Local shared object

Local Shared Objects (LSO), commonly called flash cookies (due to their similarities with HTTP cookies), are pieces of data that websites which use Adobe Flash may store on a user's computer. Local Shared Objects are used by all versions of Adobe Flash Player and by version 6 and above of Macromedia's now-obsolete Flash Player.[1]

While websites may use Local Shared Objects for purposes such as storing user preferences, there have been privacy concerns regarding Local Shared Objects.

Storage

Local Shared Objects contain data stored by individual websites. With the default settings, the Flash Player does not seek the user's permission to store Local Shared Objects on the hard disk. By default, a SWF application running in Flash Player from version 9 to 11 (as of Sept 1, 2011) may store up to 100 kB of data on the user's hard drive. If the application attempts to store more data than the allotted default, the user is shown a dialog to allow or deny the request for more storage space.[2]

Adobe Flash Player does not allow third-party Local Shared Objects to be shared across domains. For example, a Local Shared Object from "www.example.com" cannot be read by the domain "www.example2.com".[1] However, the first-party website can always pass data to a third party via some settings found in the dedicated XML file and by passing the data in the request to the third party. Also, third-party LSOs are allowed to store data by default.[3][4]

User control

Users can disable Local Shared Objects using the Global Storage Settings panel of the online Settings Manager at Adobe's website.[5] However, using this feature will permanently place a flash cookie on the user's computer, informing all other websites that the user does not want flash cookies stored on their computer. Users can also opt out of them on a per-site basis by right-clicking the Flash player and selecting 'Settings' or by using the Website Storage Settings panel. The latter also allows users to delete Local Shared Objects.[6]

Users may also delete Local Shared Objects either manually or using third-party software. For instance, BetterPrivacy,[7] a Firefox add-on, or CCleaner, a standalone computer program for Microsoft Windows, allow users to delete Local Shared Objects on demand.

Browser control

Browser control refers to the web browser's ability to delete Local Shared Objects and to prevent the creation of persistent Local Shared Objects when privacy mode is enabled. As for the former, Internet Explorer 8, released on 19 March 2009,[8] implements an API that allows browser extensions to co-operate with the browser and delete their persistent data when the user issues a Delete Browsing History command.[9] However, two years passed between its introduction and Adobe's announcement, on 7 March 2011, that Flash Player v10.3, which was still in development at the time, supports co-operating with Internet Explorer 8 or later to delete Local Shared Objects.[10]

Also, on 5 January 2011, Adobe Systems, Google Inc., and Mozilla Foundation finalized a new browser API (dubbed NPAPI ClearSiteData). This will allow browsers implementing the API to clear Local Shared Objects.[11] Four months later, Adobe announced that Flash Player 10.3 enables Mozilla Firefox 4 and "future releases of Apple Safari and Google Chrome" to delete Local Shared Objects.[10] The actual use of this new feature in Firefox remained consistent for all versions up to and including Mozilla Firefox 7: it changed the cookie concept to include LSOs, so the deletion rules that in previous versions applied only to HTTP cookies would now apply to Flash LSOs as well.[12][13]

This caused loss of data and backward-incompatible Flash application behavior[14] for those Firefox and Flash users who used HTTP cookies and Flash Local Shared Objects for different goals. Mainly this had an impact on the Flash gaming community, which relies heavily on Flash LSOs to store saved games.[15][16] The resulting support requests cannot be solved favorably for the Mozilla Firefox users without changes to the browser, because of the introduced equivalence between HTTP and Adobe Flash cookies.[12][13] Currently the workaround in use is to either configure the browser to never clear history data and cookies, or to revert the part of the changes affecting this use case, using third-party patches.[17]

As for the behavior in the browser's privacy mode, Adobe Flash Player 10.1, released on 10 June 2010, supports the privacy modes of Internet Explorer, Mozilla Firefox, Google Chrome and Safari. Local Shared Objects created in privacy mode are discarded at the end of the session. Those created in a regular session are also not accessible in privacy mode.[11][18]

File locations

The default storage location for Local Shared Objects is operating system-dependent.

On Microsoft Windows NT 5.x, they are stored in:[19]

On Microsoft Windows NT 6.x, they are stored in:[19]

On Mac OS X, they are stored in:

On Linux or Unix, they are stored in:

For Linux and Unix systems, if the open-source Gnash plugin is being used instead of the official Adobe Flash, they will instead be found at:

Privacy concerns

As with HTTP cookies, Local Shared Objects can be used by web sites to collect information on how people navigate those web sites even if people believe they have restricted the data collection.[20] Online banks, merchants or advertisers may use Local Shared Objects for tracking purposes.[21]

On 10 August 2009, Wired magazine reported that more than half of the top websites used Local Shared Objects to track users and store information about them but only four of them mentioned it in their privacy policy. "Flash cookies are relatively unknown to web users," it said, "even if a user thinks they have cleared their computer of tracking objects, they most likely have not." The article further asserts that some websites use Flash cookies as hidden backups, so that they can revive HTTP cookies when the user deletes them.[22]

According to The New York Times, since July 2010, there had been at least five class-action lawsuits in the United States against media companies for using Local Shared Objects.[23]
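The revival of deleted HTTP cookies from Flash cookies, as reported by Wired above, can be audited by comparing cookie snapshots against the contents of the Local Shared Objects that survive a cookie deletion. The following Python code is an added example, not part of the original article; the snapshot format, the function names and all sample values are assumptions constructed for illustration, and the LSO contents are assumed to be already decoded into dictionaries.

```python
# Added example (not from the original article): audit for cookie respawning.
# All domains, cookie names and values below are constructed sample data.

def flatten(lsos):
    """Yield (domain, lso_name, key, value) for every entry in decoded LSOs."""
    for domain, objects in lsos.items():
        for lso_name, data in objects.items():
            for key, value in data.items():
                yield domain, lso_name, key, str(value)

def find_respawned(before, after_clear, after_revisit, lsos, min_len=8):
    """Return cookies that were deleted, reappeared with the same value on the
    next visit, and whose value is also held in an LSO that survived."""
    findings = []
    for cookie, value in sorted(after_revisit.items()):
        if len(value) < min_len:
            continue  # short values ("en", "1") match by coincidence
        if cookie in after_clear:
            continue  # never actually deleted, so nothing was revived
        if before.get(cookie) != value:
            continue  # a fresh identifier after deletion is expected
        sources = [(d, n, k) for d, n, k, v in flatten(lsos) if v == value]
        if sources:
            findings.append({"cookie": cookie, "value": value, "lso": sources})
    return findings

# Snapshots keyed by (domain, cookie name): before clearing cookies,
# immediately after clearing, and after visiting the same sites again.
BEFORE = {("tracker.example", "uid"): "a3f9c2d17e5b4408",
          ("news.example", "sid"): "77aa01bc9e3d2f10",
          ("shop.example", "lang"): "en"}
AFTER_CLEAR = {}
AFTER_REVISIT = {("tracker.example", "uid"): "a3f9c2d17e5b4408",  # same value again
                 ("news.example", "sid"): "c41d88e02b7f9a65",     # new value
                 ("shop.example", "lang"): "en"}
# LSO contents read after the clearing step, assumed already decoded.
LSOS = {"tracker.example": {"settings.sol": {"volume": 80,
                                             "userId": "a3f9c2d17e5b4408"}},
        "shop.example": {"prefs.sol": {"language": "en"}},
        "game.example": {"save.sol": {"level": 12}}}

if __name__ == "__main__":
    for finding in find_respawned(BEFORE, AFTER_CLEAR, AFTER_REVISIT, LSOS):
        print(finding)
```

Only the `uid` cookie is reported: the `sid` cookie received a new value after deletion, and the two-character `lang` value is too short to count as an identifier.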

In certain countries it is illegal to track users without their knowledge and consent. For example, in the United Kingdom, customers must consent to use of cookies/Local Shared Objects:[24][25]

Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
  • is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  • is given the opportunity to refuse the storage of, or access to, that information.

—Information Commissioner's Office

Local Shared Objects were the first subject to be discussed in the Federal Trade Commission roundtable in January 2010.[26] FTC Chairman Jon Leibowitz has been talking with Adobe about what it describes as "the Flash problem."[27]

Editors and toolkits

| Software | Developer | Operating system | First public release | Latest stable version | License |
|---|---|---|---|---|---|
| Cookie Stumbler | WriteIt! Studios Ltd. | Mac OS X 10.6 - 10.7 | 2011 | 1.4.1 | Shareware |
| BetterPrivacy | Ingo Krüger | Linux, BSD, Mac OS X, Windows (Firefox/SeaMonkey addon) | ? | 1.63 | ? |
| Dojo Toolkit | Dojo Foundation | OS-Independent | 2004 | 1.3.2 (2009-7-16) | BSD, AFL |
| MAXA Cookie Manager | Maxa Research | Windows | ? | 3.2 (2009-02-02) | Shareware |
| .minerva | Gabriel Mariani | OS-Independent (Adobe Air) | ? | 3.3.0 (2011-03-27) | BSD |
| PyAMF | Nick Joyce | OS-Independent | 2007-10-07 | 0.6b (2010-08-11) | MIT |
| .sol Editor | Alexis Isaac | Windows | 2005-02 | 1.1.0.1 (2005-02-21) | MPL |
| SOLReader | Alessandro Crugnola | Windows | ? | ? | ? |
| SolVE | Darron Schall | Windows, Mac OS X | 2004-09 | 0.2 (2004-10-15) | CPL |
| s2x | Aral Balkan | OS-Independent | 2005-07-15 | N/A | Freeware |
| Click&Clean | ? | Linux, BSD, Mac OS X, Windows (Firefox/SeaMonkey addon) | ? | ? | ? |

References

  1. ^ a b "What are local shared objects?". Security and privacy. Adobe Systems. http://www.adobe.com/products/flashplayer/articles/lso/. Retrieved 2007-12-05. 
  2. ^ "ActionScript Documentation Reference for Adobe Flash Platform". Adobe Systems. 2011-08-22. http://help.adobe.com/en_US/FlashPlatform/beta/reference/actionscript/3/flash/net/SharedObject.html. Retrieved 2011-09-02. 
  3. ^ "What Are Third-Party Local Shared Objects?". Security and privacy. Adobe Systems. Archived from the original on 2010-05-29. http://web.archive.org/web/20100529082424/http://www.adobe.com/products/flashplayer/articles/thirdpartylso/. Retrieved 2011-08-15. 
  4. ^ "How to disable third-party local shared objects". Support. Adobe Systems. http://kb2.adobe.com/cps/546/4c68e546.html. Retrieved 2011-08-15. 
  5. ^ "Global Storage Settings panel". Flash Player Help. Adobe Systems. 2009-07-14. http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html. Retrieved 2011-05-05. 
  6. ^ "Website Storage Settings panel". Flash Player Help. Adobe Systems. 2009-07-14. http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html. Retrieved 2011-05-05. 
  7. ^ Guarino, Joseph (2010-03-12). "Seven Firefox add-ons that improve online privacy". Macworld. Mac Publishing, LLC. http://www.macworld.com/article/147054/2010/03/firefox_privacy.html?lsrc=nl_mwweek_h_cbstories. Retrieved 2010-05-24. 
  8. ^ "Microsoft Announces Availability of Internet Explorer 8". PR Newswire (Redmond, Washington: PR Newswire Association LLC). 2009-03-19. http://news.prnewswire.com/ViewContent.aspx?ACCT=109&STORY=/www/story/03-19-2009/0004991142&EDATE=. Retrieved 2011-05-05. 
  9. ^ "Deleting “Flash Cookies” Made Easier". IEBlog. TechNet Blogs (Microsoft Corporation). 2011-05-03. http://blogs.msdn.com/b/ie/archive/2011/05/03/deleting-flash-cookies-made-easier.aspx. Retrieved 2011-05-05. 
  10. ^ a b Imbert, Thibault (2011-03-07). "Introduced Flash Player 10.3 beta!". Adobe AIR and Adobe Flash Player Team Blog. Adobe Blogs (Adobe Systems). http://blogs.adobe.com/flashplayer/2011/03/introducing-flash-player-10-3-beta.html. Retrieved 2011-05-05. "Integration with browser privacy controls for managing local storage – Users will have a simpler way to clear local storage from the browser settings interface – similar to how users clear their browser cookies today." 
  11. ^ a b Huang, Emmy (2011-01-12). "On Improving Privacy: Managing Local Storage in Flash Player". Adobe Flash Platform Blog. Adobe Blogs (Adobe Systems). http://blogs.adobe.com/flashplatform/2011/01/on-improving-privacy-managing-local-storage-in-flash-player.html. Retrieved 2011-05-05. "Representatives from several key companies, including Adobe, Mozilla and Google have been working together to define a new browser API (NPAPI ClearSiteData) for clearing local data, which was approved for implementation on January 5, 2011. Any browser that implements the API will be able to clear local storage for any plugin that also implements the API." 
  12. ^ a b Mike Beltzner (2011-01-13). "Bugzilla entry 625495 - Clear Adobe Flash Cookies (LSOs) when Clear Cookies is selected in the Privacy > Custom > Clear History". https://bugzilla.mozilla.org/show_bug.cgi?id=625495. Retrieved 2011-09-28. "Change to the "on close" firefox behavior to use the new NPAPI ClearSiteData API." 
  13. ^ a b Mike Beltzner (2011-01-13). "Bugzilla entry 625496 - Clear Adobe Flash Cookies (LSOs) when Cookies is selected in Clear Recent History". https://bugzilla.mozilla.org/show_bug.cgi?id=625496. Retrieved 2011-09-28. "Change to the "clear recent history" firefox behavior to use the new NPAPI ClearSiteData API." 
  14. ^ Claudio Fontana (2011-07-17). "Bugzilla entry 672107 - Add configuration option to treat web cookies and flash shared local objects (LSOs) differently; destructive upgrade from older Firefox versions". https://bugzilla.mozilla.org/show_bug.cgi?id=672107. Retrieved 2011-09-28. "Loss of data on upgrade bug report, feature request for treating HTTP Cookies and Flash Local Shared Objects differently." 
  15. ^ ""All my saved games are gone" discussion on kongregate". 2011-06-30. http://www.kongregate.com/forums/7-technical-support/topics/181599-all-my-saved-games-are-gone?page=1. Retrieved 2011-09-28. "example Kongregate discussion about users losing data as a result of the new browser behavior." 
  16. ^ "Mozilla support question: How do I stop "delete cookies" from deleting saved games of a flash based game?". 2011-06. https://support.mozilla.com/en-US/questions/823400. Retrieved 2011-09-28. "Mozilla support question and follow-ups: How do I stop "delete cookies" from deleting saved games of a flash based game?" 
  17. ^ Claudio Fontana (2011-07-11). "firefox flash LSO revert patch". http://www.niceties.it/flash_LSO/flash_LSO.html. Retrieved 2011-09-28. "Third party patch to revert the firefox cookie semantic change" 
  18. ^ Betlem, Paul (2010-06-10). "Flash Player 10.1 Now Available for Windows, Mac, and Linux". Adobe AIR and Adobe Flash Player Team Blog. Adobe Blogs (Adobe Systems). http://blogs.adobe.com/flashplayer/2010/06/flash_player_101_now_available.html. Retrieved 2011-05-07. 
  19. ^ Kirk, Jeremy (2009-08-11). "Adobe Flash cookies pose vexing privacy questions". Network World. IDG News Service (Network World, Inc). http://www.networkworld.com/news/2009/081109-study-adobe-flash-cookies-pose.html. Retrieved 2009-04-10. 
  20. ^ Cohn, Michael (2005-03-15). "Flash Player Worries Privacy Advocates". InformationWeek (UBM Techweb). http://www.informationweek.com/news/showArticle.jhtml?articleID=160901743. Retrieved 2007-12-05. 
  21. ^ Singel, Ryan (2009-08-10). "You Deleted Your Cookies? Think Again". Wired (Condé Nast Digital). http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/. Retrieved 2009-08-22. 
  22. ^ Vega, Tanzina (2010-09-21). "Code That Tracks Users’ Browsing Prompts Lawsuits". New York Times (The New York Times Company). http://www.nytimes.com/2010/09/21/technology/21cookie.html. Retrieved 2011-05-05. 
  23. ^ "Part 2: Security, confidentiality, traffic and location data, itemised billing, CLI and directories" (PDF). Guidance on the Privacy and Electronic Communications (EC Directive) Regulations 2003 (3.4 ed.). United Kingdom: Information Commissioner’s Office. 2006-11-30. http://www.ico.gov.uk/upload/documents/library/privacy_and_electronic/detailed_specialist_guides/pecr_guidance_part2_1206.pdf. Retrieved 2011-05-05. 
  24. ^ "Confidentiality of communications". Guide to the Privacy and Electronic Communications Regulations. United Kingdom: Information Commissioner’s Office. http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx. Retrieved 2011-05-05. 
  25. ^ James Temple (2010-01-29). "All eyes on online privacy". San Francisco Chronicle. http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/01/29/BUMN1BP4MN.DTL. Retrieved 11 February 2011. 
  26. ^ Donald Melanson (2010-12-04). "FTC says it's talking to Adobe about the problem with 'Flash cookies'". Engadget. http://www.engadget.com/2010/12/04/ftc-says-its-talking-to-adobe-about-the-problem-with-flash-cook/. Retrieved 11 February 2011. 