berkeley graduate student who helped lead the study. 'If users don't want to be tracked and there is a problem with tracking, then we should regulate tracking, not regulate cookies,' Soltani said."


  1. Perhaps we should surveil the surveyors... by fuzzyfuzzyfungus · · Score: 4, Interesting

    Spread across a reasonable number of annoyed individuals, paying to have a private investigator tail high level officers and major shareholders of advertising corporations that engage in this sort of thing 24/7/365 would be fairly inexpensive and amusing.

    1. Re:Perhaps we should surveil the surveyors... by johanatan · · Score: 4, Insightful

      I tend to think that it will come to that. In the near future, I expect everyone to record everything. The only question left for courts to decide will be the legitimacy of the material (i.e., whether it is authentic or counterfeit).

    2. Re:Perhaps we should surveil the surveyors... by PetriBORG · · Score: 2, Insightful

      Yeah but in case you hadn't noticed the courts accept a large amount of digital evidence in courts with less than a stellar backing, or so it seems to me. As a programmer I know *nothing* on a computer is 100% reliable right down to the CPU microcode (blue pill hacks). It really is turtles all the way down.

      --
      Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
  2. Re:All i can say is by auric_dude · · Score: 5, Informative

    All I can say is BetterPrivacy via https://addons.mozilla.org/en-US/firefox/addon/6623

  3. Unintended reinterpretation. by girlintraining · · Score: 3, Insightful

    "If users don't want to be tracked and there is a problem with tracking, then we should regulate tracking, not regulate cookies"

    I'm glad we're agreed then. Cookies are used for tracking, so cookies should be regulated. But we won't treat cookies like they're special -- we'll regulate all other forms of tracking as well. That seems fair. In other, unrelated news -- anonymity doesn't exist. Sherlock Holmes may be a fictional character several hundred years dead now, but what he said back then applies today on the internet (which I paraphrase here) "Every place you go, you leave something behind and you take something with you." Tracking, therefore, is just a matter of following the (ahem) tracks, and it's something anyone with a bit of skill can do.

    The problem is, we're failing society as professionals in the IT field -- part of our work (which most likely isn't earning you money) is teaching our friends, family, and interested parties about these problems and how to protect themselves from it because nobody else can or will. That's what has allowed this kind of crap to permeate into the mainstream... It wouldn't be tolerated if people knew better.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Unintended reinterpretation. by Darkness404 · · Score: 2, Insightful

      We should not regulate tracking cookies for non-government things any more than we are doing now. It's pathetically easy to clear cookies and anyone with a bit of knowledge can even clear these "impossible to remove" Flash cookies. The problem is, if we try to spread this around we end up with these super-paranoid users which honestly are more of a pain to deal with than those who enjoy running IE 6 on an unpatched XP install. Remember when the media did stuff on normal cookies? There were people who thought a cookie, a plain text file contained viruses! All this media paranoia has given rise to people who think that -anything- has viruses, that the .pdf on a trusted site -MUST- have a virus, that Firefox -MUST- be a virus, that anything -MUST- be a virus, and that even though they admit you know more about computers than them, you -MUST- be breaking their computers whenever you navigate to a site other than Google and a handful of others.

      --
      Taxation is legalized theft, no more, no less.
    2. Re:Unintended reinterpretation. by Synchis · · Score: 3, Insightful

      The problem is, we're failing society as professionals in the IT field -- part of our work (which most likely isn't earning you money) is teaching our friends, family, and interested parties about these problems and how to protect themselves from it because nobody else can or will. That's what has allowed this kind of crap to permeate into the mainstream... It wouldn't be tolerated if people knew better.

      I disagree with this. I've spent a long time in the industry, and am pretty much the only "tech enabled" person in amongst many friends and family. Many of them use the computer recreationally, and without a care as to what harms may become of them. To the layman, the computer is just a tool, and to most of them, there is no perceived risk to themselves. Thus, when I try to inform them of the risks they take, or try to teach them safer browsing habits, good housekeeping, etc. It is often met with indifference, and sometimes hostility. People don't like to be told they are wrong, especially when most people use the computer in the way they think is correct, and in most cases, the only way they know how.

      Many people are intimidated by computers, and to have somebody who is deeply involved in computers try to teach them best-practices, is sometimes insulting.

      So yeah, we may feel we have a responsibility to protect those that know less than us, but in reality, instilling that knowledge is not always easy, practical, or even sometimes possible.

      So no, I don't agree, I don't think we've failed. I think we're doing the best job we know how to do, in the face of at times massive and gross ignorance. Resistance does not mean I've given up. But I have learned over time which people are worth taking the time to teach, and which people are not worth the effort.

      --
      Thomas A. Knight
      Author of The Time Weaver
    3. Re:Unintended reinterpretation. by causality · · Score: 2, Interesting

      The problem is, we're failing society as professionals in the IT field -- part of our work (which most likely isn't earning you money) is teaching our friends, family, and interested parties about these problems and how to protect themselves from it because nobody else can or will. That's what has allowed this kind of crap to permeate into the mainstream... It wouldn't be tolerated if people knew better.

      I am all for spreading the word and teaching anyone who is willing to learn about these things. It's an important subject and it should be obvious that the current status quo where tracking is commonplace depends entirely on the widespread ignorance that is present. However, this is more like advocacy than prevention and only addresses part of the problem.

      The real problem is that so many users are passive and rather uninvolved in their own experience. It's never good strategy to wait around for somebody else with an altruistic motive to assist you when the needed information is out there and basic literacy is the only requirement for using it. I am not arguing that every average user should become an expert, only that some personal responsibility is in order. Balking at the rather modest reading/research effort that would be necessary to have a solid understanding of the basics is a luxury that you can't afford in the face of active attempts to compromise your privacy. I would compare it to saying that you don't feel like getting up to bar the door when there is an enemy at your gates, and it makes about as much sense (i.e. none) in terms of decision-making.

      Part of the reason why people "don't know better" is that they assume it's someone else's job. At a corporation where you are not a member of the IT staff, indeed it IS someone else's job. At home where you have full control over your LAN and your equipment, it's your job and you can either take care of it or fail to do so. The price for failing to do so is that you get taken advantage of for the sake of some marketer, or worse. If people could understand it that way, in terms of someone trying to screw them over without their consent, they would delight in the knowledge that there is something they can do about it. Suddenly it wouldn't be "boring computer stuff" but would be about personal empowerment. I think clearly showing that it has a price is the best chance to get rid of this willful helplessness. If you really want to see gigantic improvements not just in unethical tracking, but also in malware and botnets and online fraud, what you need are not informed users, but users who are willing to inform themselves. Then the information they need is not some black box bestowed upon them by members of an esoteric priesthood, but would instead become a useful tool that they take into their own hands.

      Perhaps one day we'll have computing appliances that are essentially maintenance-free, so that safely using them requires no more understanding of computing than using your washer/dryer requires an understanding of plumbing and electrical engineering. Right now we don't have that, and I question just how desirable it would be anyway. Computers are not toys or curiosities anymore and haven't been for a long time now. They are increasingly essential to everyday life. Every time you make a financial transaction or surrender personal information, it behooves you to make some effort to have some understanding of what you are doing and how it can be used. Otherwise you are being irresponsible and are failing to protect your interests and there's nothing wrong with saying so. We live now in an age where any literate adult with access to Google can achieve knowledge and understanding that was once the exclusive domain of experts. What we really need is to restore the wonder and sense of empowerment that goes along with this so that people no longer view the most basic research as an unreasonable chore. If that doesn't happen, then this passive victim mentality will cause the average person to be little more than an electronic serf, only it will be a serfdom that they choose because something else was always more important to them.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  4. Re:Piece of cake... by dc29A · · Score: 3, Informative

    Or on Windows, go to 'Document and Settings' (Users on Vista/7 if I am not mistaken), 'Application Data\Macromedia\Flash Player'.

    Remove '#SharedObjects' folder, create a file with same name on it. Remove all security rights on it. Do same with 'macromedia.com' folder.

    Problem solved. To test it, go to Youtube, set your volume to a certain level. Close browser, re-open and see if Youtube maintained the volume level. It shouldn't.

  5. Flash Website Storage Settings by wile_e8 · · Score: 5, Informative

    Go here to see all the flash cookies and delete any and all you don't want. Might not be as easy as deleting a directory, but I don't necessarily want to delete them all.

  6. Good browsers let the user choose by gurps_npc · · Score: 3, Informative

    In Firefox, the "Better Privacy" addon deletes flash cookies. Any browser that doesn't offer that kind of control is not worth getting. In my opinion, Firefox without "TACO" (auto creates a bunch of "opt out" cookies without any identifying details), "Better Privacy" (removes flash cookies) and "NoScript" (prevents unwanted scripts - including site-jacking stuff), is not fully installed.

    --
    excitingthingstodo.blogspot.com
    1. Re:Good browsers let the user choose by TopSpin · · Score: 2, Insightful

      The question here is why doesn't Firefox do this natively?

      The answer is that the browser is ignorant of what Flash is doing with the hard drive. HTML cookies and Flash cookies (LSOs) are not related. Firefox is not aware of and has no mechanism to control what Flash does with your disk.

      Flash Player (for Mozilla/Firefox) is based on the ancient and crufty NPAPI. This interface provides no generic "clear your temporary crap" hook for the host (browser.) It should; it's 2009 and this browser thing has been going on for 15 years now...

      IE 7 has a feature in "Delete Browsing History" that prompts the user to delete "files and settings stored by add-ons." I've never confirmed whether this means "flash cookies" (because I don't rely on IE for anything...) but that is what is implied, so this isn't some novel idea unheard of in the traditions of the Internets.

      Dear Mozilla,
          It is incumbent upon you as the present keeper of the NPAPI specification, such as it is, to extend said specification to provide a generic mechanism to monitor and control any and all storage utilized by third party plug-ins, and then encourage third parties (nasty warnings on plug-in invocation would work...) to adopt this extension. Please do so THIS decade. Do not continue to delay the obvious because NPAPI is an unholy mess; privacy trumps engineering elegance.
      Thanks!

      --
      Lurking at the bottom of the gravity well, getting old
  7. Re:Piece of cake... by Anonymous Coward · · Score: 2, Insightful

    See, this is just a downright lie. Making a mediocre cake might be easy, but to make a superb cake requires refined knowledge of baking chemistry and experience. You can't just follow most recipes because they make all measurements by volume when you really should be making them by weight.

  8. Re:All i can say is by Dogers · · Score: 4, Informative
    --
    I am a viral sig. Please copy me and help me spread. Thank you.
  9. /dev/null by dtschmitz · · Score: 3, Informative

    What I do:
    # remove the existing macromedia directory and set a link to /dev/null
    $ cd && rm -rf .macromedia && ln -s /dev/null .macromedia
    Be Safe!

    Dietrich T. Schmitz & Associates
    Cloud Computing Services

  10. Re:Piece of cake... by mad_robot · · Score: 2, Informative

    Doesn't Adobe's Flash settings widget work in Linux? It seems a bit drastic disabling Flash cookies for the whole internet when you can set preferences individually for each website you visit.

    --
    U1NCaVpYUWdlVzkxSUhkcGMyZ2dlVzkx SUdoaFpHNG5kQ0JpYjNSb1pYSmxaQT09
  11. Re:No.... by causality · · Score: 2, Insightful

    Really, not one good reason? Like the ability to create login sessions that allow both a logout function and the use of the back button? Or login sessions that do not re-submit your password with each new request? Or the ability to remember your search terms if you browse away from the search engine and then back?

    Certainly there's the potential for more nefarious use, and it's worthwhile to offer protections against that, but there are 1001 legitimate uses for sessions tracking, most of which are widely in use on almost every non-government website in the world; the no cookies rule is a result of the original cookies scare from 15 years ago, when you could create global cookies to track every website a user visited, and the rule is just as outdated as the scare.

    True but session cookies can arrange all of that. The case for persistent/permanently stored cookies is much harder to make.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  12. Re:All i can say is by trifish · · Score: 2, Informative

    Isn't this a way to permanently disable Flash cookies?

    http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html

    Note that this isn't just documentation. If you have Flash installed, the first thing that looks like a screenshot is actually the Flash config panel.

    Adobe could improve it by adding "Clear all cookies on exit".

  13. Re:Piece of cake... by jo42 · · Score: 4, Insightful

    An even better solution is on Adobe's own web site: How to uninstall the Adobe Flash Player plug-in and ActiveX control

  14. Re:Yet another reason for flashblock by Anonymous Coward · · Score: 2, Informative

    Use Flashblock and NoScript. When you allow scripts on the page, then Flashblock fires up and puts in the place holders.

  15. Re:All i can say is by florescent_beige · · Score: 3, Informative

    I just started using bp last week and here is something important. The version on the Firefox addon site is not the latest. I got 1.41 at

    http://netticat.ath.cx/BetterPrivacy/BetterPrivacy.htm

    because it added a bit of functionality. Specifically in the way it treats DOM storage.

    DOM storage is not flash cookies (LSOs), it is a separate way sites can store data on your computer I had not heard about. The old version could only disable DS, but now BP can treat DS like LSOs so it stays on but the data gets deleted on FF shutdown. Some sites like cnn video need DS turned on.

    Also I set it to delete the default LSO. That one stores a list of every flash site you visit. Even if you turn Flash local storage completely off using:

    http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html

    you will see a list of visited sites on the last tab on that control. Deleting the default cookie gets rid of that list.

    --
    Equine Mammals Are Considerably Smaller
  16. forget the cookies, what I want to know is why by fast+turtle · · Score: 2, Insightful

    flash wants to grant access to my mic and camera to every damn website in the fucking world? Shouldn't it be denied by default and ask the user before granting that permission? To me this would certainly cut down on some of the flash vulnerabilities because now it's accessing other subsystems such as the MS Speech setup.

    --
    Mod me up/Mod me down: I wont frown as I've no crown
  17. Re:All i can say is by Mozk · · Score: 2, Funny

    Attempting to install the newer version of BetterPrivacy, an addon that protects you from certain types of cookies to maintain privacy:

    Downloads need activated script and cookies!

    Umm...

    --
    No existe.
  18. Re:All i can say is by NettiCat · · Score: 4, Informative

    The version on the Firefox addon site is not the latest.

    I wish the AMO folks would update BetterPrivacy to the latest version but I cannot do anything to accelerate that procedure. Thanks for your important note, I found it accidentally while searching for related websites. NettiCat (author of BetterPrivacy, http://netticat.ath.cx/)

  19. Re:Piece of cake... by elashish14 · · Score: 2, Informative

    BAD solution! Some sites will break if you do this and you won't be able to watch videos.

    There are many better solutions. Using an init or crond script is one to remove the directory regularly. Another is to mount ~/.macromedia to /tmp or a ramdisk which is what I do. Those cookies never even get to smell my hard drive and it's not like I'm doing anything better with the RAM.

    --
    I have left slashdot and am now on Soylent News. FUCK YOU DICE.
  20. Re:Adobe needs a new CEO. by muckracer · · Score: 2, Informative

    Actually found one:

    Bleachbit - http://bleachbit-project.appspot.com/

    Open-Source and for Linux and Windows.

    Still would love to find a command-line version of something like it to run on shutdown and/or from cron.
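
A command-line cleanup of the kind the last two comments describe (something to run from cron or at shutdown), as an added example that is not code from the thread, from BleachBit or from Adobe. It assumes the Linux layout `~/.macromedia/Flash_Player` containing the `#SharedObjects` and `macromedia.com` folders named earlier in the thread; the function names and the `--purge` switch are hypothetical.

```shell
#!/bin/sh
# Added example: audit and purge Flash "cookies" (Local Shared Objects, *.sol).
# Assumed Linux layout under ~/.macromedia/Flash_Player (folder names from the thread):
#   #SharedObjects/<random-id>/<site>/.../*.sol                  data stored by sites
#   macromedia.com/support/flashplayer/sys/<site>/settings.sol   per-site records
#   macromedia.com/support/flashplayer/sys/settings.sol          global settings (kept)

FLASH_ROOT="${FLASH_ROOT:-$HOME/.macromedia/Flash_Player}"

# lso_sites [ROOT]: print each site that has stored at least one LSO, one per line.
lso_sites() {
    so="${1:-$FLASH_ROOT}/#SharedObjects"
    [ -d "$so" ] || return 0
    # Relative paths look like ./<random-id>/<site>/file.sol, so the site is field 3.
    ( cd "$so" && find . -type f -name '*.sol' | awk -F/ 'NF >= 4 { print $3 }' | sort -u )
}

# lso_purge [ROOT]: delete site data and per-site records, print how many files went.
lso_purge() {
    root="${1:-$FLASH_ROOT}"
    so="$root/#SharedObjects"
    sys="$root/macromedia.com/support/flashplayer/sys"
    removed=0
    for dir in "$so" "$sys"; do
        # Skip folders that are missing or are symlinks pointing somewhere else.
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        # -mindepth 2 spares files directly in the folder, i.e. sys/settings.sol.
        n=$(find "$dir" -mindepth 2 -type f -name '*.sol' | wc -l)
        find "$dir" -mindepth 2 -type f -name '*.sol' -exec rm -f -- {} +
        # Depth-first, so a per-site directory is already empty when it is tested.
        find "$dir" -mindepth 1 -depth -type d -empty -exec rmdir -- {} \;
        removed=$((removed + n))
    done
    echo "$removed"
}

# Act only when called with --purge (e.g. from cron); sourcing just defines the functions.
if [ "${1:-}" = "--purge" ]; then
    lso_sites      # log which sites had stored data
    lso_purge      # then remove it and print the file count
fi
```

Because the top-level `sys/settings.sol` is left in place, a global storage choice made in the Settings Manager is assumed to survive the purge, while the per-site records that feed the visited-sites list are removed.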