
Adobe Flash Cookies Raising Privacy Questions Again

Posted by kdawson
from the flash-in-the-pan dept.
Nearly a year after we discussed the privacy implications of Flash cookies, they are in the news again as the US government considers revising its cookie policy. Wired covers a study out of UC Berkeley exposing questionable practices used by many of the Internet's most-visited Web sites (abstract). The most questionable activity the report exposes is known as "respawning": after a user has deleted browser tracking cookies, some sites will use information in Flash cookies to recreate them. The report names two companies, Clearspring and QuantCast, whose technologies reinstate cookies for other Web sites. "Federal websites have traditionally been banned from using tracking cookies, despite being common around the web — a situation the Obama administration is proposing to change as part of an attempt to modernize government websites. But the debate shouldn't be about allowing browser cookies or not, according to Ashkan Soltani, a UC Berkeley graduate student who helped lead the study. 'If users don't want to be tracked and there is a problem with tracking, then we should regulate tracking, not regulate cookies,' Soltani said."
  • Piece of cake... (Score:1, Interesting)

    by Anonymous Coward

    ln -s /dev/null ~/.macromedia

    • Re:Piece of cake... (Score:4, Informative)

      by dc29A (636871) * on Tuesday August 11, 2009 @04:31PM (#29029327)

      Or on Windows, go to 'Document and Settings' (Users on Vista/7 if I am not mistaken), 'Application Data\Macromedia\Flash Player'.

      Remove '#SharedObjects' folder, create a file with same name on it. Remove all security rights on it. Do same with 'macromedia.com' folder.

      Problem solved. To test it, go to Youtube, set your volume to a certain level. Close browser, re-open and see if Youtube maintained the volume level. It shouldn't.

      • by jo42 (227475) on Tuesday August 11, 2009 @06:02PM (#29030601) Homepage

        An even better solution is on Adobe's own web site: How to uninstall the Adobe Flash Player plug-in and ActiveX control [adobe.com]

      • Re: (Score:3, Informative)

        by elashish14 (1302231)

        BAD solution! Some sites will break if you do this and you won't be able to watch videos.

        There are many better solutions. Using an init or crond script is one to remove the directory regularly. Another is to mount ~/.macromedia to /tmp or a ramdisk which is what I do. Those cookies never even get to smell my hard drive and it's not like I'm doing anything better with the RAM.

        • by Canazza (1428553)

          I've got a batch script for deleting these as part of my development toolset, it wouldn't take too much to set it as a Startup item.

          Stick the following .bat file in C:\Documents and Settings\*USERNAME*\Application Data\Macromedia\Flash Player\ (Windows XP)

          rd /s /q #SharedObjects

          run it whenever you want to delete shared objects

          • I've posted a script in my Journal to do this automatically and to use your %appdata% folder without having to change the script for each user.
            I've been running this for several years and never had any problems with it breaking any sites.
    • by PReDiToR (687141)
      I think this [mozdev.org] might be a better solution.

      Although I've had trouble getting it to work properly on a couple of machines, it seems to do what it says on the tin most of the time.
    • by kitserve (1607129)

      Unfortunately, linking to /dev/null makes some sites not work, though I forget which, it's been a while since I tried that method. I ended up setting a daily cron job to delete the .adobe and .macromedia directories from users' home directories. It's not ideal, but it does the trick.

    • by hipifreq (1323407)

      "Windows cannot find 'ln'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and the click Search"

      huh... For the MAJORITY of operating systems out there your technique doesn't work

      go figure!

    • Re: (Score:2, Informative)

      by mad_robot (960268)

      Doesn't Adobe's Flash settings widget [macromedia.com] work in Linux? It seems a bit drastic disabling Flash cookies for the whole internet when you can set preferences individually for each website you visit.

      • There is more than one URL: Adobe's Flash settings widget [macromedia.com]. You have settings_manager03.html. Adobe has been recommending settings_manager07.html.

        The Flash updating tool is very buggy. It may update only your installation of Opera, instead of Opera and Firefox. If you have multiple installations of Opera, it will update only one of them.

        In Windows, it is necessary to use the Replace.exe command [microsoft.com] to replace all instances of flashplayer.xpt, NPSWF32.dll, and NPSWF32_FlashUtil.exe. The latest version of th
        • by mad_robot (960268)

          The different URLs (containing the numbers 02, 03, 04, 06 and 07) are just part of the same widget. Click the tabs at the top to access them.

          (Incidentally, there's another one at settings_manager05.html that doesn't appear to be accessible by clicking the tabs.)

  • by fuzzyfuzzyfungus (1223518) on Tuesday August 11, 2009 @04:15PM (#29029035) Journal
    Spread across a reasonable number of annoyed individuals, paying to have a private investigator tail high level officers and major shareholders of advertising corporations that engage in this sort of thing 24/7/365 would be fairly inexpensive and amusing.
    • by johanatan (1159309) on Tuesday August 11, 2009 @04:25PM (#29029225)
      I tend to think that it will come to that. In the near future, I expect everyone to record everything. The only question left for courts to decide will be the legitimacy of the material (i.e., whether it is authentic or counterfeit).
      • Re: (Score:3, Insightful)

        by PetriBORG (518266)
        Yeah but in case you hadn't noticed the courts accept a large amount of digital evidence in courts with less than a stellar backing, or so it seems to me. As a programmer I know *nothing* on a computer is 100% reliable right down to the CPU microcode (blue pill hacks). It really is turtles all the way down.
        • Yea, but that will surely start to change as controversy arises. Let's say that anyone with knowledge of such (or who has friends with knowledge of such) is involved in a case. Then, these more subtle points will come to light. Really, any case of high enough importance/profile (i.e., with parties of sufficient funding and consequences of sufficient severity) should already raise these questions.
    • Why aren't we doing this!
    • Watch the Watchmen, as it were.
  • by girlintraining (1395911) on Tuesday August 11, 2009 @04:19PM (#29029125)

    "If users don't want to be tracked and there is a problem with tracking, then we should regulate tracking, not regulate cookies"

    I'm glad we're agreed then. Cookies are used for tracking, so cookies should be regulated. But we won't treat cookies like they're special -- we'll regulate all other forms of tracking as well. That seems fair. In other, unrelated news -- anonymity doesn't exist. Sherlock Holmes may be a fictional character several hundred years dead now, but what he said back then applies today on the internet (which I paraphrase here) "Every place you go, you leave something behind and you take something with you." Tracking, therefore, is just a matter of following the (ahem) tracks, and it's something anyone with a bit of skill can do.

    The problem is, we're failing society as professionals in the IT field -- part of our work (which most likely isn't earning you money) is teaching our friends, family, and interested parties about these problems and how to protect themselves from it because nobody else can or will. That's what has allowed this kind of crap to permeate into the mainstream... It wouldn't be tolerated if people knew better.

    • Re: (Score:3, Insightful)

      by Darkness404 (1287218)
      We should not regulate tracking cookies for non-government things any more than we are doing now. It's pathetically easy to clear cookies and anyone with a bit of knowledge can even clear these "impossible to remove" Flash cookies. The problem is, if we try to spread this around we end up with these super-paranoid users which honestly are more of a pain to deal with than those who enjoy running IE 6 on an unpatched XP install. Remember when the media did stuff on normal cookies? There were people who thought
    • Cookies are used for tracking, so cookies should be regulated.

      Whatever happened to "if it's not the only thing it's used for, we shouldn't treat it like it is"?

      If "p2p is used for piracy, so p2p should be regulated" were ever uttered around here, someone would get shot. Cookies should not be regulated. Cookies themselves are harmless, just like p2p itself is harmless. It's nefarious uses of either that people have problems with.

    • by Synchis (191050) on Tuesday August 11, 2009 @04:53PM (#29029709) Homepage Journal

      The problem is, we're failing society as professionals in the IT field -- part of our work (which most likely isn't earning you money) is teaching our friends, family, and interested parties about these problems and how to protect themselves from it because nobody else can or will. That's what has allowed this kind of crap to permeate into the mainstream... It wouldn't be tolerated if people knew better.

      I disagree with this. I've spent a long time in the industry, and am pretty much the only "tech enabled" person in amongst many friends and family. Many of them use the computer recreationally, and without a care as to what harms may become of them. To the layman, the computer is just a tool, and to most of them, there is no perceived risk to themselves. Thus, when I try to inform them of the risks they take, or try to teach them safer browsing habits, good housekeeping, etc. It is often met with indifference, and sometimes hostility. People don't like to be told they are wrong, especially when most people use the computer in the way they think is correct, and in most cases, the only way they know how.

      Many people are intimidated by computers, and to have somebody who is deeply involved in computers try to teach them best-practices, is sometimes insulting.

      So yeah, we may feel we have a responsibility to protect those that know less than us, but in reality, instilling that knowledge is not always easy, practical, or even sometimes possible.

      So no, I don't agree, I don't think we've failed. I think we're doing the best job we know how to do, in the face of at times massive and gross ignorance. Resistance does not mean I've given up. But I have learned over time which people are worth taking the time to teach, and which people are not worth the effort.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      What the man means is that you shouldn't regulate the tool but the problem. In other words, if tracking is a problem, make laws/agreements/whatever for those, instead of prohibiting the use of cookies.
      The same analogy applies to p2p, terrorism and what-not.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      People don't know better because they don't give a fuck. Try preaching to a layman about GPG sometime. They don't understand key exchange issues, but they understand the purpose of encryption, and their reply is: "I don't care if they are watching me."

      These are the same people who still vote for Republicrats. You keep hitting them over the head with Clinton, Bush (and maybe some day Obama, though I try not to cynically damn him yet), and they keep voting for more. They're lazier than hippies (who will a

      • Re: (Score:1, Insightful)

        by Anonymous Coward
        Yes. People don't care. That is why software/browsers should be secure and ensure privacy without configuration.
    • Re: (Score:3, Interesting)

      by causality (777677)

      The problem is, we're failing society as professionals in the IT field -- part of our work (which most likely isn't earning you money) is teaching our friends, family, and interested parties about these problems and how to protect themselves from it because nobody else can or will. That's what has allowed this kind of crap to permeate into the mainstream... It wouldn't be tolerated if people knew better.

      I am all for spreading the word and teaching anyone who is willing to learn about these things. It's an

    • Cookies are used for tracking, so cookies should be regulated. But we won't treat cookies like they're special -- we'll regulate all other forms of tracking as well.

      No -- just regulate tracking. If you regulate the method, then when a new method comes it's legal. If you just regulate tracking, then you get the same results for all forms.

    • We are supposed to be a representative Constitutional Republic which means that we can dictate what the government can and can't do to us. Just because what we do can be easily tracked and traced whether on the Internet or not doesn't mean we should lay back and let them do it. We have the right to tell them to screw themselves.

      If we don't want a corporation to do something we have the power to tell them no by the power of the purse (i.e. don't give them your money) and the power to create voluntary assoc

    • The problem is, we're failing society as professionals in the IT field -- part of our work (which most likely isn't earning you money) is teaching our friends, family, and interested parties about these problems and how to protect themselves from it because nobody else can or will.

      Are you blaming Us or them?

      Because it's not that I don't want to teach them. I mean, I'm no different from the next guy, I hate explaining to my mother that what she has is MALWARE and NOT a real antivirus.

      But it's because they don't want to have to worry about it. Most people either want:
      A) An automated Security system set up by a professional which requires the least amount of user interaction possible
      or B) Nothing of the sort to slow down their computer.

      If someone ASKED (and they do on the rare occasion)

  • 'If users don't want to be tracked and there is a problem with tracking, then we should regulate tracking, not regulate cookies,' Soltani said."

    Really, I can't think of a single good reason for the government to use tracking cookies. There are a few semi-legitimate reasons for third-parties to use tracking cookies, but they should not be regulated. If you don't want cookies either

    A) Configure your browser to reject certain cookies
    B) Clear cookies
    C) Clear your Flash cookies
    D) Write to a few OSS developers and tell them if you want a privacy program, or add on

    Seriously, if people are -that- paranoid they should do the research to figu

  • Firstly what business have Clearspring and QuantCast doing anything on your machine? Block them in your hosts file.

    Then block Flash for hosts you haven't explicitly allowed.

    Optional third step: Block javascript for hosts you haven't explicitly allowed.

    Finally, not many people know about this, there's a Firefox extension (mentioned in a post above) for deleting Flash cookies every time you close the browser. This should be a standard feature.

    • by Zerth (26112)

      VirtualBox/vmware + Seamless mode + Revert State on Exit. Take a snapshot just after opening a browser, treat it like the browser alone.

      Every time you close/restart your "browser", you get the ultimate reset button.

  • There are some Firefox add-ons that supposedly delete these "super" cookies. Here [mozilla.org] is one example.

    I have no idea how well they actually work.
    • by jginspace (678908)
      For Flashblock to run you've got to have javascript enabled. Flashblock is of limited use, particularly with the nasty domains mentioned in the summary. Best to not run anything from those domains.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        Use Flashblock and NoScript. When you allow scripts on the page, then Flashblock fires up and puts in the place holders.

  • by wile_e8 (958263) on Tuesday August 11, 2009 @04:39PM (#29029471)
    Go here [macromedia.com] to see all the flash cookies and delete any and all you don't want. Might not be as easy as deleting a directory, but I don't necessarily want to delete them all.
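
The selective cleanup discussed in this thread (a cron-style delete that keeps the sites you choose), as an added example that is not code from any poster. It assumes the Linux layout `ROOT/#SharedObjects/<random-id>/<domain>/...*.sol`; the function name `prune_lsos`, the `--run` switch and the `LSO_KEEP` variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed on-disk layout:
#   ROOT/#SharedObjects/<random-id>/<domain>/.../*.sol
# where ROOT is e.g. ~/.macromedia/Flash_Player on Linux.

# prune_lsos ROOT "KEEP_DOMAINS" [dry]
#   Removes .sol files (Flash LSOs) for every domain that is not in the
#   space-separated keep list. With a third argument of "dry" it only counts.
#   Prints the number of files removed (or that would be removed).
prune_lsos() {
    root=$1
    keep=$2
    mode=${3:-delete}
    base="$root/#SharedObjects"
    count=0

    # Nothing to do if the store is missing or has been replaced by a
    # symlink (for instance the "ln -s /dev/null ~/.macromedia" approach).
    if [ -L "$root" ] || [ -L "$base" ] || [ ! -d "$base" ]; then
        echo 0
        return 0
    fi

    for dir in "$base"/*/*/; do
        dir=${dir%/}
        # Skip unmatched globs and anything reached through a symlink, so a
        # scheduled run never follows a link out of the LSO store.
        [ -d "$dir" ] && [ ! -L "$dir" ] && [ ! -L "${dir%/*}" ] || continue
        domain=${dir##*/}
        case " $keep " in
            *" $domain "*) continue ;;   # allowlisted: leave its LSOs alone
        esac
        n=$(find "$dir" -type f -name '*.sol' | wc -l)
        count=$((count + n))
        if [ "$mode" != dry ]; then
            find "$dir" -type f -name '*.sol' -exec rm -f {} +
        fi
    done
    echo "$count"
}

# Run only when asked, e.g. from a cron entry:
#   LSO_KEEP="www.youtube.com" sh prune_lsos.sh --run
if [ "${1:-}" = "--run" ]; then
    prune_lsos "$HOME/.macromedia/Flash_Player" "${LSO_KEEP:-}"
fi
```

Running it with `dry` first shows how many objects a given keep list would remove before anything is deleted.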
    • Re: (Score:1, Informative)

      by Anonymous Coward

      This content requires Flash

      Download the free Flash Player now!

    • > Go here [macromedia.com] to see all the flash cookies...

      ...that Adobe wants you to see (and that their buggy software can detect).

  • by gurps_npc (621217) on Tuesday August 11, 2009 @04:47PM (#29029633) Homepage
    In Firefox, the "Better Privacy" addon deletes flash cookies. Any browser that doesn't offer that kind of control is not worth getting. In my opinion, Firefox without "TACO" (auto creates a bunch of "opt out" cookies without any identifying details), "Better Privacy" (removes flash cookies) and "NoScript" (prevents unwanted scripts - including site-jacking stuff), is not fully installed.
    • by gad_zuki! (70830)

      >Any browser that doesn't offer that kind of control is not worth getting.

      Well, without that add-on Firefox doesn't either. The question here is why doesn't Firefox do this natively?

      • by BenoitRen (998927)

        Firefox doesn't do it natively because Flash is a plug-in that has full control. There is no way to stop the placement of Flash cookies. BetterPrivacy is a specific band-aid.

        • by gad_zuki! (70830)

          That makes no sense to me. Whatever code that add-on can run, Firefox can run. The firefox maintainers just don't want it.

          • by BenoitRen (998927)

            Once you add code for a specific plug-in to clean up its mess, the foot is in the door, and then you'd have to do it for others too (eg Silverlight).

      • Re: (Score:3, Insightful)

        by TopSpin (753) *

        The question here is why doesn't Firefox do this natively?

        The answer is that the browser is ignorant of what Flash is doing with the hard drive. HTML cookies and Flash cookies (LSOs) are not related. Firefox is not aware of and has no mechanism to control what Flash does with your disk.

        Flash Player (for Mozilla/Firefox) is based on the ancient and crufty NPAPI. This interface provides no generic "clear your temporary crap" hook for the host (browser.) It should; it's 2009 and this browser thing has been going on for 15 years now...

        IE 7 has a feature in "Delete

  • You can view/delete your flash cookies here: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html [macromedia.com]

    There's also a firefox plug-in: http://objection.mozdev.org/ [mozdev.org]

    I agree, regular tracking regardless of the technology used.

    • by j-stroy (640921)
      MOD PARENT UP. THANK YOU SO MUCH!!! There are several tabs which have essential settings.
  • Why can't the cookie blocker and/or cookie cleaner take these out as well? This is presented that only some arcane going to the Adobe website can deal with them. Why are they so hard to kill otherwise?
    • Because Flash is a giant security hole that does an end run around the browser and stores its own cookies completely separately. Your browser has no better idea of what flash cookies you are storing than it does what word processor documents you saved last week.

      The security settings on Flash are simply obnoxious - changing them in any permanent manner is tedious, fragile and difficult. It's the main reason I have no flash plugin in my default browser (if I want to use flash I open the page in a different

      • by Kalriath (849904) *

        Personally, I use 64 bit IE. Not only do I not have Flash installed in the browser, the browser isn't capable of running 99% of malware (because who compiles their "toolbars" in 64 bit?)

  • /dev/null (Score:3, Informative)

    by dtschmitz (1601217) on Tuesday August 11, 2009 @05:45PM (#29030385)
    What I do:
    # remove the existing macromedia directory and set a link to /dev/null
    $ cd && rm -rf .macromedia && ln -s /dev/null .macromedia
    Be Safe!

    Dietrich T. Schmitz & Associates [dtschmitz.com]
    Cloud Computing Services
  • by fast turtle (1118037) on Tuesday August 11, 2009 @08:40PM (#29032287) Journal

    flash wants to grant access to my mic and camera to every damn website in the fucking world? Shouldn't it be denied by default and ask the user before granting that permission? To me this would certainly cut down on some of the flash vulnerabilities because now it's accessing other subsystems such as the MS Speech setup.

  • i would like to remind that ANY kind of law is a regulation. including the laws that ban and punish murder, including the laws that prevents people from funding private armies, or cutting other people's heads.

    if you don't oppose such laws, you shouldn't oppose proper regulations.

    and no. there are no differences in between 'regulation' and 'laws'. that's some delusion that hordes of republicans have created in america through endless yelping.

  • Read the article and all the comments, installed BetterPrivacy and it works great. Using the default configuration, it deleted 140 Flash Cookies/LSOs. No problems with any of the sites I normally use. I also use Flashblock, Ghostery, and NoScript.
