Website Administrator

    delivering administrator solutions for your website...


Date added: 20 July 2010
Last Mod: 31 Dec 2010
© 2010 Steve Campisi

Website Administrator Know How Articles

The Flash Super Cookie - The Local Shared Object (LSO Cookies).

(review part 02 - Removing the LSO Cookie)


Flash and the Local Shared Object ( LSO). The Flash Super Cookie. StalkerWare.

This two part article explores the question, "What is an LSO?" for the website administrator and the layman. We will point to some authoritive information on exactly how the Flash Cookie or the Flash Super Cookie works and on how they can be managed or removed by the end user from his or her personal computer. We will also explore how we can deny or limit further collection of personal information which is being stored on other computers to which the user has no access. It is noted that removal of any previously collected data stored on these third party computer systems is beyond any simple measures to access and delete. Though these surreptitious Superior Cookies are not 'new', they are indeed becoming more prevalent in the communal cyberspace landscape.

Introduction to the cookie

You would probably understand an online newspaper following your footsteps on their website as you go from page to page to see the type of articles you prefer, or a shopping site following you to see what groups of products you explore, or a music site following you through the various genres you consider popular. But what if there was another individual that was following you through not one, but all of these places and everywhere else you went as well!

In the real world, you would quickly offer this person up to the police as an obvious stalker. And he could tell them your favorite band, your favorite author, what perfume you buy, your favorite hobbies and eating houses, where you hang out and with what friends etc. It is just plain creepy and an invasion most of us would not like to endure. But there some that could answer all these questions on you and much more. And this can be done with a little piece of hidden code known as a cookie. And perhaps companies that use the cookie in this exact manner will soon earn themselves a deserved title like the Merchants of StalkerWare or some such.

What good is a Cookie or a Local Shared Object.

Before we examine the Local Shared Object, it is best to make sure we understand and have under control it's forerunner, the HTTP cookie. The LSO is mostly used in the same manner as the common "cookie", which is more correctly called a HTTP cookie but can also be known as a web cookie or a browser cookie. When a website uses a cookie, the sole purpose is to uniquely identify you from any other visitor on that given website. And the purpose of that person wanting to individualize you in this manner is unique to that person or organization which codes the page with the cookie.

Among the most popular of reasons for assigning cookies is that the cookie can be used to track your personal progress through the website and keep track of various individual things you like or want such as each item you add to your shopping cart or your preferred custom webpage settings, or in on-line game settings, remembering passwords, etc.

Because Cookies can also store your IP number, and what website or webpage you just came from they are also often used by many Website Administrators to better understand how visitors travel through his website. He can gain an understanding of what pages are worth adding to or need improving or hold no interest for his visitors. These are all just some examples on how cookies are used and so we can see cookies are not without legitimate uses and can be used to improve a website experience for the website user and be a testament to the effectiveness of the website's administrator or the website's on-line game coder.

The general format of a cookie.

document.cookie="CookieName=Cookie Text;domain=SomeWebsite.com;expires=Mon, 24-Dec-2012 11:59:59 GMT;path=/";

Your garden variety cookie is usually quite tiny and defaults at 4kb in size, but are often larger, this is reflective of the amount of information stored with-in. It is unintelligible to the eye but when deciphered is similar to the code above. It is the Cookie Text part which holds the specific data on you, like preferred settings or other information. The domain part can help share the information but can do so only with other website sub-domains that the webpage is on. The general rule is that only the website which laid the cookie can read or write to the cookie.

How do I place cookies on my website? I want to add website cookies with Dreamweaver and PHP.

So learning how to use cookies can enable the Website Administrator or Developer to create his own statistics or add features to his website like auto login and remember me buttons or shopping carts etc. If you use Dreamweaver 8, CS3 or CS4, the Cookies Toolkit is a popular and simple means to insert server side cookies with you PHP version software.

What is a third party cookie.

Protect Your Privacy

There can be two (or more) cookies set from one webpage if that webpage is coded to introduce another's website which lays it's own seperate cookie. These second cookies are known as a third party cookie. So, the thirdy party cookie is basically set at the same time, but this second cookie is actually from a different website to the one you are currently visiting, hence the term Third Party. This extra website can also do the same thing and thus extend the cookie laying to a 4th party etc. (though still called a 3rd party). And if any third party websites can also set a hidden cookie from the next website you visit, (simply by reading and adding each time to the cookie they first laid into your computer), and then do that again in the next website your visit and so on, then this third party website has begun to track your movements across the web. And when a website can do this with you across many, many websites, (and that of all your bffs -best friends forever- at the same time) the door is well and truly opened into the wholesale monitoring or tracking of many movements of the masses.

See this image example of laying a 3rd Party Cookie from the adspecs domain of yahoo.co.uk for an illustrated example. This is their advertising model and Yahoo are one of the few organizations that takes the time to try to explain it to the visitor with a picture model. (They also have policy which limits how others use cookies if using the Yahoo ad service.) We can use their image for our educational purposes, and we can see the process doesn't require all 6 steps. We can simply have "1 and 2" which is followed by either "3 and 4", or "5 and 6". You'll note that the last step can include a Flash component which of course can then lay an LSO.

What if i choose not to use cookies.

You can of course happily browse the internet with no cookies. This is only a problem if you want to use sites that demand you must use cookies or else you can not log into that website and make use of their services.

Many people wipe all cookies from their system regularly. They will still allow cookies (but usually not the third party cookie) and thus they are free to use all of their favorite websites, like perhaps eBay or hotmail etc. This is easy if you have a program or an internet browser like Firefox for example, which has the option to wipe all cookies each time the user closes their Firefox browser. See the Keep Until: option in the fig 01 image below with the "Clear History" box checked. This feature depends on what you have selected in the corresponding "Settings" button.

You can follow this procedure to set this up using Firefox: (Note: To only clean cookies, you would only check that one option [see fig 02]. You can see that Firefox allows for other options which give you even more privacy in this menu. I personally would wipe the lot. But make sure you know or have access to your passwords if you plan to check the Saved Passwords box here.) You might also note that we uncheck the Accept Third Party Cookie option in fig. 01.

  1. 1. Tools
  2. 2. Options - [see fig 01]
  3. 3. Privacy
  4. 4. [check] Clear History when Firefox Closes
  5. 5. Settings (button) - [see fig 02]
  6. 6. Select items you want cleaned each time Firefox closes.

Having wiped all your cookies causes you to appear as a first-time visitor the next time you return to a favorite website. Most people feel no love is lost in this scenario because many do not personalize any websites they visit and are happy to use the offered standard default presentation. Note: The settings menu [fig 02] has the "Privacy Plus" option installed which allows us to also wipe any new Flash Local Stored Cookies from your system. This option is one of the FireFox only add-ons we will explore later in this article. Also, please note this is not the only thing we need to do to control the LSO beast, so please read on.

FireFox Tools/Options and Settings Window
[ Fig 01   &   Fig 02 ]

FireFox Settings Tab PicFireFox Settings Tab

Cookie control in Internet Explorer

If you are using Internet Explorer, cookies are controlled from:

  1. 1. Tools
  2. 2. Internet Options
  3. 3. Privacy
  4. 4. Select the "advanced" button (near the middle of that window -Not the tab at the top right corner!).
  5. 5. Choose "Override Automatic Cookie Handling" (box should be checked)
  6. 6. Select "Block All Third Party Cookies" (as a minimum privacy measure).

Firefox has long been the better browser of the two when it comes to user privacy and flexibility. Deleting cookies through Firefox will not delete them for Internet Explorer and vice versa.

Where are cookies stored on my computer and how do i remove them.

Various browsers and versions store cookies in different locations on your hard drive. It is easier to have a "cleaner" program to help you remove cookies from your computer, especially if you use more than one internet browser. An example would be the free Cookie Monster program available from ampsoft.net which also empowers you by giving you control over which cookies you may want to keep. This is pretty simple to understand with this program.

If you have never cleaned cookies from your hard drive before, this list is probably staggering in size.

On an XP computer using firefox, one of the easiest ways to find cookies is to use your computer's search function to locate the folder called "Cookies". This is the storehouse for HTTP cookies on your hard drive. The cookies folder will be found in the following location: C:\Documents and Settings folder, but you will also need to browse to the users log-on identity name folder to see it. This identity name (user name) is the same name you login with at windows start-up and is displayed on the top of the "start" menu when you click it.

Why do i have so many cookies on my computer.

Over the years we have become accustomed to the heavy use of the HTTP cookie thanks to the many extremely popular web services that demand you accept cookies else you can not use that service or feature they have on offer. An extremely popular example might be microsoft's hotmail. And even though there are other fully featured free online email sites that do not use cookies, many still make use of these "cookie only access" websites for services and agree to enable cookies. And there are many, many examples of popular sites that use cookies. eBay, Amazon, Bing, Google, Yahoo, and the list goes on and on. (you can also check your cookies list to see who you know that uses cookies).

Here is an old but interesting article from pcworld.com discussing the govt. use in allowing a 3rd party cookie to be placed on video visitors to their website which also demonstrates that a flagrant use of cookies can motivate the tech savvy into action and question whether attention should be given to the moderation of this field.

How thorough can cookie tracking be?

Do not underestimate the value of the cookie. The best way to explain the thoroughness of cookie tracking is to see for yourself just how much raw data can be amassed from what you have also freely given and which companies can then on-sell. See for example, Beencounter who do a wonderful job of compiling data for internet businesses and their service also sums up pretty well just how invasive the cookie can be, as does the Amazon company, Alexa. We also have the Microsoft group of companies that have long been a pace setter in cookie cutting for many a year and have fantastic reach as does google with their "google ads". Be sure to view the public privacy pages where any company that deploys them, will vaguely explain the use of cookies as it applies to their organizations.

If you plan to research the science behind just how to interpret and use data collected with cookies, a great place to start would be to google; "Behavioral Targeting", "Behavioral Monitoring", "Behavioral Tracking" or perhaps "Behavioral Management ".

It is not that extrapolation of any such data is with out merit. The newspaper, the shopping mall or the music store would learn what type of products are more in demand and can better serve their visitors etc. So on a small scale or over a handful of sites, the invasion is easier to tolerate and is more of an annoyance than an issue. But more recently, it is the evidence of an extreme depth of reach coupled with a persistent and stealth like manner striving for continual discovery that many find insolent and hence sobering. The stock and trade of the online stalker is the cookie and it's clones. And there are other clones aborning.

But i never knew i was accepting cookies!

If you are new to the subject of cookies, then minimumly, you have also been allowing the third party cookie craze to influence the various image and advertising content being served to your web browser for quite some time.

It is also possible that newer computer users are completely unaware they are accepting cookies and third party cookies as most browsers set this option to "accept" for them during the installation process, or during the operating system installation process. Many simply hope the automatic software installation is optimumly configured to best to protect their private interests with respect to the laws of the land. Certainly being no expert on the subject of privacy laws, and to hazard a guess, most countries would bulk at the cookie intrusion only if it went the other way. That is, if you were to track all the internet paths made by any major organization during its course of business for any length of time, we would probably see some laws against the activity very quickly (or foolproof software to prevent it). But if major business wanted to track all the internet paths of any number of individuals over any length of time, well... and as a couple of the above links suggest, it makes for good business.

But then again, maybe not, many businesses have been on line long enough for a thorough data inspection to be compiled into a nice itemized report which could list close to all of their online product sources and online clients.

Re-cloaking the Third Party Cookie

And as we have now seen, some websites you visit also help other websites set cookies on your machine to collate similar and/or other data. And as many cookie savvy people have no interest in allowing others to collect their personal data through this use of the 3rd party cookie, they purposely disable the 3rd party cookie function in their cookie settings in their web browsers (see fig 01 and fig 02 above) and clean their system of all other non-important cookies often.

But this was where the real fun lays for those that covet as much other people's personal data as is possible and of which, under normal circumstance, they would not be privy to. And so a solution was needed to find another way to gather this data on you. It would be a bonus if you could not easily wipe the past history too and it would be preferable if you were also kept in the dark on this and any other new method for a few more years yet. And so the need for another form of behavioral stalkerware began to grow.

The Local Shared Object, aka the flash cookie takes the stage.

And the Adobe Flash Local Shared Object can offer precisely what a cookie does and more.

I would guess the primary motivation of this invasive urge could be summed up as "the brute force method of technically prospecting for consumers of products and services". Or "I have more right to hock my wares than you, plus i am bigger and smarter than you!" If we were to place a The Simpson's image here, it would be one of Monty Burns' Slant Drilling Co where he usurps the financial glory away from the impoverished local elementary school by covertly drilling their oil right out from under their noses, simply because he secretly can and the belief that he has more entitlement to the riches than any other.

And so it is that our Local Shared Object can and is used in very much the same way as the common HTTP cookie and mostly for very similar purposes. And the icing is that you can also have Third Party Local Shared Objects with both forms being much harder to delete, and these can stay on your system forever. The cookie must have an expiry date, the LSO does not.

The LSO was developed in the days when Flash was a Macrovision owned product and introduced with the Flash Communication Server MX 1.0 & Flash Player 6 releases. A subsequent release of Flash Player 8, saw a greater accessibility for the end user to have some control over the LSO with thanks to public demand at that time. Thankfully, for those that enjoy flash, Adobe have maintained access for the end user to have some control over the LSO as we will discover shortly.

As an aside here, it must be very annoying for any stalkerware groups that apple plan on offering no support for flash in iPhone, iPod, and iPad products leaving the supporters of flash to scramble in an attempt to (and perhaps ignorantly) try and develop a hack solution to work around this. But the fact remains, HTML 5 promises to make embedding of efficient movies a simple trick and the need for flash will dwindle as HTML5 becomes the apple in apple's eye and for many other HTML coders looking to embed movies into websites.

Current public awareness of the increasing utilization of the LSO as a cookie is still not high, but growing. And there are those that want to know more about you and usually for your own good if you will just let them. And so we have now arrived at a place where, and only for those who have flash object support installed in their internet browsers (about 99% of us), we have a new super cookie with attitude.

cookie free web surfing

Zombie Cookies

And what do you call a cookie that you have deleted, which then magically comes back to life to stalk you yet again? With all the data you thought was deleted! These re-spawning quote, zombie cookies unquote, have attracted a bit of media attention from the UK's BBC newsroom recently over a trial citing online organizations using a Quantcast Flash application to restore deleted cookies. The BBC also have a couple of other interesting articles linked at the bottom of that page for those wishing for a little more information too. But for now, let's select the link below and learn how to do something about the LSO in Part Two of our article, the next page.

Next Page: Local Shared Object Handling - What to do and how to do it.

Hook this article/post into:
Delicious Digg Facebook Google StumbleUpon Technorati Twitter Yahoo

| downloads | home | articles index |