Friday, February 19, 2010 - The Progress & Freedom Foundation Blog

Privacy Innovation: Adobe Flash Supports Private Browsing & Deletes Flash Cookies

At the FTC's second Exploring Privacy roundtable at Berkeley in January, many of the complaints about online advertising centered on how difficult it was to control the settings for Adobe's Flash player, which is used to display ads, videos and a wide variety of other graphic elements on most modern webpages, as well as the potential for unscrupulous data collectors to "re-spawn" standard (HTTP) cookies even after a user deleted them simply by referencing the Flash cookie on a user's computer from that domain--thus circumventing the user's attempt to clear out their own cookies. Adobe responded to the first criticism by promising to include better privacy management features in Flash 10.1 and by condemning such re-spawning and calling for "a mix of technology tools and regulatory efforts" to deal with the problem (including FTC enforcement). (Adobe's filing offers a great history of Flash, a summary of its use and an introduction to Flash Cookies, which Adam Marcus detailed here.)

Earlier this week (and less than three weeks later), Adobe rolled out Flash 10.1, which offers an ingenious solution to the problem of how to manage Flash cookies: Flash now simply integrates its privacy controls with Internet Explorer, Firefox and Chrome (and will soon do so with Safari). So when the user turns on "private browsing mode" in these browsers, the Flash Cookies will be stored only temporarily, allowing users to use the full functionality of the site, but the Flash Player will "automatically clear any data it might store during a private browsing session, helping to keep your history private." That's a pretty big step and an elegantly simple solution to the problem of how to empower users to take control of their own privacy. Moreover:

Flash Player separates the local storage used in normal browsing from the local storage used during private browsing. So when you enter private browsing mode, sites that you previously visited will not be able to see information they saved on your computer during normal browsing. For example, if you saved your login and password in a web application powered by Flash during normal browsing, the site won't remember that information when you visit the site under private browsing, keeping your identity private.

Our friends at PrivacyChoice applauded this move but suggest that Adobe ought to take the browser-integration concept one step further such that, when "Consumers ...  clear their browsing history using native browser controls, they wipe the slate clean with respect to cookies." To the extent that Flash Cookies are, indeed, actually being used just like standard cookies for tracking purposes, I think that kind of control would indeed implement the reasonable expectation of consumers. Indeed, Adobe is already working on how to implement this technologically complicated solution (which should fix the re-spawning problem), as they noted in their FTC filing:

Adobe has approached the major browser companies to determine whether there is an efficient way to provide users the opportunity to control their Flash Local Storage (and all Local Storage for that matter) when they set their browser privacy settings. We will continue to pursue these efforts and encourage browser companies to work with us to address the needs of our common customers--in particular to ensure that users can set preferences and clear Local Storage (for Adobe Flash Player and other technologies using Local Storage) in the place where they have learned to set their privacy settings. Without this, we could solve the issue for Flash Player and see developers move towards other technologies to accomplish the same type of misuse and abuse that you see with Flash Local Storage today.

So, I look forward to seeing Adobe continue its privacy-innovation in a future version of Flash by implementing some kind of a feature in browsers that lets users delete their Flash Cookies along with their HTTP cookies.

A Similar Approach to "Browser Fingerprints"?


Similarly, I look forward to seeing future browsers address the problem raised by the eagle-eyed watchdogs at the Electronic Frontier Foundation:

When you visit a website, you are allowing that site to access a lot of information about your computer's configuration. Combined, this information can create a kind of fingerprint -- a signature that could be used to identify you and your computer. But how effective would this kind of online tracking be?

Peter Eckersley explains how such identification could occur here:

It turns out that, in addition to the commonly discussed "identifying" characteristics of web browsers, like IP addresses and tracking cookies, there are more subtle differences between browsers that can be used to tell them apart.

One significant example is the User-Agent string, which contains the name, operating system and precise version number of the browser, and which is sent to every web server you visit. A typical User Agent string looks something like this:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6


Check out EFF's Panopticlick Project to see what such information your browser is sending. I won't pretend to be any expert on the technical back-end of this, but I'm pretty optimistic we'll see a solution to this problem implemented at either the browser level or the OS level so that, if you decide you really want to shroud your browsing by using private browsing mode, you at least have the option of making your browsing really private by suppressing transmission of this information or just sending a set of standard answers that don't uniquely identify you. (Of course, some users might actually want to use private browsing mode in a less-private mode that continues to send this information if, for example, the quality of my browsing experience is affected because webpages aren't optimized for my screen resolution, browser version or OS, etc.)
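An added illustration (not code from EFF, Panopticlick or the original post) of how the attributes quoted above combine into a fingerprint, and of what the "standard answers" idea does to it. The visitor sample, the helper names and the rule for generalizing a User-Agent are all constructed for this example; only the first User-Agent string comes from the page.

```python
import math
import re
from collections import Counter

UA_A = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) "
        "Gecko/20070725 Firefox/2.0.0.6")                 # string quoted on the page
UA_B = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) "
        "Gecko/20100115 Firefox/3.6")                     # constructed
UA_C = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) "
        "Gecko/20100115 Firefox/3.6")                     # constructed
UA_D = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"  # constructed

# Constructed visitors: (User-Agent, screen resolution, UTC offset in minutes).
SAMPLE = [
    (UA_A, "1280x1024", 0),   (UA_B, "1280x1024", 300),
    (UA_B, "1024x768", 300),  (UA_C, "1280x1024", 300),
    (UA_C, "1280x1024", 300), (UA_C, "1680x1050", 480),
    (UA_D, "1280x1024", 300), (UA_D, "1680x1050", 300),
]

def surprisal_bits(value, observed):
    """Identifying information in one value: -log2(share of the sample sending it)."""
    return -math.log2(Counter(observed)[value] / len(observed))

def unique_fraction(fingerprints):
    """Share of visitors whose fingerprint nobody else in the sample shares."""
    counts = Counter(fingerprints)
    return sum(1 for fp in fingerprints if counts[fp] == 1) / len(fingerprints)

def generalize_ua(ua):
    """Simplified 'standard answer': keep only browser family and major version."""
    m = re.search(r"(Firefox|MSIE|Chrome|Safari)[/ ](\d+)", ua)
    return f"{m.group(1)}/{m.group(2)}" if m else "other"

def report(sample=SAMPLE):
    uas = [row[0] for row in sample]
    generalized = [(generalize_ua(ua), res, tz) for ua, res, tz in sample]
    return {
        "bits_in_page_ua": surprisal_bits(UA_A, uas),
        "unique_by_ua_alone": unique_fraction(uas),
        "unique_by_all_attributes": unique_fraction(sample),
        "unique_with_generalized_ua": unique_fraction(generalized),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

On this constructed sample the User-Agent alone singles out one visitor in eight, while the combined attributes single out six; generalizing only the User-Agent still leaves five unique, because resolution and time zone keep splitting visitors until they are standardized too.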

While I'm reasonably confident that the OS and browser makers will eventually solve this problem (which appears to be theoretical at this point, with no evidence that any advertisers are actually doing this sort of identification--say, to re-spawn deleted cookies), I can appreciate that some people might say that solution would be too slow in coming. I'd caution them against giving up on private browsing mode as an inadequate form of user empowerment--and leaping to the conclusion that only regulation can really fix the problem. Regulation comes at a cost, as Adam and I have repeatedly noted, given the benefits to users from data sharing. But moreover, it won't protect anyone from truly bad actors that ignore U.S. regulation--which is a rather large problem since the Internet is a global medium, and we Internet browsers can't just assume we're safe because the U.S. government is regulating data collection.

So even if you think we need regulation, we clearly have to keep working on privacy-enhancing technologies. And if you don't think my suggestion of simply applying Adobe's approach of bolstering private browsing mode is going to happen quickly enough (or at all) and you thus conclude that the government needs to get involved, why assume that the government intervention should be sweeping proscriptive regulation of how data is collected and used online? Why not first start with the "less restrictive" alternative of having the government try to assist in brokering a deal among the key players to make this technology work?

Or perhaps the government could even help to fund the development of such technologies in the same way Secretary Clinton recently announced the State Department would "establish a standing effort that will harness the power of connection technologies and apply them to our diplomatic goals," such as "supporting the development of new tools that enable citizens to exercise their rights of free expression by circumventing politically motivated censorship?" To be sure, we don't want government funding or design in this space to crowd out private innovation, but figuring out how to avoid that problem while doing something constructive to improve privacy enhancing technologies would be far easier than trying to decide how to weigh the trade-offs inherent in data regulation.

And, hey, if I can truly shroud my browsing activity from tracking just by turning on private browsing mode, what's the problem with tracking, again? If you think people don't know enough about how to protect themselves, let's give the FTC money to educate consumers--something they're very good at, as the YouAreHere campaign for teens they launched late last year demonstrates.

posted by Berin Szoka @ 8:48 AM | Advertising & Marketing , Privacy , Privacy Solutions