Privacy of Flash Cookies

Quentin Mayo, Chris Hoofnagle, JD, Ashkan Soltani, MIMS

10/30/22


April 22, 2023

Abstract

Flash cookies are emerging as a new consumer tracking technology. Flash cookies, also known as Local Shared Objects, are similar to HTML cookies, but they can store more information and they are more persistent. Privacy issues are intensified by Flash cookies because they are not controlled by the browser, and because consumers are likely to be unaware of their presence. This study focuses on the presence and operation of Flash cookies on the top 100 websites.

Research and Purpose

• Determine how Flash cookies are being used on the web

• Identify the most frequently appearing ad companies that are using Flash

• Check if any companies use Flash to bypass user settings or to contravene user expectations

Data Collected

Data came from the Quantcast Top 100 of July 1, 2009. Five additional “Government Websites” were studied.

• LSO files stored: Set by Adobe, Domain, and Third Party Companies in the macromedia folder. Hold IDs, preferences and other values.

• Cache: Temporary storage for data that needs to be accessed frequently.

• SWF (small web files) files: Embedded into web pages for multimedia and advertisements.

• Standard Cookies: Basic string values accessed by a domain.

Results:

Overlapping Cookies?

Overlapping cookies means that some of the same key values/tags inside the Flash cookies are also found in HTML cookies. These values could include user IDs or unique strings.

[Pie chart: Overlapping Cookies. Segments: 22 (41%) and 32 (59%). Legend: IDs Overlap, No Overlap.]

46 of the top 100 sites stored Flash cookies.

[Pie chart. Segments: 46% and 54%. Legend: Sites that had sol files, Sites without sol files.]

[Bar chart: Top 20 sites, Ratio Flash Vs. HTML Stored On User's Computer. Series: HTTP Cookies, Flash Cookies. Scale: 0 to 80. Sites shown: google.com, msn.com, yahoo.com, live.com, facebook.com, wikipedia.org, youtube.com, microsoft.com, myspace.com, ebay.com, aol.com, ask.com, blogspot.com, craigslist.org, about.com, amazon.com, mapquest.com, answers.com, windows.com, photobucket.com.]

Conclusions

Cookie Respawning

• Flash cookies are present on more than half of the top 100 sites, and instead of being used to store preferences, some appear to be tracking individuals because they have settings mirroring ordinary HTML.

• We demonstrated that some of the top 100 sites are using Flash cookies to respawn deleted HTML cookies, from both first party and third party domains. This circumvents user attempts to prevent tracking.

Future Work and Importance

• Raise awareness of the emergence of Flash's tracking capabilities.  Analyze more domains for cookie respawning or other tracking activities

[Bar chart: Government Site: LSO/HTTP Content. Series: HTTP Cookies, Sol Stored. Scale: 0 to 8.]

Sites             #SharedObjects obtained from government site

cdc.gov           None

data.gov          Clearspring.sol

dhs.gov           Clearspring.sol

irs.gov           None

nasa.gov          None

whitehouse.gov    Clearspring.sol, SoudData.sol (Youtube LSO file), Videostats.sol (Youtube LSO file)

1. No data modified. One HTML cookie contains the same string value as Clearspring’s LSO.

2. HTML cookies deleted, but Clearspring’s LSO file left in place.

3. Visited the same webpage. Two HTML cookies created. Both contained different values.

4. After surfing the domain, the HTML cookie is rewritten, establishing the original Flash cookie value.
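The overlap check from the Results section and the four-step respawning observation above can be expressed as a comparison of cookie-store snapshots. This is an added example, not code from the poster or its authors: `Snapshot`, the cookie names, the LSO key and every identifier value are constructed, and it assumes the LSO values have already been decoded from the `.sol` files.

```python
from dataclasses import dataclass

MIN_ID_LEN = 8  # assumption: shorter strings are too generic to be identifiers


@dataclass(frozen=True)
class Snapshot:
    label: str
    http: dict  # HTTP cookie name -> value
    lso: dict   # "file.sol/key" -> value (already decoded from the .sol file)


def overlapping_ids(snap):
    """Map each value held in both stores to (cookie names, LSO keys)."""
    found = {}
    for value in set(snap.http.values()) & set(snap.lso.values()):
        if len(value) >= MIN_ID_LEN:
            found[value] = (
                sorted(n for n, v in snap.http.items() if v == value),
                sorted(k for k, v in snap.lso.items() if v == value),
            )
    return found


def respawned_ids(snapshots):
    """Values shared by both stores, then gone from HTTP cookies while the
    LSO survived, then back in an HTTP cookie: [(value, snapshot label)]."""
    hits = []
    for i, start in enumerate(snapshots):
        for value in overlapping_ids(start):
            cleared = False
            for later in snapshots[i + 1:]:
                in_http = value in later.http.values()
                if not in_http and value in later.lso.values():
                    cleared = True
                elif cleared and in_http:
                    hits.append((value, later.label))
                    break
    return hits


# Constructed snapshots following the four observations above (values invented).
UID = "a1b2c3d4e5f60718"
LSO = {"clearspring.sol/uid": UID}
STEPS = [
    Snapshot("1 baseline", {"uid": UID}, LSO),
    Snapshot("2 cookies deleted", {}, LSO),
    Snapshot("3 revisit", {"uid": "0f9e8d7c6b5a4321", "sess": "77aa66bb55cc44dd"}, LSO),
    Snapshot("4 after surfing", {"uid": UID, "sess": "77aa66bb55cc44dd"}, LSO),
]
```

Calling `respawned_ids(STEPS)` flags the identifier at the fourth snapshot, and stopping at the third snapshot yields no finding because the HTTP cookies there hold only fresh values.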
