Flash Cookies

What Is A Flash Cookie?

Flash cookies, or more correctly Local Shared Objects, are Adobe's proprietary response to the need to maintain state. In concept they are very similar to HTTP cookies: each is a name-value pair which is accessible by content served by the same domain (and only that domain) which initially set the cookie. Unlike standard cookies, which are supported by all popular browsers, Local Shared Objects only work on browsers which have Adobe's Flash utility installed. Because they are not core browser functionality, Flash cookies have no internal browser controls and aren't always directly visible through standard browser tools, but as of this edit it appears that more browser controls will be available in future browser releases. To access information on your browser's Flash cookies you can visit Adobe's site.

How Are Flash Cookies Used?

Flash cookies work much like ordinary HTTP cookies but with a potentially larger capacity to store data. In practice there are programming reasons, beyond the scope of this site, why their use is advantageous over normal cookies for Flash applications. Flash cookies have received negative privacy attention, however, because certain practitioners may use them to circumvent user choice: either by removing that choice in the first place, since there are no direct browser controls for Flash cookies, or by using the Flash cookie itself as a means of reinstating traditional cookies after a consumer has deleted them. In practice, a cookie setter, perhaps a third-party ad serving system, would set both a Flash cookie and a traditional HTTP cookie storing the same information, e.g. id=abc123. Ad servers work primarily with HTTP cookies, and when they see a request arrive with no previously set cookie they see three possible alternatives:
  1. The browser is proactively blocking HTTP cookies to that domain, either through third-party controls or by otherwise blacklisting the domain. In this case the cookie issuer may circumvent the choice expressed in the browser by using the Flash cookie until such time as the user learns how to manage Flash cookies.
  2. The browser is a new user which has never encountered the ad server before and should have a new cookie set. At this point the HTTP cookie may be mirrored in the Flash cookie, so that if either the HTTP cookie or the Flash cookie is deleted in the future, the other may be reset using the information stored in the surviving cookie.
  3. The ad server has previously set a cookie on this browser and has stored information about this browser, but the browser has subsequently deleted that cookie. Now the value stored in the surviving cookie may be used to reinstate the deleted cookie.
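
A user or auditor can check for the mirroring and reinstatement described above by comparing stored values before and after a cookie deletion. The following is an added example, not part of the original article; it assumes the HTTP cookie and Local Shared Object values have already been extracted into (domain, name) -> value mappings, and all domains, values and function names are constructed for illustration.

```python
# Constructed sample data: (domain, name) -> value. Not taken from any real site.
HTTP_BEFORE = {
    ("ads.example", "id"): "abc123",
    ("movies.example", "zip"): "90210",
    ("news.example", "session"): "s-777",
}
# Values found in Flash Local Shared Objects (assumed already extracted).
LSO_STORE = {
    ("ads.example", "id"): "abc123",
    ("movies.example", "zip"): "90210",
}
# HTTP cookies seen after the user deleted all HTTP cookies and revisited.
HTTP_AFTER = {
    ("ads.example", "id"): "abc123",       # old value came back
    ("news.example", "session"): "s-901",  # fresh value, not a reinstatement
}


def mirrored_values(http_cookies, lso_store):
    """HTTP cookies whose value is also held in an LSO of the same domain."""
    lso_by_domain = {}
    for (domain, _name), value in lso_store.items():
        lso_by_domain.setdefault(domain, set()).add(value)
    return {
        key: value
        for key, value in http_cookies.items()
        if value in lso_by_domain.get(key[0], set())
    }


def respawned(before, after, lso_store):
    """Cookies that returned after deletion with the same value as before,
    where that value had a surviving copy in an LSO."""
    mirrored = mirrored_values(before, lso_store)
    return sorted(
        key
        for key, value in after.items()
        if before.get(key) == value and mirrored.get(key) == value
    )


if __name__ == "__main__":
    print("mirrored in LSO:", sorted(mirrored_values(HTTP_BEFORE, LSO_STORE)))
    print("reinstated after deletion:", respawned(HTTP_BEFORE, HTTP_AFTER, LSO_STORE))
```

A mirrored value alone (the zip example) only shows that a backup copy exists; a value that returns unchanged after deletion is the signal that the surviving copy was used to reinstate the cookie.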

The prevalence of cookie deletion for standard HTTP cookies has made maintaining state for periods of time longer than a browser session or overnight increasingly difficult. With deletion rates as high as potentially 15-18% within 24 hours, all parties reliant on cookies to store data for periods longer than that face a significant challenge. The problem is exacerbated by the fact that consumers may not truly know what they are doing when they exercise a generic DELETE ALL cookies choice, as such a choice may delete both cookies which store your preferences at your customizable portal or movie listings site and cookies which store data about you referenced by an analytics or ad server. A reasonable argument can be (and is) made by sites in the first category who wish to back up their standard cookie with a Flash cookie so they may reconstitute your preferences should you "inadvertently" delete their cookie. Of course the rub here is intent, and the presumption that a cookie issuer truly knows the consumer's intent. While it may be reasonable for a movie listings site to use Flash cookies to reinstate your zip=90210 cookie, it may be a greater stretch to assume the deletion of an ad serving cookie was unintentional and that its reinstatement via Flash is therefore justified. Particular attention has been paid to the latter practice by the US Federal Trade Commission and it remains to be seen how this will play out. At the time of this writing, August 2010, we have come to expect: more consumer-friendly tools from Adobe relating to Local Shared Objects, advice from the FTC with respect to maintenance of consumer choice, and the potential for industry codes of conduct around the use of secondary or backup storage of consumer data.