The return of the undead cookies!
(Note: This post mentions web browser cookies. If you don’t know what those are, see the introductory paragraphs of the “Toss your cookies” article.)
Think you are protecting your privacy by pruning or deleting your web browser cookies? Chances are, you are sadly mistaken. According to a recent article on the Wired.com website, “more than half of the internet’s top websites use a little known capability of Adobe’s Flash plug-in to track users and store information about them.”
Flash is installed on something like 98% of the world’s personal computers. If you’ve ever viewed a web page, chances are you’ve encountered Flash in some form. Most videos are displayed with Flash, for example, as are the bulk of those animated ads you’ve trained yourself to ignore.
Problem is, Flash applications can store information on your computer in a widget called a Local Shared Object (LSO). Most of the time, the sort of stuff stored in an LSO is fairly benign, but this capability is also subject to abuse. The most egregious example of LSO abuse is something called “persistent cookies.” This was devised as a workaround to deal with the increasing number of people who, concerned with issues of online privacy, deleted their cookies regularly. A copy of the cookie data is stored in a Flash LSO. If the cookie has been deleted, it is restored using the LSO data.
This persistent cookie trick has been around for several years. When it was first proposed, the objections were so loud and fervent — even Adobe/Macromedia got huffy about it — it seemed the idea died an early death. I wrote it up for a small circle of friends, made some adjustments to prevent it and forgot about it. Evidently, bad things have been happening in the shadows since then and it is time to clean up my notes and post them online.
So, herewith are two straightforward ways to control Flash cookies with a minimum of hassle, as well as some information on when you should not remove Flash cookies…
Method #1:
Bring up the Flash Player Settings Manager web page.
On the second tab from the left, move the slider all the way to the left and place a checkmark next to “Never Ask Again.”
Next, go to the right-most tab and click the “Delete all sites” button.
This procedure starts you with a clean slate and tells Flash that, in the future, sites can create Local Shared Objects, but only with zero length. In other words, a site can create an LSO, but it can’t store anything in it. Pretty sneaky, eh? I’d suggest you periodically revisit the right-hand tab and clear out the accumulated zero-size LSOs.
Advantage: Simplicity. No LSO storage means no Flash cookies.
Disadvantage: Some web sites use Flash LSO storage in a useful way. For example, certain video and audio sites employ LSOs to retain player settings during your visit or to help smooth out streaming video. Also, a very few sites will simply not work if LSOs are disabled. If this is a concern and you are using Firefox as your web browser, consider using Method #2 instead.
Method #2:
The above Settings Manager tweak stomps Flash cookies with minimal hassle and works with any web browser. However, if you are a Firefox user, there’s an add-on giving you finer-grained control. It’s called Better Privacy and can be found at http://netticat.ath.cx/BetterPrivacy/BetterPrivacy.htm. The easiest way to use Better Privacy is to set it to delete all LSOs when you exit Firefox.
Once you’ve installed Better Privacy, go to the Firefox Tools menu and choose “BetterPrivacy”. The Better Privacy window opens.
Click on the “Options & Help” tab. Enable “Delete Flash cookies on Firefox exit”. Optionally, disable (uncheck) “Always ask”. Personally, I always disable the “Always ask” option. Being asked what I wish to do with my Flash cookies every time I exit Firefox is a big nuisance.
If you encounter the rare site that actually requires LSO storage to work properly (I’ve only seen one so far), using the Better Privacy add-on permits the site to allocate some space without the LSO persisting beyond your current browser session. You get the best of both worlds. Web sites are happy because Flash behaves in the expected way; you’re happy because all the Flash trash gets tossed when you exit Firefox.
But wait, there’s more.
Keeping good Flash cookies
Sometimes, you may wish to protect a Flash cookie from deletion. For instance, Flash-based games like the popular Machinarium store game progress and status in an LSO. Unless you thrive on frustration, zapping it would be a Bad Thing. Happily, a small additional tweak to the above Method #2 can accommodate this.
Launch Firefox and choose “BetterPrivacy” from the Tools menu. You’ll get a list of the current Flash LSOs.
Select (click on) the LSO you want to preserve and click the “Prevent automatic LSO deletion” button. The LSO’s status will change from “Not protected” to “Protected Folder.”
Click the “OK” button and you’re done. When you exit Firefox, all Flash cookies will now be deleted, except the ones you’ve protected. Unwanted Flash data still gets sent to that big bit-bucket in the sky, but your hard-won game progress remains undisturbed.
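For readers who don't use Firefox, the same "delete everything except what I've protected" idea can be scripted. The following is an added example, not Better Privacy's own code: it relies on Flash Player's default LSO folders and on-disk layout, and the domain names, file names and folder id in the demo are constructed sample data.

```python
import tempfile
from pathlib import Path

# Default Flash Player LSO folders, relative to the user's home directory.
LSO_DIRS = (
    ".macromedia/Flash_Player/#SharedObjects",                     # Linux
    "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    "AppData/Roaming/Macromedia/Flash Player/#SharedObjects",      # Windows Vista+
)

def find_lsos(root):
    """Return [(domain, path, size)] for every .sol file under root.
    Layout: <root>/<random id>/<domain>/[path to swf/]<name>.sol"""
    root = Path(root)
    found = []
    for sol in sorted(root.rglob("*.sol")):
        parts = sol.relative_to(root).parts
        domain = parts[1] if len(parts) >= 3 else "(unknown)"
        found.append((domain, sol, sol.stat().st_size))
    return found

def purge(root, protected=frozenset()):
    """Delete all LSOs except those stored by a protected domain."""
    removed, kept = [], []
    for domain, path, _size in find_lsos(root):
        if domain in protected:
            kept.append(domain)
        else:
            path.unlink()
            removed.append(domain)
    return removed, kept

def demo():
    """Run purge() on a constructed LSO tree inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "#SharedObjects")
        for domain, name, data in [               # constructed sample data
            ("tracker.example", "uid.sol", b"id=123"),
            ("ads.example", "empty.sol", b""),    # zero-length, as Method #1 leaves
            ("game.example", "save.sol", b"level=7"),
        ]:
            folder = root / "ABCD1234" / domain
            folder.mkdir(parents=True)
            (folder / name).write_bytes(data)
        sizes = {dom: size for dom, _path, size in find_lsos(root)}
        removed, kept = purge(root, protected={"game.example"})
        return sizes, removed, kept, [d for d, _p, _s in find_lsos(root)]

if __name__ == "__main__":
    print(demo())
    for rel in LSO_DIRS:                          # list (never delete) real LSOs
        if (Path.home() / rel).is_dir():
            for dom, path, size in find_lsos(Path.home() / rel):
                print(size, dom, path.name)
```

Run as-is, it only lists the LSOs on your machine; nothing real is deleted unless you call purge() on one of those folders yourself.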