This two-part article explores the question, "What is an LSO?" for the website administrator and the layman. We will point to some authoritative information on exactly how the Flash Cookie or the Flash Super Cookie works and on how they can be managed or removed by the end user from his or her personal computer. We will also explore how we can deny or limit further collection of personal information which is being stored on other computers to which the user has no access. It is noted that removal of any previously collected data stored on these third party computer systems is beyond any simple measures to access and delete. Though these surreptitious Superior Cookies are not 'new', they are indeed becoming more prevalent in the communal cyberspace landscape.
You would probably understand an online newspaper following your footsteps on their website as you go from page to page to see the type of articles you prefer, or a shopping site following you to see what groups of products you explore, or a music site following you through the various genres you consider popular. But what if there was another individual that was following you through not one, but all of these places and everywhere else you went as well!
In the real world, you would quickly offer this person up to the police as an obvious stalker. And he could tell them your favorite band, your favorite author, what perfume you buy, your favorite hobbies and eating houses, where you hang out and with what friends etc. It is just plain creepy and an invasion most of us would not like to endure. But there are some that could answer all these questions on you and much more. And this can be done with a little piece of hidden code known as a cookie. And perhaps companies that use the cookie in this exact manner will soon earn themselves a deserved title like the Merchants of StalkerWare or some such.
Before we examine the Local Shared Object, it is best to make sure we understand and have under control its forerunner, the HTTP cookie. The LSO is mostly used in the same manner as the common "cookie", which is more correctly called an HTTP cookie but can also be known as a web cookie or a browser cookie. When a website uses a cookie, the sole purpose is to uniquely identify you from any other visitor on that given website. And the purpose of that person wanting to individualize you in this manner is unique to that person or organization which codes the page with the cookie.
Among the most popular of reasons for assigning cookies is that the cookie can be used to track your personal progress through the website and keep track of various individual things you like or want such as each item you add to your shopping cart or your preferred custom webpage settings, or in on-line game settings, remembering passwords, etc.
document.cookie="CookieName=Cookie Text;domain=SomeWebsite.com;expires=Mon, 24-Dec-2012 11:59:59 GMT;path=/";
Your garden variety cookie is usually quite tiny and defaults at 4kb in size, but they are often larger; this reflects the amount of information stored within. It is unintelligible to the eye but when deciphered is similar to the code above. It is the Cookie Text part which holds the specific data on you, like preferred settings or other information. The domain part can help share the information, but only with other sub-domains of the website that the webpage is on. The general rule is that only the website which laid the cookie can read or write to the cookie.
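To make the name, domain, expires and path parts concrete, here is an added example (not code from the original article) that parses the cookie string shown above and works out which hosts would get the cookie sent back to them. The function names are hypothetical, and the matching is simplified: a real browser also refuses a domain= value that does not cover the site setting the cookie.

```javascript
// Added example: parse the cookie string shown above and decide whether a
// given host, path and time would cause the browser to send it back.
const MONTHS = ['jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','dec'];

// Parses dates such as "Mon, 24-Dec-2012 11:59:59 GMT"; returns null if malformed.
function parseExpires(text) {
  const m = /(\d{1,2})[- ]([A-Za-z]{3})[- ](\d{4}) (\d{2}):(\d{2}):(\d{2})/.exec(text);
  const month = m ? MONTHS.indexOf(m[2].toLowerCase()) : -1;
  return month === -1 ? null : new Date(Date.UTC(+m[3], month, +m[1], +m[4], +m[5], +m[6]));
}

// setByHost is the host of the page that set the cookie (used when no domain= is given).
function parseCookieString(str, setByHost) {
  const [first, ...attrs] = str.split(';').map(p => p.trim()).filter(Boolean);
  const eq = first.indexOf('=');
  const cookie = { name: first.slice(0, eq), value: first.slice(eq + 1),
                   domain: setByHost.toLowerCase(), hostOnly: true, path: '/', expires: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;          // domain= widens the scope to sub-domains
    } else if (key === 'path' && val.startsWith('/')) {
      cookie.path = val;
    } else if (key === 'expires') {
      cookie.expires = parseExpires(val);
    }
  }
  return cookie;
}

function wouldSend(cookie, host, path, now) {
  const h = host.toLowerCase();
  const domainOk = h === cookie.domain ||
    (!cookie.hostOnly && h.endsWith('.' + cookie.domain));
  const prefix = cookie.path.endsWith('/') ? cookie.path : cookie.path + '/';
  const pathOk = path === cookie.path || path.startsWith(prefix);
  const fresh = cookie.expires === null || now < cookie.expires; // null = session cookie
  return domainOk && pathOk && fresh;
}

// The article's own example string.
const PAGE_COOKIE = 'CookieName=Cookie Text;domain=SomeWebsite.com;' +
  'expires=Mon, 24-Dec-2012 11:59:59 GMT;path=/';
```

Note that a look-alike host such as notsomewebsite.com does not match, because the comparison is made on whole domain labels and not on the raw end of the string.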
There can be two (or more) cookies set from one webpage if that webpage is coded to introduce another website which lays its own separate cookie. This second cookie is known as a third party cookie. So, the third party cookie is basically set at the same time, but this second cookie is actually from a different website to the one you are currently visiting, hence the term Third Party. This extra website can also do the same thing and thus extend the cookie laying to a 4th party etc. (though still called a 3rd party). And if any third party website can also set a hidden cookie from the next website you visit (simply by reading and adding each time to the cookie they first laid into your computer), and then do that again in the next website you visit and so on, then this third party website has begun to track your movements across the web. And when a website can do this with you across many, many websites (and that of all your bffs -best friends forever- at the same time), the door is well and truly opened into the wholesale monitoring or tracking of many movements of the masses.
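The following added example (not part of the original article) shows how you could audit your own browsing for this pattern: it reads a request log and reports any cookie value that the same third party site received from pages on two or more different websites. The log format, host names and function names are assumptions made for illustration, and the "site" of a host is approximated by its last two labels; real tooling would use the Public Suffix List.

```javascript
// Added example: flag cookie values that one third party site receives from
// pages on several different first party sites.
// Constructed sample log (not real traffic): page visited, host contacted, Cookie header sent.
const SAMPLE_LOG = [
  { page: 'www.news.example',  host: 'www.news.example',     cookie: 'session=n1' },
  { page: 'www.news.example',  host: 'cdn.adnet.example',    cookie: 'uid=7f3a; lang=en' },
  { page: 'www.shop.example',  host: 'www.shop.example',     cookie: 'cart=c9' },
  { page: 'www.shop.example',  host: 'px.adnet.example',     cookie: 'uid=7f3a' },
  { page: 'www.shop.example',  host: 'widget.chat.example',  cookie: 'v=1' },
  { page: 'www.music.example', host: 'px.adnet.example',     cookie: 'uid=7f3a' },
  { page: 'www.music.example', host: 'fonts.static.example', cookie: '' },
];

// Assumption: the registrable site is the last two labels of the host name.
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Splits a Cookie request header into [name, value] pairs.
function parseCookieHeader(header) {
  return header.split(';').map(p => p.trim()).filter(Boolean).map(p => {
    const i = p.indexOf('=');
    return i === -1 ? [p, ''] : [p.slice(0, i), p.slice(i + 1)];
  });
}

function findCrossSiteIds(log, minSites = 2) {
  const seen = new Map(); // "tracker name=value" -> { tracker, cookie, sites }
  for (const { page, host, cookie } of log) {
    if (!cookie || site(page) === site(host)) continue; // skip first party requests
    for (const [name, value] of parseCookieHeader(cookie)) {
      const key = `${site(host)} ${name}=${value}`;
      if (!seen.has(key)) {
        seen.set(key, { tracker: site(host), cookie: `${name}=${value}`, sites: new Set() });
      }
      seen.get(key).sites.add(site(page));
    }
  }
  // Keep only identifiers observed on at least minSites different websites.
  return [...seen.values()]
    .filter(f => f.sites.size >= minSites)
    .map(f => ({ tracker: f.tracker, cookie: f.cookie, sites: [...f.sites].sort() }));
}
```

On the constructed log, only the uid value sent to adnet.example is reported, because it is the one identifier that follows the visitor across the news, shop and music sites.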
Many people wipe all cookies from their system regularly. They will still allow cookies (but usually not the third party cookie) and thus they are free to use all of their favorite websites, like perhaps eBay or hotmail etc. This is easy if you have a program or an internet browser like Firefox for example, which has the option to wipe all cookies each time the user closes their Firefox browser. See the Keep Until: option in the fig 01 image below with the "Clear History" box checked. This feature depends on what you have selected in the corresponding "Settings" button.
You can follow this procedure to set this up using Firefox: (Note: To only clean cookies, you would only check that one option [see fig 02]. You can see that Firefox allows for other options which give you even more privacy in this menu. I personally would wipe the lot. But make sure you know or have access to your passwords if you plan to check the Saved Passwords box here.) You might also note that we uncheck the Accept Third Party Cookie option in fig. 01.
Having wiped all your cookies causes you to appear as a first-time visitor the next time you return to a favorite website. Most people feel no love is lost in this scenario because many do not personalize any websites they visit and are happy to use the offered standard default presentation. Note: The settings menu [fig 02] has the "Privacy Plus" option installed which allows us to also wipe any new Flash Local Stored Cookies from your system. This option is one of the Firefox-only add-ons we will explore later in this article. Also, please note this is not the only thing we need to do to control the LSO beast, so please read on.
Firefox Tools/Options and Settings Window
[ Fig 01 & Fig 02 ]
Cookie control in Internet Explorer
If you are using Internet Explorer, cookies are controlled from:
Firefox has long been the better browser of the two when it comes to user privacy and flexibility. Deleting cookies through Firefox will not delete them for Internet Explorer and vice versa.
Various browsers and versions store cookies in different locations on your hard drive. It is easier to have a "cleaner" program to help you remove cookies from your computer, especially if you use more than one internet browser. An example would be the free Cookie Monster program available from ampsoft.net which also empowers you by giving you control over which cookies you may want to keep. This is pretty simple to understand with this program.
If you have never cleaned cookies from your hard drive before, this list is probably staggering in size.
On an XP computer using Firefox, one of the easiest ways to find cookies is to use your computer's search function to locate the folder called "Cookies". This is the storehouse for HTTP cookies on your hard drive. The cookies folder will be found in the following location: C:\Documents and Settings folder, but you will also need to browse to the user's log-on identity name folder to see it. This identity name (user name) is the same name you log in with at Windows start-up and is displayed on the top of the "start" menu when you click it.
If you plan to research the science behind just how to interpret and use data collected with cookies, a great place to start would be to google "Behavioral Targeting", "Behavioral Monitoring", "Behavioral Tracking" or perhaps "Behavioral Management".
It is not that extrapolation of any such data is without merit. The newspaper, the shopping mall or the music store would learn what type of products are more in demand and can better serve their visitors etc. So on a small scale or over a handful of sites, the invasion is easier to tolerate and is more of an annoyance than an issue. But more recently, it is the evidence of an extreme depth of reach coupled with a persistent and stealth-like manner striving for continual discovery that many find insolent and hence sobering. The stock in trade of the online stalker is the cookie and its clones. And there are other clones aborning.
If you are new to the subject of cookies, then at a minimum, you have also been allowing the third party cookie craze to influence the various image and advertising content being served to your web browser for quite some time.
It is also possible that newer computer users are completely unaware they are accepting cookies and third party cookies, as most browsers set this option to "accept" for them during the installation process, or during the operating system installation process. Many simply hope the automatic software installation is optimally configured to best protect their private interests with respect to the laws of the land. Certainly being no expert on the subject of privacy laws, and to hazard a guess, most countries would balk at the cookie intrusion only if it went the other way. That is, if you were to track all the internet paths made by any major organization during its course of business for any length of time, we would probably see some laws against the activity very quickly (or foolproof software to prevent it). But if major business wanted to track all the internet paths of any number of individuals over any length of time, well... and as a couple of the above links suggest, it makes for good business.
But then again, maybe not, many businesses have been on line long enough for a thorough data inspection to be compiled into a nice itemized report which could list close to all of their online product sources and online clients.
And as we have now seen, some websites you visit also help other websites set cookies on your machine to collate similar and/or other data. And as many cookie savvy people have no interest in allowing others to collect their personal data through this use of the 3rd party cookie, they purposely disable the 3rd party cookie function in their cookie settings in their web browsers (see fig 01 and fig 02 above) and clean their system of all other non-important cookies often.
But this was where the real fun lies for those that covet as much of other people's personal data as possible, data to which, under normal circumstances, they would not be privy. And so a solution was needed to find another way to gather this data on you. It would be a bonus if you could not easily wipe the past history too, and it would be preferable if you were also kept in the dark on this and any other new method for a few more years yet. And so the need for another form of behavioral stalkerware began to grow.
And the Adobe Flash Local Shared Object can offer precisely what a cookie does and more.
I would guess the primary motivation of this invasive urge could be summed up as "the brute force method of technically prospecting for consumers of products and services". Or "I have more right to hock my wares than you, plus I am bigger and smarter than you!" If we were to place an image from The Simpsons here, it would be one of Monty Burns' Slant Drilling Co, where he usurps the financial glory away from the impoverished local elementary school by covertly drilling their oil right out from under their noses, simply because he secretly can and in the belief that he has more entitlement to the riches than any other.
And so it is that our Local Shared Object can be, and is, used in very much the same way as the common HTTP cookie and mostly for very similar purposes. And the icing is that you can also have Third Party Local Shared Objects, with both forms being much harder to delete, and these can stay on your system forever. The cookie must have an expiry date; the LSO does not.
The LSO was developed in the days when Flash was a Macrovision owned product and introduced with the Flash Communication Server MX 1.0 & Flash Player 6 releases. A subsequent release, Flash Player 8, saw greater accessibility for the end user to have some control over the LSO, thanks to public demand at that time. Thankfully, for those that enjoy Flash, Adobe have maintained access for the end user to have some control over the LSO as we will discover shortly.
As an aside here, it must be very annoying for any stalkerware groups that Apple plan on offering no support for Flash in iPhone, iPod, and iPad products, leaving the supporters of Flash to scramble in an attempt to (and perhaps ignorantly) try and develop a hack solution to work around this. But the fact remains, HTML5 promises to make embedding of efficient movies a simple trick, and the need for Flash will dwindle as HTML5 becomes the apple in Apple's eye and for many other HTML coders looking to embed movies into websites.
Current public awareness of the increasing utilization of the LSO as a cookie is still not high, but growing. And there are those that want to know more about you, and usually for your own good if you will just let them. And so we have now arrived at a place where, and only for those who have Flash object support installed in their internet browsers (about 99% of us), we have a new super cookie with attitude.
And what do you call a cookie that you have deleted, which then magically comes back to life to stalk you yet again? With all the data you thought was deleted! These re-spawning "zombie cookies" have attracted a bit of media attention from the UK's BBC newsroom recently over a trial citing online organizations using a Quantcast Flash application to restore deleted cookies. The BBC also have a couple of other interesting articles linked at the bottom of that page for those wishing for a little more information too. But for now, let's select the link below and learn how to do something about the LSO in Part Two of our article, the next page.