Think you are protecting your privacy by pruning or deleting your web browser cookies? Chances are, you are sadly mistaken. According to a recent article on the Wired.com website, “more than half of the internet’s top websites use a little known capability of Adobe’s Flash plug-in to track users and store information about them.”

Flash is installed on something like 98% of the world’s personal computers. If you’ve ever viewed a web page, chances are you’ve encountered Flash in some form. Most videos are displayed with Flash, for example, as are the bulk of those animated ads you’ve trained yourself to ignore.

Problem is, Flash applications can store information on your computer in a widget called a Local Shared Object (LSO). Most of the time, the sort of stuff stored in an LSO is fairly benign, but this capability is also subject to abuse. The most egregious example of LSO abuse is something called “persistent cookies.” This was devised as a workaround to deal with the increasing number of people who, concerned with issues of online privacy, deleted their cookies regularly. A copy of the cookie data is stored in a Flash LSO. If the cookie has been deleted, it is restored using the LSO data.

This persistent cookie trick has been around for several years. When it was first proposed, the objections were so loud and fervent — even Adobe/Macromedia got huffy about it — it seemed the idea died an early death. I wrote it up for a small circle of friends, made some adjustments to prevent it and forgot about it. Evidently, bad things have been happening in the shadows since then and it is time to clean up my notes and post them online.

So, herewith are two straightforward ways to control Flash cookies with a minimum of hassle, as well as some information on when you should not remove Flash cookies…

Method #1:

Bring up the Flash Player Settings Manager web page.

On the second tab from the left, move the slider all the way to the left and place a checkmark next to “Never Ask Again.”

Next, go to the right-most tab and click the “Delete all sites” button.

This procedure starts you with a clean slate and tells Flash that, in the future, sites can create Local Shared Objects, but only with zero length. In other words, a site can create an LSO, but it can’t store anything in it. Pretty sneaky, eh? I’d suggest you periodically revisit the right-hand tab and clear out the accumulated zero-size LSOs.

Advantage: Simplicity. No LSO storage means no Flash cookies.

Disadvantage: Some web sites use Flash LSO storage in a useful way. For example, certain video and audio sites employ LSOs to retain player settings during your visit or to help smooth out streaming video. Also, a very few sites will simply not work if LSOs are disabled. If this is a concern and you are using Firefox as your web browser, consider using Method #2 instead.

Method #2:

The above Settings Manager tweak stomps Flash cookies with minimal hassle and works with any web browser. However, if you are a Firefox user, there’s an add-on giving you finer-grained control. It’s called Better Privacy and can be found at http://netticat.ath.cx/BetterPrivacy/BetterPrivacy.htm. The easiest way to use Better Privacy is to set it to delete all LSOs when you exit Firefox.

Once you’ve installed Better Privacy, go to the Firefox Tools menu and chose “BetterPrivacy”. You’ll get a window that looks something like this:

Click on the “Options & Help” tab. Enable “Delete Flash cookies on Firefox exit”. Optionally, disable (uncheck) “Always ask”. Personally, I always disable the “Always ask” option. Being asked what I wish to do with my Flash cookies every time I exit Firefox is a big nuisance.

If you encounter the rare site that actually requires LSO storage to work properly (I’ve only seen one so far), using the Better Privacy add-on permits the site to allocate some space without the LSO persisting beyond your current browser session. You get the best of both worlds. Web sites are happy because Flash behaves in the expected way; you’re happy because all the Flash trash gets tossed when you exit Firefox.

But wait, there’s more.

Keeping good Flash cookies

Sometimes, you may wish to protect a Flash cookie from deletion. For instance, Flash-based games like the popular Machinarium store game progress and status in an LSO. Unless you thrive on frustration, zapping it would be a Bad Thing. Happily, a small additional tweak to the above Method #2 can accommodate this.

Launch Firefox and chose “BetterPrivacy” from the Tools menu. You’ll get a list of the current Flash LSOs that looks something like this:

Select (click on) the LSO you want to preserve and click the “Prevent automatic LSO deletion” button. The LSO’s status will change from “Not protected” to “Protected Folder.”

Click the “OK” button and you’re done. When you exit Firefox, all Flash cookies will now be deleted, except the ones you’ve protected. Unwanted Flash data still gets sent to that big bit-bucket in the sky, but your hard-won game progress remains undisturbed.

For those of you who came in late, a “cookie” is a scrap of data that may be placed on your computer when you visit a web site. Web sites can only read and write their own cookies.

Used responsibly, cookies are very useful. For instance, most retail sites use cookies to keep track of the contents and status of your shopping cart.

Unfortunately, cookies are also subject to abuse. The most infamous examples are the so-called “tracking cookies.” Many web pages display advertising served up from third-party web sites. These third-party ad networks also deposit cookies on your computer. If you later visit another web site using ads from one of these outfits, they will read and update their cookies, in the process collecting information on what sites you’ve been visiting, what you looked at while you were there, the IP address you are using to access the Internet, the particulars of your web browser and a fair bit of information about your computing environment. The marketing droids say this is harmless and even beneficial because it enables them to provide advertising you are more likely to find useful based on your interests. Personally, I find it creepy that some anonymous outfit is building a profile of my browsing habits.

Some people deal with this by controlling what web sites are allowed to set cookies on their machines and under what circumstances. This gets tedious and often finicky. I prefer an easier approach.

Since its first release, Firefox has had an option to delete all cookies when you close the browser. Web sites can set any cookies they wish; everything works normally. When you exit Firefox, all the cookies disappear. Simple. Here’s how you do it in Firefox 3.5. Earlier versions are similar…

1. From the Firefox Tools menu, Choose “Options…”
2. Select the Privacy tab.
3. In the History section of the Privacy window, tell Firefox to “Use custom settings for history”, put checkmarks next to “Accept cookies from sites” and “Accept third-party cookies”, and select the option to keep cookies until “I close Firefox”. You should end up with a Privacy pane that looks something like this:
   
4. Click the “Show Cookies…” button and go delete all your existing cookies. You may be surprised at how many are stored on your computer.
5. Click the “OK” button to save your changes.

So, what’s the downside? Well, there are still a few web sites out there that store personalization information in cookies. Deleting your cookies every time you close out of Firefox will break these sites. However, this style of “portal” site went out of fashion quite some time ago. These days, most user-customized web sites store the personal settings on their servers and retrieve them when the user logs into the site.

For most people, the “toss your cookies” Firefox setting increases privacy with no significant effect on their web browsing experience.