LSO (Flash Cookies) – A Serious Attack on Your Privacy

Crafty business learned long ago that names and the connotations that surround names are important. It just wouldn’t do, for example, to call a piece of computer spyware – “spyware”, or “tracker”, or “privacy invader”. Doing so would be sure to upset the unwitting victim.

So, instead of “tracker”, why not call the item a “cookie”? Good name, good connotations – happy memories of arriving home from school to a plate of cookies and a glass of milk.

Equally important, from a business perspective, is the need to convince the victim that the questionable item has value, is constructive, and will make their Internet experience a smoother ride. But don’t believe it.

Cookies are there for the benefit of advertisers, not the web site visitor – plain and simple. Keep in mind that it’s critically important to advertisers to generate advertising that is specific to the web site visitor at the time of the visit – not later, but right then. And cookies are the tool that makes this possible.

Luckily, today’s Internet browsers can be set to allow full user control over cookies including accepting, rejecting, or wiping private data which includes wiping cookies. That is, until recently.

It appears that a user’s decision to control cookies in this way is simply not acceptable to advertisers and certain web sites, and so we now have the Flash cookie, or Local Shared Object (LSO).

Flash cookies offer advertisers major advantages, not the least of which is that they are virtually unknown to the average user. Equally important from an advertiser’s perspective, they remain active on a system even after the user has cleared cookies and privacy settings. To call this a deceptive practice would be a major understatement. Crooked, immoral, fraudulent, illegal, are just some of the words that come to mind.

If you think this practice is restricted to shady web sites, you’d be wrong. Of the top 100 web sites, 50+ use Flash Cookies. One of the things I’ve learned in my years in technology is that crooks come in every size and shape. So, I was not particularly surprised when I found some of my favorite sites involved in this reprehensible practice.

Quick LSO facts:

Never expire

Can store up to 100 KB of information compared to a text cookie’s 4 KB.

Internet browsers are not aware of those cookies.

LSO’s usually cannot be removed by browsers.

Using Flash they can access and store highly specific personal and technical information (system, user name, files,…).

Can send the stored information to the appropriate server, without user’s permission.

Flash applications do not need to be visible.

There is no easy way to tell which flash-cookie sites are tracking you.

Shared folders allow cross-browser tracking – LSOs work in every Flash-enabled application.

No user-friendly way to manage LSOs; in fact, it’s incredibly cumbersome.

Many domains and tracking companies make extensive use of flash-cookies.
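
To make the list above concrete (LSOs live outside the browser, in a shared folder, and there is no easy way to tell which sites have stored them), here is an added example that is not part of the original article: a Python inventory of Flash cookies grouped by the domain that stored them. The folder locations, the `.sol` extension and the header layout are Flash Player conventions assumed here, not details given in the article; `SAMPLE_SOL` is a constructed sample.

```python
import os, struct, sys
from collections import defaultdict
from pathlib import Path

# Constructed sample: a minimal .sol header for an object named "prefs".
SAMPLE_SOL = b"\x00\xbf\x00\x00\x00\x15TCSO\x00\x04\x00\x00\x00\x00\x00\x05prefs\x00\x00\x00\x00"

def default_root():
    """Flash Player's default LSO directory per platform (assumed install paths)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("APPDATA", str(home / "AppData" / "Roaming")))
        return base / "Macromedia" / "Flash Player" / "#SharedObjects"
    if sys.platform == "darwin":
        return home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects"
    return home / ".macromedia/Flash_Player/#SharedObjects"

def parse_sol_name(data):
    """Return the object name from a .sol header, or None if it is not an LSO."""
    # Header: 00 BF | u32 length | "TCSO" | 6 fixed bytes | u16 name length | name
    if len(data) < 18 or data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        return None
    (name_len,) = struct.unpack(">H", data[16:18])
    name = data[18:18 + name_len]
    return name.decode("utf-8", "replace") if len(name) == name_len else None

def inventory(root):
    """Map each storing domain to a list of (object name, size, path)."""
    root, found = Path(root), defaultdict(list)
    if not root.is_dir():
        return {}
    for sol in sorted(root.rglob("*.sol")):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:      # expected: <random dir>/<domain>/[...]/<name>.sol
            continue
        name = parse_sol_name(sol.read_bytes()[:512])
        if name is not None:    # skip files that only look like LSOs
            found[parts[1]].append((name, sol.stat().st_size, sol))
    return dict(found)

def purge(found, keep=()):
    """Delete every inventoried LSO except those from domains listed in keep."""
    removed = 0
    for domain, items in found.items():
        if domain not in keep:
            for _name, _size, path in items:
                path.unlink()
                removed += 1
    return removed

if __name__ == "__main__":
    for domain, items in sorted(inventory(default_root()).items()):
        print(f"{domain}: {len(items)} object(s), {sum(i[1] for i in items)} bytes")
```

Run as a script it only lists what is stored; `purge()` deletes, and its `keep` argument is for domains whose stored Flash content you still rely on.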

Without a doubt, you need to control these highly invasive objects, and if you are a Firefox user there is a solution – BetterPrivacy – a free Firefox add-on.

From the BetterPrivacy page:

“Better Privacy serves to protect against not deletable, long-term cookies, a new generation of ‘Super-Cookie’, which silently conquered the internet.

This new cookie generation offers unlimited user tracking to industry and market research. Concerning privacy Flash- and DOM Storage objects are most critical.

This add-on was made to make users aware of those hidden, never expiring objects and to offer an easy way to get rid of them – since browsers are unable to do that for you”.


Download at: Mozilla

Simple HTTP cookies can be subject to attack by cyber criminals, so it won’t be long before flash cookies will be subject to the same manipulation. Better you should learn how to control them now – not later.

I have tried to write this article in a non-technical way, to make it easy for the average computer user to understand. For a more detailed breakdown on flash cookies, and the danger they represent to personal privacy, check out The Electronic Privacy Information Center.

Update: September 23, 2009 – Professional Tech and regular guest writer, Dave Brooks, has found a solution for IE users at I am Super.


12 responses to “LSO (Flash Cookies) – A Serious Attack on Your Privacy”

  1. freewareelite

    What if I use Internet Explorer [7]? How can I delete those “Flash Cookies”? Can CCleaner do it?

  2. Dave Brooks

    Bill, for those of us that use IE (I do, mainly IE x64, very fast!) I did a bit of Googling and found a solution to not only remove existing flash cookies, but prevent them altogether, figured I’d post it for your readers.

  3. Dave Brooks

    People need to keep in mind however, that if you use the instructions at the link I posted, that sites that rely on stored flash content (such as Pandora) will no longer work.

    • Bill Mullins

      I hear ya on this Dave. That’s the very reason I didn’t include this advice. But your original comment made me rethink this. All in all, it is appropriate information.


  4. Dave Brooks

    I’m running into quite a few sites that won’t work properly when this is disabled, Western Digital’s support site for one.

    • Bill Mullins

      Hey Dave,

      After an average surfing session (2/3 hours), the BetterPrivacy FF add-on removes 25 to 30 LSOs from my machine with just a simple click, and creates no problems. I still can’t believe the high numbers of LSOs I run into.


  5. dar

    -duh, this ol’ mechanic has flash disabled,images too, in opera 90% of the time
    -for most browsing flash isn’t necessary& is a cpu hog as well
    -& now prof Bill reveals it’s a portal for cyber criminals: ThankYou,prof Bill

    • Bill Mullins


      Your setup is certainly good for instances where heightened security is necessary on a particular machine. I doubt if many average users would choose to exclude some very wonderful parts of the web browsing experience, in this way however.

      The real issues are nondisclosure in the use of this type of tracking, and the lack of appropriate tools that make it easy for average users to either accept, or reject the cookie.


  7. TP

    What about the windows 7 users…. where are THEY?!