Adobe Flash Cookies Raising Privacy Questions Again
Nearly a year after we discussed the privacy implications of Flash cookies, they are in the news again as the US government considers revising its cookie policy. Wired covers a study out of UC Berkeley exposing questionable practices used by many of the Internet's most-visited Web sites (abstract). The most questionable activity the report exposes is known as "respawning": after a user has deleted browser tracking cookies, some sites will use information in Flash cookies to recreate them. The report names two companies, Clearspring and QuantCast, whose technologies reinstate cookies for other Web sites. "Federal websites have traditionally been banned from using tracking cookies, despite being common around the web — a situation the Obama administration is proposing to change as part of an attempt to modernize government websites. But the debate shouldn't be about allowing browser cookies or not, according to Ashkan Soltani, a UC Berkeley graduate student who helped lead the study. 'If users don't want to be tracked and there is a problem with tracking, then we should regulate tracking, not regulate cookies,' Soltani said."
Re:All i can say is (Score:5, Informative)
MOD +5 this (Score:2)
Re:All i can say is (Score:5, Informative)
And a way to view what you currently have..
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html [macromedia.com]
Adobe needs a new CEO. (Score:1, Interesting)
Adobe has become an evil, badly managed company, in my opinion. Buy Creative Suite, and the new DVD requires a download of more than 300 Megabytes to bring it up to date.
Re: (Score:2)
> Thanks for the link! Note: That does not clean multiple installations of Opera, or clean other browsers.
Agreed...great extension but limited. What we need is something like CCleaner for Linux. Anything out there like that?
Re: (Score:3, Informative)
Actually found one:
Bleachbit - http://bleachbit-project.appspot.com/ [appspot.com]
Open-Source and for Linux and Windows.
Still would love to find a command-line version of something like it to run on shutdown and/or from cron.
Re: (Score:1)
Oh, sure, another website that requires Flash to function! I shouldn't need Flash just to delete my Flash cookies!</sarcasm>
Re: (Score:2, Redundant)
BETTER PRIVACY PLUGIN.
https://addons.mozilla.org/en-US/firefox/addon/6623 [mozilla.org]
100% compatible with Firefox 3.5*
Please do not ask me about missing updates here, read FAQ at the bottom of this page.
Better Privacy serves to protect against not deletable longterm cookies, a new generation of 'Super-Cookie', which silently conquered the internet. This new cookie generation offers unlimited user tracking to industry and market research. Concerning privacy Flash- and DOM Storage objects are most critical.
This addon was
Re: (Score:3, Informative)
Isn't this a way to permanently disable Flash cookies?
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html [macromedia.com]
Note that this isn't just documentation. If you have Flash installed, the first thing that looks like a screenshot is actually the Flash config panel.
Adobe could improve it by adding "Clear all cookies on exit".
Re: (Score:2)
For that user using that profile for that browser. Now consider a typical home computer with 2 or three users each with Firefox and IE or Firefox and Safari. Oh and guess where it stores that you do not wish to accept flash cookies?
Gnash is the solution, just rm -rf the correct dir when you are finished.
Re:All i can say is (Score:4, Informative)
I just started using bp last week and here is something important. The version on the Firefox addon site is not the latest. I got 1.41 at
http://netticat.ath.cx/BetterPrivacy/BetterPrivacy.htm [netticat.ath.cx]
because it added a bit of functionality. Specifically in the way it treats DOM storage.
DOM storage is not flash cookies (LSOs), it is a separate way sites can store data on your computer I had not heard about. The old version could only disable DS, but now BP can treat DS like LSOs so it stays on but the data gets deleted on FF shutdown. Some sites like cnn video need DS turned on.
Also I set it to delete the default LSO. That one stores a list of every flash site you visit. Even if you turn Flash local storage completely off using:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html [macromedia.com]
you will see a list of visited sites on the last tab on that control. Deleting the default cookie gets rid of that list.
Re:All i can say is (Score:4, Informative)
> The version on the Firefox addon site is not the latest.
I wish the AMO folks would update BetterPrivacy to the latest version but I cannot do anything to accelerate that procedure. Thanks for your important note, I found it accidentally while searching for related websites. NettiCat (author of BetterPrivacy, http://netticat.ath.cx/ [netticat.ath.cx])
Re: (Score:2)
Re: (Score:2)
Yeah, thanks NettiCat. I also like and use your BabelFish addon.
Re: (Score:2)
> The version on the Firefox addon site is not the latest. I got 1.41 at [...]
The for me most important feature of the new version is the integration of LSO removal in the regular "Clear History when Firefox closes" config options. Simply check it there and LSO's get deleted on browser exit like it should be.
Speaking of which: FF 3.5+ got rid of the option to show the Clear History window on exit. I liked having it there simply to see it in action and also to override certain defaults when desired. Is th
Re: (Score:2, Funny)
Attempting to install the newer version of BetterPrivacy [netticat.ath.cx], an addon that protects you from certain types of cookies to maintain privacy:
Umm...
Re: (Score:2)
I've used BetterPrivacy for a little while. I'm using the options below, and I've never had a problem with any websites that I could trace to it:
- Delete Flash cookies on Firefox exit
- Also delete settings.sol
- Also delete empty cookie folders
- Disable DOMStorage
- Disable Ping Tracking
When I first ran it, I was surprised to discover Flash cookies from websites I hadn't visited in years. Thanks Netticat!
Re: (Score:2)
All I can say is I hate Flash anyway. But it's just something I have to put up with if I want to see video. I wish a software company could get big without being evil; disallowing one to get rid of cookies is just pathetically evil.
Perhaps someone in a country with real privacy laws (not mine unfortunately) could file suit against adobe?
Piece of cake... (Score:1, Interesting)
ln -s /dev/null ~/.macromedia
Re:Piece of cake... (Score:4, Informative)
Or on Windows, go to 'Documents and Settings' (Users on Vista/7 if I am not mistaken), 'Application Data\Macromedia\Flash Player'.
Remove '#SharedObjects' folder, create a file with same name on it. Remove all security rights on it. Do same with 'macromedia.com' folder.
Problem solved. To test it, go to Youtube, set your volume to a certain level. Close browser, re-open and see if Youtube maintained the volume level. It shouldn't.
Re:Piece of cake... (Score:5, Insightful)
An even better solution is on Adobe's own web site: How to uninstall the Adobe Flash Player plug-in and ActiveX control [adobe.com]
Re: (Score:3, Informative)
BAD solution! Some sites will break if you do this and you won't be able to watch videos.
There are many better solutions. Using an init or crond script is one to remove the directory regularly. Another is to mount ~/.macromedia to /tmp or a ramdisk which is what I do. Those cookies never even get to smell my hard drive and it's not like I'm doing anything better with the RAM.
Re: (Score:2)
I've got a batch script for deleting these as part of my development toolset, it wouldn't take too much to set it as a Startup item.
Stick the following .bat file in C:\Documents and Settings\*USERNAME*\Application Data\Macromedia\Flash Player\ (Windows XP)
run it whenever you want to delete shared objects
Re: (Score:2)
I've been running this for several years and never had any problems with it breaking any sites.
Re: (Score:1)
It should work in any shell where ln is installed... n00b
Re: (Score:2)
Although I've had trouble getting it to work properly on a couple of machines, it seems to do what it says on the tin most of the time.
Re: (Score:1)
Unfortunately, linking to /dev/null makes some sites not work, though I forget which, it's been a while since I tried that method. I ended up setting a daily cron job to delete the .adobe and .macromedia directories from users' home directories. It's not ideal, but it does the trick.
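A script of the kind the cron-based comments in this thread describe, as an added example that is not part of any post: it lists which sites have stored LSOs, then deletes the `.sol` files and the empty folders left behind. The `#SharedObjects/<id>/<domain>/` layout, the function names and the sample tree are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit and purge Flash LSOs for one home directory.
# Assumed layout: <home>/.macromedia/Flash_Player/#SharedObjects/<id>/<domain>/.../*.sol

# lso_roots HOME: print the storage roots that exist as real directories.
lso_roots() {
    for root in .macromedia .adobe; do
        # A root replaced by a symlink (the ln -s approach above) is never followed.
        if [ -L "$1/$root" ]; then continue; fi
        if [ -d "$1/$root" ]; then printf '%s\n' "$1/$root"; fi
    done
}

# list_lsos HOME: print every *.sol file under those roots.
list_lsos() {
    lso_roots "$1" | while IFS= read -r dir; do
        find "$dir" -type f -name '*.sol' -print
    done
}

count_lsos() { list_lsos "$1" | wc -l | tr -d ' '; }

# lso_domains HOME: unique site names that have stored an LSO.
lso_domains() {
    list_lsos "$1" | sed -n 's|.*/#SharedObjects/[^/]*/\([^/]*\)/.*|\1|p' | sort -u
}

# purge_lsos HOME [--dry-run]: delete the LSOs, then empty folders; print the count.
# settings.sol is included, so per-site Flash storage preferences are reset too.
purge_lsos() {
    n=$(count_lsos "$1")
    if [ "${2:-}" != "--dry-run" ]; then
        lso_roots "$1" | while IFS= read -r dir; do
            find "$dir" -type f -name '*.sol' -exec rm -f -- {} +
            find "$dir" -mindepth 1 -depth -type d -empty -exec rmdir -- {} \;
        done
    fi
    printf '%s\n' "$n"
}

# make_sample_home: build a constructed home directory (all names are made up).
make_sample_home() {
    h=$(mktemp -d)
    so="$h/.macromedia/Flash_Player/#SharedObjects/AB12CD34"
    sys="$h/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys"
    mkdir -p "$so/tracker.example" "$so/video.example/player" "$sys" "$h/elsewhere"
    : > "$so/tracker.example/id.sol"
    : > "$so/video.example/player/volume.sol"
    : > "$sys/settings.sol"
    : > "$h/elsewhere/keep.sol"
    ln -s "$h/elsewhere" "$h/.adobe"   # symlinked root: must be left alone
    printf '%s\n' "$h"
}

# Demo on the constructed tree only; pass a real home directory to use the functions.
demo=$(make_sample_home)
echo "sites with LSOs: $(lso_domains "$demo" | tr '\n' ' ')"
echo "dry run would remove $(purge_lsos "$demo" --dry-run) files"
rm -rf -- "$demo"
```

Run from cron as the owning user, a call such as `purge_lsos "$HOME"` covers that user only; a multi-user machine needs one run per home directory.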
Re: (Score:1)
"Windows cannot find 'ln'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and the click Search"
huh... For the MAJORITY of operating systems out there your technique doesn't work
go figure!
Re: (Score:2, Informative)
Doesn't Adobe's Flash settings widget [macromedia.com] work in Linux? It seems a bit drastic disabling Flash cookies for the whole internet when you can set preferences individually for each website you visit.
Confusion at Adobe? Bad management? (Score:2)
The Flash updating tool is very buggy. It may update only your installation of Opera, instead of Opera and Firefox. If you have multiple installations of Opera, it will update only one of them.
In Windows, it is necessary to use the Replace.exe command [microsoft.com] to replace all instances of flashplayer.xpt, NPSWF32.dll, and NPSWF32_FlashUtil.exe. The latest version of th
Re: (Score:1)
The different URLs (containing the numbers 02, 03, 04, 06 and 07) are just part of the same widget. Click the tabs at the top to access them.
(Incidentally, there's another one at settings_manager05.html that doesn't appear to be accessible by clicking the tabs.)
Bad management policy (Score:2)
Re: (Score:2, Insightful)
Perhaps we should surveil the surveyors... (Score:5, Interesting)
Re:Perhaps we should surveil the surveyors... (Score:4, Insightful)
Re: (Score:3, Insightful)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
And who would survey the surveyor's surveyor?
Re: (Score:2)
Unintended reinterpretation. (Score:4, Insightful)
"If users don't want to be tracked and there is a problem with tracking, then we should regulate tracking, not regulate cookies"
I'm glad we're agreed then. Cookies are used for tracking, so cookies should be regulated. But we won't treat cookies like they're special -- we'll regulate all other forms of tracking as well. That seems fair. In other, unrelated news -- anonymity doesn't exist. Sherlock Holmes may be a fictional character several hundred years dead now, but what he said back then applies today on the internet (which I paraphrase here) "Every place you go, you leave something behind and you take something with you." Tracking, therefore, is just a matter of following the (ahem) tracks, and it's something anyone with a bit of skill can do.
The problem is, we're failing society as professionals in the IT field -- part of our work (which most likely isn't earning you money) is teaching our friends, family, and interested parties about these problems and how to protect themselves from it because nobody else can or will. That's what has allowed this kind of crap to permeate into the mainstream... It wouldn't be tolerated if people knew better.
Re: (Score:3, Insightful)
Re: (Score:2)
Re:Unintended reinterpretation. (Score:4, Insightful)
> The problem is, we're failing society as professionals in the IT field -- part of our work (which most likely isn't earning you money) is teaching our friends, family, and interested parties about these problems and how to protect themselves from it because nobody else can or will. That's what has allowed this kind of crap to permeate into the mainstream... It wouldn't be tolerated if people knew better.
I disagree with this. I've spent a long time in the industry, and am pretty much the only "tech enabled" person in amongst many friends and family. Many of them use the computer recreationally, and without a care as to what harms may become of them. To the layman, the computer is just a tool, and to most of them, there is no perceived risk to themselves. Thus, when I try to inform them of the risks they take, or try to teach them safer browsing habits, good housekeeping, etc. It is often met with indifference, and sometimes hostility. People don't like to be told they are wrong, especially when most people use the computer in the way they think is correct, and in most cases, the only way they know how.
Many people are intimidated by computers, and to have somebody who is deeply involved in computers try to teach them best-practices, is sometimes insulting.
So yeah, we may feel we have a responsibility to protect those that know less than us, but in reality, instilling that knowledge is not always easy, practical, or even sometimes possible.
So no, I don't agree, I don't think we've failed. I think we're doing the best job we know how to do, in the face of at times massive and gross ignorance. Resistance does not mean I've given up. But I have learned over time which people are worth taking the time to teach, and which people are not worth the effort.
Re: (Score:1, Insightful)
What the man means is that you shouldn't regulate the tool but the problem. In other words, if tracking is a problem, make laws/agreements/whatever for those, instead of prohibiting the use of cookies.
The same analogy applies to p2p, terrorism and what-not.
Re: (Score:1, Insightful)
People don't know better because they don't give a fuck. Try preaching to a layman about GPG sometime. They don't understand key exchange issues, but they understand the purpose of encryption, and their reply is: "I don't care if they are watching me."
These are the same people who still vote for Republicrats. You keep hitting them over the head with Clinton, Bush (and maybe some day Obama, though I try not to cynically damn him yet), and they keep voting for more. They're lazier than hippies (who will a
Re: (Score:1, Insightful)
Re: (Score:3, Interesting)
I am all for spreading the word and teaching anyone who is willing to learn about these things. It's an
Re: (Score:2)
> Cookies are used for tracking, so cookies should be regulated. But we won't treat cookies like they're special -- we'll regulate all other forms of tracking as well.
No -- just regulate tracking. If you regulate the method, then when a new method comes it's legal. If you just regulate tracking, then you get the same results for all forms.
Re: (Score:2)
If we don't want a corporation to do something we have the power to tell them no by the power of the purse (i.e. don't give them your money) and the power to create voluntary assoc
Re: (Score:1)
> The problem is, we're failing society as professionals in the IT field -- part of our work (which most likely isn't earning you money) is teaching our friends, family, and interested parties about these problems and how to protect themselves from it because nobody else can or will.
Are you blaming Us or them?
Because it's not that I don't want to teach them. I mean, I'm no different from the next guy, I hate explaining to my mother that what she has is MALWARE and NOT a real antivirus.
But it's because they don't want to have to worry about it. Most people either want:
A) An automated Security system set up by a professional which requires the least amount of user interaction possible
or B) Nothing of the sort to slow down their computer.
If someone ASKED (and they do on the rare occasion)
No.... (Score:2)
> 'If users don't want to be tracked and there is a problem with tracking, then we should regulate tracking, not regulate cookies,' Soltani said."
Really, I can't think of a single good reason for the government to use tracking cookies. There are a few semi-legitimate reasons for third-parties to use tracking cookies, but they should not be regulated. If you don't want cookies either
A) Configure your browser to reject certain cookies
B) Clear cookies
C) Clear your Flash cookies
D) Write to a few OSS developers and tell them if you want a privacy program, or add on
Seriously, if people are -that- paranoid they should do the research to figu
Re: (Score:3, Insightful)
Really, not one good reason? Like the ability to create login sessions that allow both a logout function and the use of the back button? Or login sessions that do not re-submit your password with each new request? Or the ability to remember your search terms if you browse away from the search engine and then back?
Certainly there's the potential for more nefarious use, and it's worthwhile to offer protections against that, but there are 1001 legitimate uses for sessions tracking, most of which are widely in use on almost every non-government website in the world; the no cookies rule is a result of the original cookies scare from 15 years ago, when you could create global cookies to track every website a user visited, and the rule is just as outdated as the scare.
True but session cookies can arrange all of that. The case for persistent/permanently stored cookies is much harder to make.
Flash, hosts, javascript, (Score:2)
Firstly what business have Clearspring and QuantCast doing anything on your machine? Block them in your hosts file.
Then block Flash for hosts you haven't explicitly allowed.
Optional third step: Block javascript for hosts you haven't explicitly allowed.
Finally, not many people know about this, there's a Firefox extension (mentioned in a post above) for deleting Flash cookies every time you close the browser. This should be a standard feature.
Re: (Score:2)
VirtualBox/vmware + Seamless mode + Revert State on Exit. Take a snapshot just after opening a browser, treat it like the browser alone.
Every time you close/restart your "browser", you get the ultimate reset button.
Better cookie deleters (Score:1)
I have no idea how well they actually work.
Yet another reason for flashblock (Score:2)
Re: (Score:2)
Re: (Score:2, Informative)
Use Flashblock and NoScript. When you allow scripts on the page, then Flashblock fires up and puts in the place holders.
Flash Website Storage Settings (Score:5, Informative)
Re: (Score:1, Informative)
This content requires Flash
Download the free Flash Player now!
Re: (Score:2)
> Go here [macromedia.com] to see all the flash cookies...
...that Adobe wants you to see (and that their buggy software can detect).
Good browsers let the user choose (Score:4, Informative)
Re: (Score:2)
>Any browser that doesn't offer that kind of control is not worth getting.
Well, without that add-on Firefox doesn't either. The question here is why doesn't Firefox do this natively?
Re: (Score:1)
Firefox doesn't do it natively because Flash is a plug-in that has full control. There is no way to stop the placement of Flash cookies. BetterPrivacy is a specific band-aid.
Re: (Score:2)
That makes no sense to me. Whatever code that add-on can run, Firefox can run. The firefox maintainers just don't want it.
Re: (Score:1)
Once you add code for a specific plug-in to clean up its mess, the foot is in the door, and then you'd have to do it for others too (eg Silverlight).
Re: (Score:3, Insightful)
> The question here is why doesnt Firefox do this natively?
The answer is that the browser is ignorant of what Flash is doing with the hard drive. HTML cookies and Flash cookies (LSOs) are not related. Firefox is not aware of and has no mechanism to control what Flash does with your disk.
Flash Player (for Mozilla/Firefox) is based on the ancient and crufty NPAPI. This interface provides no generic "clear your temporary crap" hook for the host (browser.) It should; it's 2009 and this browser thing has been going on for 15 years now...
IE 7 has a feature in "Delete
View/delete your flash cookies (Score:1)
You can view/delete your flash cookies here: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html [macromedia.com]
There's also a firefox plug-in: http://objection.mozdev.org/ [mozdev.org]
I agree, regular tracking regardless of the technology used.
Re: (Score:2)
Why can't they be blocked easily? (Score:2)
Re: (Score:2)
Because Flash is a giant security hole that does an end run around the browser and stores its own cookies completely separately. Your browser has no better idea of what flash cookies you are storing than it does what word processor documents you saved last week.
The security settings on Flash are simply obnoxious - changing them in any permanent manner is tedious, fragile and difficult. It's the main reason I have no flash plugin in my default browser (if I want to use flash I open the page in a different
Re: (Score:2)
Personally, I use 64 bit IE. Not only do I not have Flash installed in the browser, the browser isn't capable of running 99% of malware (because who compiles their "toolbars" in 64 bit?)
/dev/null (Score:3, Informative)
$cd && rm -rf
Be Safe!
Dietrich T. Schmitz & Associates [dtschmitz.com]
Cloud Computing Services
forget the cookies, what I want to know is why (Score:3, Insightful)
flash wants to grant access to my mic and camera to every damn website in the fucking world? Shouldn't it be denied by default and ask the user before granting that permission? To me this would certainly cut down on some of the flash vulnerabilities because now it's accessing other subsystems such as the MS Speech setup.
To any moron who would say 'regulation is bad' (Score:2)
i would like to remind that ANY kind of law is a regulation. including the laws that ban and punish murder, including the laws that prevents people from funding private armies, or cutting other people's heads.
if you don't oppose such laws, you shouldn't oppose proper regulations.
and no. there are no differences in between 'regulation' and 'laws'. that's some delusion that hordes of republicans have created in america through endless yelping.
Good article, thanks! (Score:1)