IPcentral Weblog
  The DACA Blog

Friday, February 19, 2010

Privacy Innovation: Adobe Flash Supports Private Browsing & Deletes Flash Cookies

At the FTC's second Exploring Privacy roundtable at Berkeley in January, many of the complaints about online advertising centered on how difficult it was to control the settings for Adobe's Flash player, which is used to display ads, videos and a wide variety of other graphic elements on most modern webpages, as well as the potential for unscrupulous data collectors to "re-spawn" standard (HTTP) cookies even after a user deleted them simply by referencing the Flash cookie on a user's computer from that domain--thus circumventing the user's attempt to clear out their own cookies. Adobe responded to the first criticism by promising to include better privacy management features in Flash 10.1 and by condemning such re-spawning and calling for "a mix of technology tools and regulatory efforts" to deal with the problem (including FTC enforcement). (Adobe's filing offers a great history of Flash, a summary of its use and an introduction to Flash Cookies, which Adam Marcus detailed here.)

Earlier this week (and less than three weeks later), Adobe rolled out Flash 10.1, which offers an ingenious solution to the problem of how to manage Flash cookies: Flash now simply integrates its privacy controls with Internet Explorer, Firefox and Chrome (and will soon do so with Safari). So when the user turns on "private browsing mode" in these browsers, the Flash Cookies will be stored only temporarily, allowing users to use the full functionality of the site, but the Flash Player will "automatically clear any data it might store during a private browsing session, helping to keep your history private." That's a pretty big step and an elegantly simple solution to the problem of how to empower users to take control of their own privacy. Moreover:

Flash Player separates the local storage used in normal browsing from the local storage used during private browsing. So when you enter private browsing mode, sites that you previously visited will not be able to see information they saved on your computer during normal browsing. For example, if you saved your login and password in a web application powered by Flash during normal browsing, the site won't remember that information when you visit the site under private browsing, keeping your identity private.

Our friends at PrivacyChoice applauded this move but suggest that Adobe ought to take the browser-integration concept one step further such that, when "Consumers ...  clear their browsing history using native browser controls, they wipe the slate clean with respect to cookies." To the extent that Flash Cookies are, indeed, actually being used just like standard cookies for tracking purposes, I think that kind of control would indeed implement the reasonable expectation of consumers. Indeed, Adobe is already working on how to implement this technologically complicated solution (which should fix the re-spawning problem), as they noted in their FTC filing:

Adobe has approached the major browser companies to determine whether there is an efficient way to provide users the opportunity to control their Flash Local Storage (and all Local Storage for that matter) when they set their browser privacy settings. We will continue to pursue these efforts and encourage browser companies to work with us to address the needs of our common customers--in particular to ensure that users can set preferences and clear Local Storage (for Adobe Flash Player and other technologies using Local Storage) in the place where they have learned to set their privacy settings. Without this, we could solve the issue for Flash Player and see developers move towards other technologies to accomplish the same type of misuse and abuse that you see with Flash Local Storage today.

So, I look forward to seeing Adobe continue its privacy-innovation in a future version of Flash by implementing some kind of a feature in browsers that lets users delete their Flash Cookies along with their HTTP cookies.

A Similar Approach to "Browser Fingerprints"?

Similarly, I look forward to seeing future browsers address the problem raised by the eagle-eyed watchdogs at the Electronic Frontier Foundation:

When you visit a website, you are allowing that site to access a lot of information about your computer's configuration. Combined, this information can create a kind of fingerprint -- a signature that could be used to identify you and your computer. But how effective would this kind of online tracking be?

Peter Eckersley explains how such identification could occur here.

It turns out that, in addition to the commonly discussed "identifying" characteristics of web browsers, like IP addresses and tracking cookies, there are more subtle differences between browsers that can be used to tell them apart.

One significant example is the User-Agent string, which contains the name, operating system and precise version number of the browser, and which is sent to every web server you visit. A typical User Agent string looks something like this:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv: Gecko/20070725 Firefox/

Check out EFF's Panopticlick Project to see what information of this kind your browser is sending. I won't pretend to be any expert on the technical back-end of this, but I'm pretty optimistic we'll see a solution to this problem implemented at either the browser level or the OS level so that, if you decide you really want to shroud your browsing by using private browsing mode, you at least have the option of making your browsing really private by suppressing transmission of this information or just sending a set of standard answers that don't uniquely identify you. (Of course, some users might actually want to use private browsing mode in a less-private mode that continues to send this information if, for example, the quality of their browsing experience is affected because webpages aren't optimized for their screen resolution, browser version or OS, etc.)
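To make the fingerprinting point and the "standard answers" idea concrete, here is an added example (not code from EFF, Panopticlick or this post) that measures how many visitors in a small population become unique as attributes are combined, and how that changes once every browser reports generalized values. The visitor records, the choice of attributes and the `standardize` helper are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample population (not real traffic). Each visitor is
# (User-Agent, screen resolution, timezone offset in minutes).
VISITORS = [
    ("BrowserA/3.6 (OS1)", "1280x1024", 0),
    ("BrowserA/3.6 (OS1)", "1280x1024", -300),
    ("BrowserA/3.6 (OS1)", "1024x768", -300),
    ("BrowserA/3.5 (OS2)", "1440x900", -480),
    ("BrowserB/8.0 (OS1)", "1280x1024", -300),
    ("BrowserB/8.0 (OS1)", "1280x1024", -300),
    ("BrowserB/8.0 (OS1)", "1024x768", -360),
    ("BrowserB/7.0 (OS1)", "1024x768", -300),
]
UA, SCREEN, TZ = 0, 1, 2

def fingerprint(visitor, fields):
    """Project a visitor onto the attributes a site chooses to combine."""
    return tuple(visitor[f] for f in fields)

def anonymity_sets(visitors, fields):
    """Count how many visitors share each fingerprint."""
    return Counter(fingerprint(v, fields) for v in visitors)

def unique_fraction(visitors, fields):
    """Fraction of visitors whose fingerprint nobody else shares."""
    sets = anonymity_sets(visitors, fields)
    alone = sum(1 for v in visitors if sets[fingerprint(v, fields)] == 1)
    return alone / len(visitors)

def surprisal_bits(visitors, fields, visitor):
    """Identifying information in one visitor's fingerprint: -log2(share)."""
    sets = anonymity_sets(visitors, fields)
    return -math.log2(sets[fingerprint(visitor, fields)] / len(visitors))

def standardize(visitor):
    """Hypothetical private-mode policy: report only the browser family,
    a fixed screen value, and no timezone."""
    family = visitor[UA].split("/", 1)[0]
    return (family, "standard", None)

if __name__ == "__main__":
    cases = [("User-Agent only", (UA,)), ("UA + screen", (UA, SCREEN)),
             ("UA + screen + timezone", (UA, SCREEN, TZ))]
    for label, fields in cases:
        print(f"{label:24} unique: {unique_fraction(VISITORS, fields):.0%}")
    generalized = [standardize(v) for v in VISITORS]
    share = unique_fraction(generalized, (UA, SCREEN, TZ))
    print(f"{'standardized answers':24} unique: {share:.0%}")
```

Each attribute alone is shared by several visitors; it is the combination that singles people out, which is why generalizing the answers shrinks the fingerprint back to a crowd.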

While I'm reasonably confident that the OS and browser makers will eventually solve this problem (which appears to be theoretical at this point, with no evidence that any advertisers are actually doing this sort of identification--say, to re-spawn deleted cookies), I can appreciate that some people might say that solution would be too slow in coming. I'd caution them against giving up on private browsing mode as an inadequate form of user empowerment--and leaping to the conclusion that only regulation can really fix the problem. Regulation comes at a cost, as Adam and I have repeatedly noted, given the benefits to users from data sharing. But moreover, it won't protect anyone from truly bad actors that ignore U.S. regulation--which is a rather large problem since the Internet is a global medium, and we Internet browsers can't just assume we're safe because the U.S. government is regulating data collection.

So even if you think we need regulation, we clearly have to keep working on privacy-enhancing technologies. And if you don't think my suggestion of simply applying Adobe's approach of bolstering private browsing mode is going to happen quickly enough (or at all) and you thus conclude that the government needs to get involved, why assume that the government intervention should be sweeping proscriptive regulation of how data is collected and used online? Why not first start with the "less restrictive" alternative of having the government try to assist in brokering a deal among the key players to make this technology work?

Or perhaps the government could even help to fund the development of such technologies in the same way Secretary Clinton recently announced the State Department would "establish a standing effort that will harness the power of connection technologies and apply them to our diplomatic goals," such as "supporting the development of new tools that enable citizens to exercise their rights of free expression by circumventing politically motivated censorship?" To be sure, we don't want government funding or design in this space to crowd out private innovation, but figuring out how to avoid that problem while doing something constructive to improve privacy enhancing technologies would be far easier than trying to decide how to weigh the trade-offs inherent in data regulation.

And, hey, if I can truly shroud my browsing activity from tracking just by turning on private browsing mode, what's the problem with tracking, again? If you think people don't know enough about how to protect themselves, let's give the FTC money to educate consumers--something they're very good at, as the YouAreHere campaign for teens they launched late last year demonstrates.

posted by Berin Szoka @ 8:48 AM | Advertising & Marketing , Privacy , Privacy Solutions



Adobe is unstoppable!!!

Posted by: CT Website Design at July 24, 2010 3:15 PM

I am not a frequent user of Flash. But I have heard about Flash 10.1, which offers an original solution for how to manage Flash cookies. It is very good news.

Posted by: alexwfix at July 30, 2010 8:26 AM

Supporting privacy and private browsing is all well and good, but is it the real problem? Most users' systems are infected with adware and spyware and they are "leaching out" more information than they probably dream possible, so in these cases private browsing is the least of their problems. Whilst I agree that educating consumers is a viable option, surely they need to be educated on computer security in the first instance?

Posted by: Computer Repair Guy at July 31, 2010 9:43 AM

I have to agree with Computer Repair Guy on this one.

Posted by: Don Alliance at August 23, 2010 5:12 PM

I applaud Adobe for allowing the integration of privacy controls with flash cookies, but I would like to be able to clear the cache all at once using the applicable browser rather than using adobe software separately.

Posted by: Web Designer Perth at August 29, 2010 1:29 AM

I agree Perth. There's no reason to have to do it separately.

Posted by: Alexanders 17.3 laptop cases at September 29, 2010 5:52 PM

I have to agree with Perth also, but it's like making life easier for common users, because with Flash Player 10.1, the data it might store is automatically cleared during private browsing, helping users keep their history private.

Posted by: Mike@EncinitasComputerRepair at October 9, 2010 11:49 PM

Nice initiative, Adobe! This surely benefits non-advanced users, for it will help them keep their history private in a jiffy.

Posted by: San Marcos computer repair at October 11, 2010 5:37 PM

This will definitely increase important data protection. A good tool for newbies.

Posted by: Computer repair los angeles guy at October 18, 2010 9:45 PM

This is great for Adobe and flash as a small part of providing reliable online tools, but what is Adobe going to do about the fact that Flash is becoming less and less used in creating dynamic websites and WordPress has become the new popular tool for creating websites and even blogs too.

Posted by: Pete the WordPress Designer at January 8, 2011 12:57 PM

Adobe is absolutely unstoppable. All hail Adobe! :)

Posted by: Thomas at January 20, 2011 5:08 AM

Adobe is absolutely unstoppable. All hail Adobe! :)

Posted by: Thomas at January 20, 2011 5:10 AM

Secure browsing can be accomplished when the portable browser is run from an encrypted flash drive and privacy settings are incorporated.

Posted by: Joe Encrypted Flash Drive Guy at February 2, 2011 3:58 PM

Adobe just gets better every time! Data protection should always be a must!

Posted by: Ardham Kelly at March 16, 2012 8:59 AM

When I am playing Facebook it stops and tells me that I have to start over, so I have to go back and reboot Facebook, and then it does it again. How can I stop this? Because this is a new laptop, I could be it, but I don't think so. Thank you, Karen Johnson

Posted by: Karen Johnson at July 7, 2014 1:33 PM

The Progress & Freedom Foundation