Adobe’s small step forward on Flash-cookie control

January 29, 2010

As mentioned at today’s FTC Roundtable, Adobe has announced an important privacy improvement in Flash 10.1 (now in beta testing).

Here’s the relevant passage from the release notes (PDF):

Browser privacy mode (desktop only)
Flash Player 10.1 abides by the host browser’s “private browsing” mode, where local data and browsing activity are not persisted locally, providing a consistent private browsing mechanism for SWF and HTML content. Private local shared objects behave like their public variants as long as Flash Player is in memory and local shared objects created during private browsing are removed when returning to public browsing mode. Existing shared objects are preserved but inaccessible until private browsing is turned off. Libraries in the Flash Player cache, like the Flex framework, are unaffected by private mode. Supported in Firefox, Chrome, and Internet Explorer. No developer action required.

This is helpful from a privacy perspective, in that it aligns with the consumer’s reasonable expectation that activities in private-browsing sessions leave no trace and cannot be associated with activities during other browsing sessions.

But it doesn’t really address the more fundamental concerns raised about Flash cookies when used for behavioral targeting. Consumers expect that when they clear their browsing history using native browser controls, they wipe the slate clean with respect to cookies. While the major ad networks have moved away from using Flash cookies for behavioral tracking, you will find quite a few smaller ad delivery companies still using Flash cookies. The failure of Adobe and the major browser makers to align with consumer expectations is truly inexplicable.


2 Responses to “Adobe’s small step forward on Flash-cookie control”

  1. The use of Adobe Flash Player has been instrumental in innovating and forming the Web as we know it today. Adobe proactively encourages our customers to use all Adobe products in responsible, ethical ways. Adobe does not support the use of our products in ways that intentionally ignore the user’s expressed intentions.

    While the vast majority of Web sites and developers use Local Storage capabilities (often incorrectly referred to as “Flash cookies”) to provide a better user experience, Local Storage is sometimes misused by certain Web site operators or ad networks.

    In particular, Adobe condemns the practice of using Local Storage to back up browser cookies for the purpose of restoring them later without user knowledge and express consent. This practice—also referred to as “browser cookie re-spawning”—circumvents the user’s intent to clear browser cookies and should not be used.

    In every case where rich Internet applications are possible, Local Storage is available (and necessary). The Local Storage capability in Adobe Flash Player is equivalent in concept to the emerging Local Storage capabilities in i.e. HTML5 and Silverlight. The fact that Local Storage in these technologies is distinct from the existing browser cookie system and treated as such by the browsers today underscores the need for responsible use of Local Storage in modern Web applications.

    Adobe has approached the major browser companies to determine whether there is an efficient way to provide users the opportunity to control their Flash Local Storage (and all Local Storage for that matter) when they set their browser privacy settings. We will continue to pursue these efforts and encourage browser companies to work with us to address the needs of our common customers–in particular to ensure that users can set preferences and clear Local Storage (for Adobe Flash Player and other technologies using Local Storage) in the place where they have learned to set their privacy settings. Without this, we could solve the issue for Flash Player and see developers move towards other technologies to accomplish the same type of misuse and abuse that you see with Flash Local Storage today.

    We make these points (and more) in the comment we submitted to the FTC in preparation for today’s privacy roundtable discussions. Our comment should be posted soon to the FTC Web site.

    • Jim Brock Says:

      I’m grateful for your response and your willingness to engage in dialog on this important point. It is unfortunate that you have been unable to reach an accord with any of the major browser makers as to comprehensive LSO controls, as you were able to achieve for private browsing.

      Despite this, I hope you will consider and comment on this suggestion: Why not develop your own browser extensions or add-ons to provide more convenient LSO control? This is technically feasible (we have built such tools for internal PrivacyChoice purposes), without any cooperation from the major browser providers. Nor would you need their cooperation to achieve wide distribution, since you can offer the add-on as an option within your own installation and update processes.

      I recognize that such an approach is not without cost to Adobe. Some users will regularly clear LSOs, as many do with regular browser cookies, choosing a setting to automatically clear them after each browsing session. As a result, the utility and effectiveness of the Flash platform will be degraded for those users, impairing Flash’s value to developers to some inestimable extent.

      In a fair and smart implementation, this cost is manageable. The recommended setting could be to delete only those Flash cookies known to be from tracking-company domains (we’re capturing these in the PrivacyChoice Index). Of course some consumers also would rightly expect an option for complete LSO deletion, but that could fairly be offered as a second choice, framed in the context of the benefits of non-tracking LSOs.

      You’re right to remind us that Flash LSOs are just one variety of local storage technologies that may be abused for tracking. But this makes it even more important that Adobe set a standard for the consumer privacy experience, with or without the direct cooperation of browser manufacturers. Best practices have to start somewhere.
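
The selective-clearing setting proposed in the comment above, sketched as an added example (not code from Adobe, PrivacyChoice or the original post). It assumes the common on-disk layout `<root>/<random dir>/<domain>/.../<name>.sol` and uses a constructed tracker list with placeholder domains; all function names are hypothetical.

```python
import tempfile
from pathlib import Path

# Constructed tracker list (placeholder domains, not taken from any real index).
TRACKER_DOMAINS = {"tracker.example", "ads.example"}

def lso_domain(sol_path: Path, root: Path) -> str:
    """Origin domain of an LSO, assuming <root>/<random dir>/<domain>/.../<name>.sol."""
    parts = sol_path.relative_to(root).parts
    return parts[1].lower() if len(parts) >= 3 else ""

def is_tracker(domain: str, trackers=TRACKER_DOMAINS) -> bool:
    """Match a listed domain or any of its subdomains, never a look-alike suffix."""
    return any(domain == t or domain.endswith("." + t) for t in trackers)

def clear_lsos(root: Path, mode: str = "trackers", dry_run: bool = True):
    """mode='trackers' removes only tracker LSOs; mode='all' removes every LSO."""
    removed = []
    for sol in sorted(root.rglob("*.sol")):
        domain = lso_domain(sol, root)
        if mode == "all" or (mode == "trackers" and is_tracker(domain)):
            removed.append(sol.relative_to(root).as_posix())
            if not dry_run:  # default is report-only, nothing is deleted
                sol.unlink()
    return removed

def build_sample(root: Path) -> None:
    """Create a constructed shared-objects tree for the demonstration."""
    for rel in ("ABCD1234/cdn.tracker.example/id.sol",
                "ABCD1234/game.example/player/save.sol",
                "ABCD1234/nottracker.example/prefs.sol"):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed")

def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample(root)
        deleted = clear_lsos(root, "trackers", dry_run=False)
        remaining = sorted(p.relative_to(root).as_posix() for p in root.rglob("*.sol"))
        return deleted, remaining

if __name__ == "__main__":
    print(demo())
```

The non-tracking LSOs (saved game state, site preferences) survive the selective pass, which is the trade-off the comment describes; `mode="all"` gives the complete-deletion option.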
