Adobe finally promises to help rein in Flash cookies

Adobe has finally taken some public steps to ameliorate the privacy problem exposed by the zombie cookie debacle

Five months after a string of lawsuits unveiled Flash's complicity in restoring zombie cookies, Adobe Systems has finally promised to do something about it. The operative word is "promised."

Back in August I wrote about Adobe Flash's Local Stored Objects (LSOs, or "Flash cookies") and how they were being used to keep regular cookies alive, even after a user deleted them. The zombie cookie approach landed Disney, ABC, ESPN, MTV, Warner Brothers, MySpace, and NBC Universal, among others, in court for their boorish behavior.

At its heart the trick's pretty simple. A website that wanted to maintain tenacious cookies only needed one extra step. In addition to placing a cookie on the user's PC, they also used the good services of Adobe Flash to keep a backup copy of the cookie. That way, if the user deleted a particular site's cookie, the site could rummage around in Flash's storage to see if there was a backup.

Few users are savvy enough to clear Flash cookies in addition to regular cookies. Browser settings that control regular cookies don't have any sway at all over Flash. It's a technique perfected and promulgated by two data-gathering companies, Quantcast and Clearspring, which also deservedly landed in court.

Adobe has known about the potential of LSO abuse for years. The zombie cookie debacle five months ago merely publicized a technique that was well-known and widely used in privacy-busting circles -- and had been for quite some time. 

I'm happy to say that Adobe has finally taken some public steps to ameliorate the problem. Hey, it only took five months. Writing on the official Adobe blog, Flash Group Product Manager Emmy Huang says that Adobe is pursuing the problem in three different ways.

First -- this actually happened back in June -- Flash 10.1 and later support private browsing in Firefox, Internet Explorer (where it's called "InPrivate Browsing"), Chrome ("Incognito Mode"), and Safari. When you go into private browsing mode, the browser won't remember anything about your session. Flash plays along, as well it should. Imagine the uproar if it didn't.

Second, Adobe has been working with the folks at Firefox and Chrome to come up with a uniform method for browsers to find out if there's private data being squirreled away by a plug-in (such as Flash) and, if such data exists, for the browser to clear it. The so-called NPAPI:ClearSiteData spec allows the browser to acquire a list of all of the sites that have provided data being stored by a plug-in. It also specifies a single function call that zaps all of that data.

Mozilla and Adobe have officially approved the spec, and it looks like Firefox will soon have the ability to delete all of the data being stored by a plug-in -- most notably, the data stored by sites using Flash cookies, er, LSOs. Presumably, at some point in the not-too-distant future, Firefox will have an option that allows you to delete Flash cookies (much as it now has the ability to delete cookies for individual websites) en masse.

As yet, there's been no official acknowledgement from Google about Chrome support, although Adobe promises the feature is coming. It isn't clear if Microsoft was party to the discussions, much less whether IE will suppport the feature.

Third, Adobe promises that some day you'll be able to control Flash cookies directly from within Windows, Mac OS, and Linux. Called the Flash Player Settings Manager, the new utility's supposed to integrate with the Windows Control Panel sometime in the first half of this year. (Call me skeptical, but it could happen.) In the interim, Flash says it's improved the weird online program that it's always pushed for adjusting Flash cookie settings. I don't see any difference from the old version: It still sports a bizarre, convoluted interface that doesn't look like it's doing anything. If you want to see what Flash cookies are stored on your system, go to that weird online program and click the second icon from the right -- bet you'll be amazed.

While it's gratifying to know that Adobe has made some progress in protecting our privacy, the company is clearly playing catchup -- at a rather leisurely pace. I still hold out some hope that the Flash Control Panel applet will do what it's supposed to do. But I won't get my hopes up too high.

This article, "Adobe finally promises to help rein in Flash cookies," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog, and for the latest in business technology news, follow InfoWorld.com on Twitter.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies