Big Brother has a new secret weapon, and he’s using it to watch your every Internet move. Computer files called Flash cookies may have told him which websites you visited this morning, what purchases you made in the past year, even your credit card number.
More than half of the Internet’s top websites use Flash cookies to store information about their visitors, according to a 2009 report by the University of California, Berkeley. This includes amazon.com, bankofamerica.com and even whitehouse.gov.
Yet Flash cookies are unknown to most Internet users. In fact, of 10 companies advertising computer repair services in the Las Vegas Yellow Pages, the first nine phoned by the Review-Journal had never heard of them.
Standard tracking cookies — known to the majority of savvy surfers — are routinely deposited into your hard drive by commercial Internet sites and their advertisers.
“They can grab data from a porn site, recent search criteria, all sorts of things like that,” says Sal Arango, manager of Las Vegas-based AnyTime Computer Services.
These cookies can be deleted via Internet browser privacy controls, where they also can be blocked entirely (although some sites will not allow access to cookie-blocking computers).
But Flash cookies — quietly rolled out in 2001 — cannot be deleted from your hard drive because they’re not stored there. They exist, permanently, on a remote database maintained by San Francisco-based Adobe, which calls them “local shared objects.” This database identifies, and gives itself access to, every computer that has downloaded its popular Flash Player software (which, according to Adobe, is 98 percent of them).
Adobe’s website says that Flash cookies help sites “provide a more customized experience for you.” Indeed, they save preferences, credit card numbers and bank passwords so you don’t have to type them the next time you visit the same site. They also can store 100 kilobytes of information (including load-heavy graphics and photos) — versus 4 kilobytes for a computer-stored cookie.
“They can be used for good,” Arango says. “But for the most part, they’re definitely leveraged toward the site that issues them versus the consumer.”
This jibes with a use that thousands of websites have found for Flash cookies: to regenerate standard, computer-stored cookies after users go through the trouble of deleting them. (Thus, their nickname: zombie cookies.) Essentially, users who think their privacy is protected still are being tracked.
This summer, Dallas-based privacy attorney Joseph Malley filed separate, multimillion-dollar lawsuits against Specificmedia, Quantcast and Clearspring, alleging that these companies broke federal laws against computer surveillance by using Flash cookies to “respawn” deleted tracking cookies. (Malley is the same attorney who won a $9.5 million settlement from Facebook in March, over software that monitored what users bought or rented from its sponsors.)
To be fair, the current version of Flash does not allow the sharing of Flash cookies across different websites. That means an adult website cannot detect your Bank of America password. However, this does not guarantee against misuse.
“They can be used for a whole bunch of different things,” Arango says. “It’s based on the integrity of the person who writes it.”
According to Arango, for instance, Flash cookies are frequently used as a conduit to install more devious spyware and malware. Some of the worst of these programs can track your every keystroke and lead to identity theft; but even the most harmless will usually slow your computer down.
“One of our common things is to go into a slow computer and clear (the Flash cookies) out to see if that helps,” Arango says. “Usually, it does.”
Adobe’s own website contains the following warning: “Like browser cookies, Flash Player local shared objects are used to create great Web experiences for users, but they might be misused by some advertisers and websites.”
Contact reporter Corey Levitan at clevitan@reviewjournal.com or 702-383-0456.
ZOMBIE KILLERS
Several stakes in the heart of local shared objects are available, including:
Flash Player Settings Manager
Scroll down to, then click on, the “Website Storage Settings” link. Delete all websites you don’t want tracking you. You will probably want to discriminate in your deleting, however. Deleting your banking Flash cookies, for example, will delete any stored passwords and cause your bank’s website to ask you personal security questions in order to regain access.
To permanently ban Flash cookies, along with their advantages, click on the “Global Storage Settings” panel and uncheck “allow third-party Flash content to store data on your computer.”
Better Privacy (Add-on for PC users with Firefox)
Flush App (Program for Mac OS X users)
LAS VEGAS REVIEW-JOURNAL