Somebody ate David Farrar's cookie. | The Jackal

23 Feb 2011


If you've visited David Farrar's Kiwiblog (KB) recently, its Local Shared Object (LSO) super cookie might still be in effect on your computer, tracking your every internet move. An LSO cookie is not a normal cookie; usually you cannot delete it through your browser. Many LSOs will re-spawn a normal cookie. The KB LSO is not the DART Google cookie.


LSO cookies threaten your privacy because they never expire and allow access to your computer. However, such cookies can contain data that you consider useful, for example stored Flash game settings or personal data for automatic log-ins. If you decide to delete an LSO, make sure not to lose important data by backing up your files.

An LSO is a small programmable token, or app if you like, installed secretly onto your system. There will probably be lots of them, so going through them and keeping only the LSO cookies from sites you trust is recommended. LSO or tracking cookies can slow your computer's performance and internet connection when they send information to the programmer's server.

LSOs also use up your broadband data, but unless there are lots of them this effect will not usually be that noticeable. Most LSOs allow editing on the fly, so they can do pretty much anything the programmer wants on your computer. LSOs have the potential to store and track your activity online, which is then accessible to whoever implemented the cookie or to anyone they choose to on-sell that information to. Here's the fix:

Install BetterPrivacy or a similar application. Please follow the instructions carefully.

Some Flash LSO cookie properties in short:
- they never expire, staying on your computer for an unlimited time.
- browsers are not aware of these cookies; LSOs usually cannot be removed by browsers.
- via Flash they can access and store highly specific personal and technical information (system, user name, files, …).
- they can send the stored information to the appropriate server without the user's permission.
- Flash applications do not need to be visible.
- there is no easy way to tell which Flash-cookie sites are tracking you.
- shared folders allow cross-browser tracking; LSOs work in every Flash-enabled application.
- the company doesn't provide a user-friendly way to manage LSOs; in fact it's incredibly cumbersome.
- many domains and tracking companies make extensive use of Flash cookies.

These cookies are not harmless. Unfortunately it's not possible for an add-on to get the exact URLs of the sites that stored those LSOs. Here's a simple test to see which LSO belongs to which website:

1. Install Better Privacy to find LSO cookies.
2. Back up the LSO folder onto external media.
3. Prevent automatic deletion of trusted LSOs using Better Privacy.
4. Delete unchecked LSOs from the system by restarting Firefox.
5. Revisit Kiwiblog and then check the LSO cookie list again. Gotcha!

This test will work for any site deploying LSO cookies. I also purged many of the standard cookies through the Firefox preferences and changed the settings in Better Privacy so that it informs me when a site installs an LSO cookie onto my computer; I can then decide whether I want to prevent automatic deletion.
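To run steps 2 to 5 without clicking through the add-on, here is a small Python script (an added example, not from the original post or from BetterPrivacy) that snapshots the Flash Player #SharedObjects folder, keeps only LSOs from domains you trust, and reports which domain re-created its .sol file after a revisit. The storage location, the sample domains and the file contents in the demo are assumptions.

```python
import tempfile
from pathlib import Path

# Flash Player keeps one directory per site under #SharedObjects/<random id>/<domain>/...
# (Linux/macOS location; on Windows it is %APPDATA%\Macromedia\Flash Player\#SharedObjects).
DEFAULT_ROOT = Path.home() / ".macromedia" / "Flash_Player" / "#SharedObjects"

def site_of(sol_path, root):
    """Domain that wrote the LSO: the path component after the random id."""
    parts = sol_path.relative_to(root).parts
    return parts[1] if len(parts) >= 3 else None

def snapshot(root=DEFAULT_ROOT):
    """Map each .sol file (path relative to root) to (domain, size, mtime)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): (site_of(p, root), p.stat().st_size, p.stat().st_mtime)
            for p in root.rglob("*.sol")}

def purge_untrusted(root, trusted):
    """Delete every .sol not written by a trusted domain; return the domains purged."""
    root, purged = Path(root), set()
    for p in list(root.rglob("*.sol")):
        site = site_of(p, root)
        if site not in trusted:
            p.unlink()
            purged.add(site)
    return purged

def new_or_changed(before, after):
    """Domains whose LSOs appeared or changed between two snapshots."""
    changed = {}
    for rel, (site, size, mtime) in after.items():
        if before.get(rel, (None, None, None))[1:] != (size, mtime):
            changed.setdefault(site, []).append(rel)
    return changed

def _write(root, rel, payload):
    p = Path(root, rel)
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(payload)

def demo():
    """Walk-through on a constructed tree (domains and contents are made up)."""
    root = tempfile.mkdtemp()
    _write(root, "ABC123/game.example/settings.sol", b"\x00\xbf" + b"x" * 40)  # trusted
    _write(root, "ABC123/tracker.example/uid.sol", b"\x00\xbf" + b"y" * 20)
    purged = purge_untrusted(root, {"game.example"})  # steps 3 and 4: keep trusted, drop the rest
    before = snapshot(root)
    _write(root, "ABC123/tracker.example/uid.sol", b"\x00\xbf" + b"z" * 20)  # step 5: site re-creates it
    return purged, new_or_changed(before, snapshot(root))
```

On a real machine, call snapshot() before and after revisiting a site and pass both to new_or_changed() to see which domain wrote the LSO.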

Local Shared Objects, or .sol files, can potentially do anything on your computer. They are mainly used as a tracking device to see where you go on the Internet. An LSO is not a normal cookie and cannot be removed through the browser preferences.

WIRED: You Deleted Your Cookies? Think Again

All modern browsers now include fine-grained controls to let users decide which cookies to accept and which to get rid of, but LSO cookies are handled differently. These are managed through a web page on Adobe's site, where the controls are not easily understood (there is a panel for Global Privacy Settings and another for Website Privacy Settings, and the difference is unclear). In fact, the controls are so odd that the page has to tell you that it is the control, not just a tutorial on how to use the control.

LSOs can be used by web sites to collect information on how people navigate those web sites even if people believe they have restricted data collection. More than half of the Internet’s top websites use LSOs to track users and store information about them. There is relatively little public awareness of LSOs, and they can usually not be deleted by the cookie privacy controls in a web browser. This may lead a web user to believe a computer is cleared of tracking objects, when it is not.

Several services even use LSOs as surreptitious data storage to reinstate traditional cookies that a user deleted, a policy called "re-spawning" in homage to video games where adversaries come back to life even after being "killed". So, even if a user gets rid of a website's tracking cookie, that cookie's unique ID will be assigned back to a new cookie again using the Flash data as "backup". In the USA, at least five class-action lawsuits have accused media companies of surreptitiously using Flash cookies.

In certain countries it is illegal to track users without their knowledge and consent. For example, in the UK, customers must consent to the use of cookies/LSOs as defined in the "Guidance on the Privacy and Electronic Communications (EC Directive) Regulations 2003":

Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:

* is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

* is given the opportunity to refuse the storage of, or access to, that information.