Flash Player Worries Privacy Advocates

Macromedia's Flash media player is raising concerns among privacy advocates for its little-known ability to store computer users' personal information and assign a unique identifier to their machines.

By Michael Cohn
InternetWeek
April 15, 2005 06:22 PM

Macromedia's Flash media player is raising concerns among privacy advocates for its little-known ability to store computer users' personal information and assign a unique identifier to their machines.

"A lot of media players come with identifiers embedded in them to track content usage and digital rights management," Chris Hoofnagle, director of the Electronic Privacy Information Center's West Coast office, said. "With respect to Windows Media Player and now the Macromedia player, we're realizing that the media players themselves are creating privacy risks."

Flash, popular for its ability to play animation and video clips, employs a technology known as local shared objects to save up to 100KB of information on users' hard drives. By assigning a unique identifier to a computer and preserving it in the space for the local shared object, a website can recognize that someone has already visited the site, and advertisers can use the information to determine that a visitor has previously viewed an ad. Websites that require users to fill out personal information can also associate that data with the identifier.

Macromedia does not view its software as a threat to user privacy.

"The Flash player by its nature doesn't by default gather any information," Jeff Whatcott, vice president of product management at Macromedia, said. " We designed that technology from the beginning to make sure that (computer) users are always in control of their key information."

Macromedia provides instructions on its website for how to disable local shared objects on an individual site or all sites, delete data that is already stored locally, and set the maximum space allowed for storage.

Unfortunately, most Flash users are unaware that the player is storing any information about them at all and are unlikely to see these instructions or understand how to follow them.

"It's really confusing to opt out of Macromedia," Hoofnagle said. "It just goes on and on with all these different preferences. I got frustrated with it and took Flash off my computer altogether. That seemed an easier thing to do."

Flash isn't the only content player with privacy problems.

"Most media players have the capability to monitor what files you play and report that information, as part of a general industry trend toward digital rights management, so a user's consumption can be monitored," Kevin Bankston, an attorney with the Electronic Frontier Foundation, said. "As a civil liberties attorney, that is obviously concerning."

Macromedia emphasized that Flash only stores personal information if computer users elect to fill in the information on a website.

"It only knows information that the users provide," Whatcott said. "It can't dig around and gather information."

Even then, the information is only available to that specific website and is not readily accessible by other websites or rogue software, Whatcott said. Flash stores the information in a random location that can't be easily predicted.

While websites are supposed to safeguard the personal information they gather according to the dictates of their privacy policies, many sites, nevertheless, share customer information widely.

"Sharing is reasonably pervasive," Terry Golesworthy, president of the Customer Respect Group, said. "Not everybody does it, but there's a reasonable amount of sharing that does go on."

Of the 700 to 800 organizations monitored by CRG, 80 percent of the larger organizations that collect data share it within the same company, a practice the organization believes is not a threat to consumers.

"The area that concerns us most is sharing it with business partners and other companies," Golesworthy said. "About a quarter are sharing the data outside their organizations."

Golesworthy points out that it is increasingly difficult for users to exercise control over their personal information, or to delete it once a website has it.

"Flash does collect a lot of data and it's stored on corporate systems," he said. "About 40 percent of companies don't give you good options to control your own data, delete it, edit it, or say you don't want it collected. Seventeen percent give you control. In between are the gray areas."

According to the European Union's Data Protection Act, U.S. websites are deemed an unsafe place to provide data.

Macromedia says it doesn't support the use of Flash to collect personal data without the consent of computer users, and criticized technology that uses local shared objects to preserve cookie information that users delete.

United Virtualities, for example, is a marketing technology vendor that has been leveraging Flash to back up cookies and restore them even after a web surfer deletes them.

Lately, Macromedia has been discussing with browser vendors the creation of a unified privacy and cookie management capability that would be common across browsers and Flash players. Until that happens, users may want to check their settings the next time they visit a Flash-enabled site. To access them, right-click on any Flash video and choose the Settings and then Advanced Settings options.

What is it going to take to stop these people????

If I delete the cookie, I by god expect it to STAY deleted.

That's why proprietary software is so wonderful - your masters can do anything to you and expect you to be helpless.

You could try replacing it with a file of random garbage and making it read-only.

Such as some of my posts to LQ?

I think you mean write-only. LOL

Seriously, though, once I had a Windows virus that was getting in through some file, and until I found the source, I created a blank unwriteable copy with the file name and that fixed it till I could find the real problem. In Linux I guess you'd have to create them with some other userid and make them readable but not writeable to you?

Anyway, why should I worry about Flash giving my details to all and sundry, when C:\WINDOWS\system32\advapi32.dll has a hotline to the NSA (passed on no doubt to MI5)?

Am I the only one who noticed it is 3years old?

Of course not, but Flash is still around and is still a threat. But now we have the choice of different spyware: SilverBlight.

No, I noticed. But I also checked into it a bit and found that - yes - flash is storing info on my computer. I don't recall ever telling it that was OK.

You can use gnash for most flash videos, if only the quality were better I'd use it exclusively. But it does work, so try it out.

In this case it would be nice if someone posted a link to documentation about shutting down this feature. It would be nice also if someone wrote where it stores local data on both linux/windows.

Well, there is a .macromedia directory in your home folder, contains lots of stuff.

and even when you follow the information in the source article to find that control panel thing (which is itself a flash application that you can only find at macromedia, it seems that flash ignores what it is told.

Tell it to save nothing...and it still is saving things. I guess I'll have to set up a cron to periodically delete .macromedia.

Isn't it easier just to "chmod 000 ~/.macromedia" (and possibly also "chown root.root ~/.macromedia")? I think it should be enough.