As mentioned at today’s FTC Roundtable, Adobe has announced an important privacy improvement in Flash 10.1 (now in beta testing).
Here’s the relevant passage from the release notes (PDF):
Browser privacy mode (desktop only)
Flash Player 10.1 abides by the host browser’s “private browsing” mode, where local data and browsing activity are not persisted locally, providing a consistent private browsing mechanism for SWF and HTML content. Private local shared objects behave like their public variants as long as Flash Player is in memory and local shared objects created during private browsing are removed when returning to public browsing mode. Existing shared objects are preserved but inaccessible until private browsing is turned off. Libraries in the Flash Player cache, like the Flex framework, are unaffected by private mode. Supported in Firefox, Chrome, and Internet Explorer. No developer action required.
This is helpful from a privacy perspective, in that it aligns with the consumer’s reasonable expectation that activities in private-browsing sessions leave no trace and cannot be associated with activities during other browsing sessions.
But it doesn’t really address the more fundamental concerns raised about Flash cookies when used for behavioral targeting. Consumers expect that when they clear their browsing history using native browser controls, they wipe the slate clean with respect to cookies. While the major ad networks have moved away from using Flash cookies for behavioral tracking, you will find quite a few smaller ad delivery companies still using Flash cookies. The failure of Adobe and the major browser makers to align with consumer expectations is truly inexplicable.
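Because native browser controls do not reach Flash cookies, what remains after clearing history can be checked on disk. The following Python script is an added example, not from the original post or from Adobe; it assumes the commonly documented per-user Flash Player storage locations and the `<random dir>/<domain>/...` layout beneath them, and its function names are illustrative.

```python
import os
import sys
from collections import defaultdict
from pathlib import Path

def default_roots(home=None):
    """Commonly documented per-user LSO roots (assumed; not listed in the post)."""
    home = Path(home or Path.home())
    appdata = Path(os.environ.get("APPDATA", str(home)))
    return [
        home / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
        appdata / "Macromedia/Flash Player/#SharedObjects",                   # Windows
    ]

def find_lsos(roots):
    """Return {domain: [(path, size_bytes, mtime), ...]} for each .sol file."""
    found = defaultdict(list)
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for sol in root.rglob("*.sol"):
            parts = sol.relative_to(root).parts
            if len(parts) < 3:  # expected: <random dir>/<domain>/.../<name>.sol
                continue
            st = sol.stat()
            found[parts[1]].append((sol, st.st_size, st.st_mtime))
    return dict(found)

def purge(lsos, domains=None):
    """Delete listed LSOs (all, or only the given domains); return the count."""
    removed = 0
    for domain, entries in lsos.items():
        if domains is not None and domain not in domains:
            continue
        for path, _size, _mtime in entries:
            path.unlink()
            removed += 1
    return removed

if __name__ == "__main__":
    lsos = find_lsos(default_roots())
    for domain in sorted(lsos):
        total = sum(size for _p, size, _m in lsos[domain])
        print(f"{domain}: {len(lsos[domain])} object(s), {total} bytes")
    if "--purge" in sys.argv[1:]:
        print("removed", purge(lsos))
```

Run it once after clearing cookies in the browser to list which domains still hold local shared objects; pass `--purge` to delete them.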