Adobe Flash Cookies Raising Privacy Questions Again

Nearly a year after we discussed the privacy implications of Flash cookies, they are in the news again as the US government considers revising its cookie policy. Wired covers a study out of UC Berkeley exposing questionable practices used by many of the Internet's most-visited Web sites (abstract). The most questionable activity the report exposes is known as "respawning": after a user has deleted browser tracking cookies, some sites will use information in Flash cookies to recreate them. The report names two companies, Clearspring and QuantCast, whose technologies reinstate cookies for other Web sites. "Federal websites have traditionally been banned from using tracking cookies, despite being common around the web — a situation the Obama administration is proposing to change as part of an attempt to modernize government websites. But the debate shouldn't be about allowing browser cookies or not, according Ashkan Soltani, a UC Berkeley graduate student who helped lead the study. 'If users don't want to be tracked and there is a problem with tracking, then we should regulate tracking, not regulate cookies,' Soltani said."

Unintended reinterpretation.

[girlintraining]

"If users don't want to be tracked and there is a problem with tracking, then we should regulate tracking, not regulate cookies"

I'm glad we're agreed then. Cookies are used for tracking, so cookies should be regulated. But we won't treat cookies like they're special -- we'll regulate all other forms of tracking as well. That seems fair. In other, unrelated news -- anonymity doesn't exist. Sherlock Holmes may be a fictional character several hundred years dead now, but what he said back then applies today on the internet (which I paraphrase here) "Every place you go, you leave something behind and you take something with you." Tracking, therefore, is just a matter of following the (achem) tracks, and it's something anyone with a bit of skill can do.

The problem is, we're failing society as professionals in the IT field -- part of our work (which most likely isn't earning you money) is teaching our friends, family, and interested parties about these problems and how to protect themselves from it because nobody else can or will. That's what has allowed this kind of crap to permeate into the mainstream... It wouldn't be tolerated if people knew better.

Re:Perhaps we should surveil the surveyors...

[johanatan]

I tend to think that it will come to that. In the near future, I expect everyone to record everything. The only question left for courts to decide will be the legitimacy of the material (i.e., whether it is authentic or counterfeit).

Re:Perhaps we should surveil the surveyors...

[PetriBORG]

Yeah but in case you hadn't noticed the courts accept a large amount of digital evidence in courts with less then a steller backing, or so it seems to me. As a programmer I know *nothing* on a computer is 100% reliable right down to the CPU microcode (blue pill hacks). It really is turtles all the way down.

Re:Unintended reinterpretation.

[Darkness404]

We should not regulate tracking cookies for non-government things any more than we are doing now. Its pathetically easy to clear cookies and anyone with a bit of knowledge can even clear these "impossible to remove" Flash cookies. The problem is, if we try to spread this around we end up with these super-paranoid users which honestly are more of a pain to deal with than those who enjoy running IE 6 on an unpatched XP install. Remember when the media did stuff on normal cookies? There were people who thought a cookie, a plain text file contained viruses! All this media paranoia has given rise to people who think that -anything- has viruses, that the .pdf on a trusted site -MUST- have a virus, that Firefox -MUST- be a virus, that anything -MUST- be a virus, and that even though they admit you know more about computers than them, you -MUST- be breaking their computers whenever you navigate to a site other than Google and a handful of others.

Re:Unintended reinterpretation.

[Synchis]

The problem is, we're failing society as professionals in the IT field -- part of our work (which most likely isn't earning you money) is teaching our friends, family, and interested parties about these problems and how to protect themselves from it because nobody else can or will. That's what has allowed this kind of crap to permeate into the mainstream... It wouldn't be tolerated if people knew better.

I disagree with this. I've spent a long time in the industry, and am pretty much the only "tech enabled" person in amongst many friends and family. Many of them use the computer recreationally, and without a care as to what harms may become of them. To the layman, the computer is just a tool, and to most of them, there is no perceived risk to themselves. Thus, when I try to inform them of the risks they take, or try to teach them safer browsing habits, good housekeeping, etc. It is often met with indifference, and sometimes hostility. People don't like to be told they are wrong, especially when most people use the computer in the way they think is correct, and in most cases, the only way they know how.

Many people are intimidated by computers, and to have somebody who is deeply involved in computers try to teach them best-practices, is sometimes insulting.

So yeah, we may feel we have a responsibility to protect those that know less than us, but in reality, instilling that knowledge is not always easy, practical, or even sometimes possible.

So no, I don't agree, I don't think we've failed. I think we're doing the best job we know how to do, in the face of at times massive and gross ignorance. Resistance does not mean I've given up. But I have learned over time which people are worth taking the time to teach, and which people are not worth the effort.

Re:Unintended reinterpretation.

[Anonymous Coward]

What the man means is that you shouldn't regulate the tool but the problem. In other words, if tracking is a problem, make laws/agreements/whatever for those, instead of prohibiting the use of cookies.
The same anology applies to p2p, terrorism and what-not.

Re:Piece of cake...

[Anonymous Coward]

See, this is just a downright lie. Making a mediocre cake might be easy, but to make a superb cake requires refined knowledge of baking chemistry and experience. You can't just follow most recipes because they make all measurements by volume when you really should be making them by weight.

Re:Unintended reinterpretation.

[Anonymous Coward]

People don't know better because they don't give a fuck. Try preaching to a layman about GPG sometime. They don't understand key exchange issues, but they understand the purpose of encryption, and their reply is: "I don't care if they are watching me."

These are the same people who still vote for Republicrats. You keep hitting them over the head with Clinton, Bush (and maybe some day Obama, though I try not to cynically damn him yet), and they keep voting for more. They're lazier than hippies (who will at least protest The Man).

Lazier than hippies! (Think about that.)

They can't be saved. They don't want it. They don't care. When people don't care what happens to them, then there isn't really a line between being led to the slaughter, and active suicide. It takes some will to live. Make them fucking show they've got it before you cry over the poor bastards. Because face it: they really are bastards, and they sure wouldn't lift a finger to help you.

Re:No....

[causality]

Really, not one good reason? Like the ability to create login sessions that allow both a logout function and the use of the back button? Or login sessions that do not re-submit your password with each new request? Or the ability to remember you search terms if you browse away from the search engine and then back?

Certainly there's the potential for more nefarious use, and it's worthwhile to offer protections against that, but there are 1001 legitimate uses for sessions tracking, most of which are widely in use on almost every non-government website in the world; the no cookies rule is a result of the original cookies scare from 15 years ago, when you could create global cookies to track every website a user visited, and the rule is just as outdated as the scare.

True but session cookies can arrange all of that. The case for persistent/permanently stored cookies is much harder to make.

Re:Piece of cake...

[jo42]

An even better solution is on Adobe's own web site: How to uninstall the Adobe Flash Player plug-in and ActiveX control [adobe.com]

Re:Good browsers let the user choose

[TopSpin]

The question here is why doesnt Firefox do this natively?

The answer is that the browser is ignorant of what Flash is doing with the hard drive. HTML cookies and Flash cookies (LSOs) are not related. Firefox is not aware of and has no mechanism to control what Flash does with your disk.

Flash Player (for Mozilla/Firefox) is based on the ancient and crufty NPAPI. This interface provides no generic "clear your temporary crap" hook for the host (browser.) It should; it's 2009 and this browser thing has been going on for 15 years now...

IE 7 has a feature in "Delete Browsing History" that prompts the user to delete "files and settings stored by add-ons." I've never confirmed whether this means "flash cookies" (because I don't rely on IE for anything...) but that is what is implied, so this isn't some novel idea unheard of in the traditions of the Internets.

Dear Mozilla,
    It is incumbent upon you as the present keeper of the NPAPI specification, such as it is, to extend said specification to provide a generic mechanism to monitor and control any and all storage utilized by third party plug-ins, and then encourage third parties (nasty warnings on plug-in invocation would work...) to adopt this extension. Please do so THIS decade. Do not continue to delay the obvious because NPAPI is an unholy mess; privacy trumps engineering elegance.
Thanks!

forget the cookies, what I want to know is why

[fast turtle]

flash wants to grant access to my mic and camera to every damn website in the fucking world? Shouldn't it be denied by default and ask the user before granting that permission? To me this would certainly cut down on some of the flash vulnerabilities because now it's accessing other subsystems such as the MS Speech setup.

Re:Unintended reinterpretation.

[Anonymous Coward]

Yes. People don't care. That is why software/browsers should be secure and ensure privacy without configuration.