• Categories

  • Archives

    « Home

    Update on Adobe Flash Cookies, What Some Call ‘Zombie’ Cookies

    In a post on the company’s blog, Emily Huang, Adobe’s group product manager for the Flash player explained how the company is trying to better protect the privacy of users, notably through changes to “cookies,” which collect data about and can track users’ Internet searches and sites visited. Flash cookies (also called “local shared objects, LSOs”) are separate from the HTTP cookies most people know about.

    To recap: In 2009, researchers at the University of California, Berkeley, released a report revealing that Adobe Flash cookies can “respawn” or “re-create” regular cookies that people have cleared from their browsers. This meant that, even if a person used private browsing mode or manually cleared their HTTP cookies and browsing history, this did not affect Flash cookies, which were stored in a separate location from regular HTTP cookies. So the Flash cookies remained, and they had the ability to re-create the HTTP cookie and other data that consumers thought had been deleted. Some dubbed these “zombie” cookies.  There was public anger about the secret tracking, and a lawsuit. (Related: Wired reported in December that “online tracking firm Quantcast has agreed to pay $2.4 million to settle a class action lawsuit alleging it secretly used Adobe’s ubiquitous Flash plug-in to re-create tracking cookies after users deleted them.”)

    Now, Huang writes that Adobe is making it easier to delete Flash cookies: “[W]e’ve been collaborating with browser vendors to integrate LSO management with the browser [user interface]. The first capability, one that we believe will have the greatest immediate impact, is to allow users to clear LSOs (and any local storage, such as that of HTML5 and other plugin technologies) from the browser settings interface—similar to how users can clear their browser cookies today.”

    The ability to clear local storage from the browser extends the work we did in Flash Player 10.1, which launched with a new private browsing feature integrated with the private browsing mode in major browsers, including Google Chrome, Mozilla’s Firefox, Microsoft’s Internet Explorer, and Apple’s Safari. When you are in a private browsing mode session in your browser, Flash Player will automatically delete any local storage that was written by websites during that browser session once the browser is closed. This ensures that Flash Player can’t be used to store any history or other information from your private session. In striving to ensure a great user experience, we’ve made this seamless and automatic for the user.

    She details further changes from Adobe in the blog post.

    One Response to “Update on Adobe Flash Cookies, What Some Call ‘Zombie’ Cookies”

    1. greg Says:

      even when you are in “private browsing” mode Adobe still writes the zombie cookies and maintains them until your “browser is closed”. That’s not exactly what we mean by “private”!
      Furthermore, nothing has been said about the microphone and web cam:
      Websites can switch on a webcam and a microphone, without necessarily providing any information to the computer user that this has happened. When you install Flash, by default, the Flash player will ask permission before switching them on. However … Unscrupulous websites can alter these settings without the users knowledge, as the Flash player can be remotely configured.
      Adobe has a Flash cookie manager.
      There are several tabs that reveal various interesting options, such as “Click always ask, to require any Website to ask permission if it wants to access your camera and/or microphone.” (!)

    Leave a Reply