Flash cookie

from Wikipedia, the free encyclopedia

A Flash cookie (or Local Shared Object, LSO for short, often imprecisely called a supercookie) is a cookie tied to the Adobe Flash Player, i.e. a file in which a website or web application stores user-related data on the user's PC for later retrieval while the user surfs the Internet. Flash cookies are not easy to manage on the target computer and usually have a longer retention period than normal text cookies. Because large amounts of user-specific data are written into them, which can be read out later, they represent a data protection problem. Although the files are created when surfing with a web browser, they work across browsers: they are used by the respective Flash player plug-in, which stores the data centrally and independently of the browser in the file system of the operating system in use. Just like the Adobe Flash Player, other Flash players, e.g. Gnash, create Flash cookies.

Demarcation

In contrast to conventional "HTTP cookies", this technology enables website operators to save content on the target computer (client) independently of the browser and without an expiration date. For example, data that was written when viewing Flash content (films, streaming media, advertising, etc.) via a specific browser (e.g. Mozilla Firefox) is also sent to the central computer (host) when the same website is viewed with a different browser (e.g. Internet Explorer). The host can then trace the surfing behavior of a local PC. While classic cookies are limited to a size of 4 KB, Flash cookies can store up to 100 KB. If this size is exceeded, the user is notified. If the user agrees, the storage space can be changed in steps (0 kB, 10 kB, 100 kB, 1 MB, 10 MB, unlimited).

Flash cookies can interact with classic cookies: they can copy and store them and, if the user has explicitly deleted them in the browser, restore them on the next visit to the relevant website (re-spawning).

Handling Flash Cookies

From the user's data protection perspective, it is problematic that Flash cookies are not administered by the browser's cookie management, but by the Adobe Flash program itself, which is external to the browser. They can only be managed and deleted in a laborious manner using the Adobe settings manager. They can also be deleted manually or with the help of special software (Flash Cookie Killer, CCleaner). Re-spawning also runs counter to informational self-determination, because it deprives the user of control over the cookies.

Locations

Flash cookies are created by the Adobe Flash plug-in under the user folder of the currently logged-in user. If the corresponding directories are not available, Flash cookies cannot be created and used. Flash cookies usually have a .sol file extension. The applications create a domain folder within the assigned storage location (cookies from Wikipedia, for example, would be stored in a separate folder de.wikipedia.org). Self-executing Flash programs usually use localhost as the domain (for example, on Windows XP: C:\Documents and Settings\Username\Application Data\Macromedia\Flash Player\#SharedObjects) or, as with Adobe AIR, a separate directory created for the application.

Default locations

Windows
  Location:
  • %APPDATA%\Macromedia\Flash Player\#SharedObjects
  • %APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
  • %APPDATA%\[AIR Package ID]\Local Store\#SharedObjects\
  Annotation:
  • %APPDATA% stands for the user directory
  • Adobe AIR applications store separately in their own folder
macOS
  Location:
  • ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects
  • ~/Library/Preferences/[AIR Package ID]
  • ~/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys
  Annotation:
  • ~ stands for the user directory
  • Adobe AIR applications store separately in their own folder
Linux
  Location:
  • ~/.macromedia/Macromedia/Flash Player
  • ~/.macromedia/Flash_Player/#SharedObjects
  • ~/.gnash/SharedObjects (when using Gnash)
  • ~/.config/freshwrapper-data/Shockwave Flash/WritableRoot/#SharedObjects/ (when using the Freshplayer and Pepperflash plugins)
  • ~/.config/google-chrome/Default/Pepper Data/Shockwave Flash/WritableRoot/#SharedObjects (with the PepperFlash plug-in in Google Chrome)

Delete / prevent flash cookies

The storage of Flash cookies can be configured with the settings manager of the Flash player, which can be accessed via the control panel or online via the Adobe website.
Without an Internet connection, the user can also manually control the storage of Flash cookies (see table for directories).

  • In Mac OS X, it is sufficient to write-protect the folder. Page-specific setting options of the Flash player are then no longer possible. It is also possible to lock the domain folders separately and to prevent the creation of Flash cookies on individual pages.
  • Under Windows you can delete the directories and replace them with empty, write-protected files of the same name. It is also possible here to “protect” domain folders separately.
  • Under Linux, as under Mac OS X, it is possible to revoke write access to folders. With Gnash it is possible to set a different storage location in the configuration file 'gnashrc', e.g. /dev/null.
  • To manage Flash cookies, Firefox up to and including version 56 also has browser extensions such as BetterPrivacy, which can be used to automate the deletion of Flash cookies, or the developer extension Objection, which displays detailed information on the individual Flash cookies. However, since Firefox version 57 these are no longer compatible. From version 57 (more precisely: for all Firefox versions that support the WebExtension API) there is the Clear Flash Cookies add-on, but it cannot display any saved Flash cookies.
  • Regardless of the browser, there are now many programs that enable the user to remove cookies on the hard drive. The system cleaning program BleachBit is available for Linux and Windows. There are now many programs under Windows that can also remove Flash cookies.
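
An added example (not part of the original article): a Python audit that walks the default storage locations listed under "Locations", groups the .sol files by domain folder, and reports whether each location is writable, write-protected, or replaced by a file as described in this section. The names ROOTS, domain_of, root_state and audit are hypothetical, and the domain lookup is a heuristic that assumes the domain folder is the first directory named localhost or containing a dot.

```python
import stat
import sys
from pathlib import Path

# Per-user LSO roots from the locations table, relative to the home directory
# (Linux, macOS) or to %APPDATA% (Windows).
ROOTS = {
    "linux": [
        ".macromedia/Flash_Player/#SharedObjects",
        ".gnash/SharedObjects",
        ".config/google-chrome/Default/Pepper Data/Shockwave Flash/WritableRoot/#SharedObjects",
        ".config/freshwrapper-data/Shockwave Flash/WritableRoot/#SharedObjects",
    ],
    "macos": ["Library/Preferences/Macromedia/Flash Player/#SharedObjects"],
    "windows": ["Macromedia/Flash Player/#SharedObjects"],
}

def domain_of(root, sol):
    """Assumed heuristic: the domain folder is the first directory below the
    root whose name is 'localhost' or contains a dot."""
    dirs = sol.relative_to(root).parts[:-1]
    for name in dirs:
        if name == "localhost" or "." in name:
            return name
    return dirs[0] if dirs else "(no domain folder)"

def root_state(root):
    """Classify a storage root according to the mitigations in this section."""
    if not root.exists():
        return "absent"            # no directory, so nothing can be stored
    if not root.is_dir():
        return "blocked-by-file"   # directory replaced by a file (Windows tip)
    write_bits = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
    # Mode bits are only meaningful on POSIX systems (macOS, Linux).
    return "writable" if root.stat().st_mode & write_bits else "write-protected"

def audit(base, platform):
    """Return {root: {"state": str, "domains": {domain: [file names]}}}."""
    report = {}
    for rel in ROOTS[platform]:
        root = Path(base) / rel
        domains = {}
        if root.is_dir():
            for sol in sorted(root.rglob("*.sol")):
                domains.setdefault(domain_of(root, sol), []).append(sol.name)
        report[rel] = {"state": root_state(root), "domains": domains}
    return report

if __name__ == "__main__":
    platform = sys.argv[1] if len(sys.argv) > 1 else "linux"
    for rel, info in audit(Path.home(), platform).items():
        print(rel, info["state"], info["domains"])
```

On Windows, pass the value of %APPDATA% as the base directory instead of the home directory.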

Criticism

Due to the advantages of Flash cookies (more difficult for the user to delete, more storage space than HTTP cookies), many websites have recognized the Flash alternative as a supplement to conventional cookies. A US study from 2009 counted the use of Flash cookies on the 100 most popular websites for the first time and found them on 89 of them, over half of which saved information about the users. In contrast to HTTP cookies, their Flash equivalents can mostly only be deleted by hand, or at least a browser extension is required. A Flash cookie can also be used as a kind of backup for an HTTP cookie. This means that, even if the user deletes the HTTP cookies, they will be available again on the next visit, based on the data in the Flash cookie. It is also seen as problematic that Flash cookies act across browsers.

Legal position

Germany

Flash cookies can only contain settings for a website. However, in cases where an identification option (ID) is set up in the cookies and this is used to record user behavior, this is personal data. In this case, the consent of the user must be obtained before storage. If this is not done, the operator of the website violates applicable law. According to the EU Cookie Directive, or the amended Article 5 Paragraph 3 of Directive 2002/58/EC (ePrivacy Directive), the setting of cookies is generally only permitted with the consent of the person concerned.

Lawsuits in the United States

On July 23, 2010, the operators of the websites of MTV, ESPN, Myspace, Hulu, ABC, NBC and Scribd were sued in the United States District Court (Central District of California) because, according to the class action lawsuit, they had used Flash cookies to restore HTTP cookies. This enabled the user's behavior to be followed. The lawsuit ended with a settlement in which the defendants reject the allegations and donate US$2.5 million to research on data protection on the Internet.

Another class action lawsuit in 2011 was dismissed as inadmissible because the data subjects' data was not assigned a value equivalent to a loss of over $5,000 under the Computer Fraud and Abuse Act (CFAA).
