How to murder a Flash cookie zombie

Flash cookies can be used to track you across the Web without telling you. Here's how to cut their heads off.

The more I use Adobe Flash, the more I understand why Steve Jobs hates it. I can't tell you how many times a misbehaving Flash video has crashed my browser and/or slowed my system to sludge. Happens at least once a week.

Well, here's another good reason to hate Flash: Advertisers are using it to track your movements across the Web.

Or so claims a lawsuit filed by privacy attorney Joseph Malley, one of three he's filed in the last two months against some of the biggest media heavyweights in the world -- Disney, ABC, NBC, MTV, and a host of others.

[ See also: Beware of 'Free' Apple iPad scams on Facebook ]

All use them employ Web ad companies like Quantcast, Specificmedia, and Clearspring to deliver Flash ads, and all of those ads store Flash cookies on your hard drive.

So what's wrong with that? For one thing, most people aren't aware Flash even stores cookies. These cookie files are ridiculously hard to find and manage: You can't get at them from your browser, and they're buried several layers deep inside your Application Data folder on Windows PCs. They can store up to 100K of data per cookie, or about 25 times what a browser cookie can store. And they can be used to recreate tracking cookies you've deleted.

In other words, if you've told an advertiser you don't want to be followed around the Web by deleting its tracking cookie, that advertiser can use Flash to 'respawn' that deleted cookie without telling you -- and continue to track you in secret. Thus Malley's lawsuits, which accuse all of those companies of breaking federal laws against computer intrusion and surveillance.

That respawning bit is why Flash cookies are also called "zombie" cookies. However, like real zombies, they can be stopped -- and you don't even have to cut off their heads (or use cricket bats and vinyl LPs, like in Shaun of the Dead). You just need to use Adobe's Flash Player Settings Manager.

Though you access that control panel via the Web, it's an app that runs on your PC. Naturally, the Adobe tool uses Flash -- and (naturally) the first six times I tried to run the app it crashed my browser. In fact, the Settings Manager was blinking so wildly I feared it might induce an epileptic fit. But eventually, after way too much trial and error, I got it to work.

Here you can change Flash's privacy settings for Webcams, how often you're notified when Adobe has updated its Flash Player, where you store DRM licenses, and the like. But it also shows you which sites have deposited Flash cookies and limit how much space they're taking up.

More important, you can tell Flash to stop storing these cookies. Here's how:  Make sure you've selected "Global Storage Settings panel" in the list on the left, find the box that says "Allow third-party Flash content to store data on your computer" and unselect it.

adobe flash settings manager

Want to get rid of the Flash cookies you already have? You'll need to select "Website Storage Settings panel," where you can delete them one by one (if you're like me and have thousands of these suckers, that will take a while) or select the "Delete all sites" option.

delete adobe flash cookies

That's it. Pretty simple really, assuming you can ever get that damned Flash app to load. What happens after that? Good question. Note that nuking your Flash cookies could mean video and other media play at the wrong volume or load more slowly. As an experiment, I deleted the Flash cookie for Sonypictures.com, and then loaded a video preview from the site. Playback was extremely jumpy -- but whether that was due to the lack of Flash cookies, my Internet connection, browser, or the phase of the moon is kind of impossible to determine.

So, as usual, you should assume there's a cost associated with increasing your privacy. Kind of like killing zombies -- it's hard to do it without getting brains all over you.

UPDATE: Shortly after this post appeared I heard from Joe Malley, the attorney who's suing the pants off NBC, Disney, et al for using Flash zombie cookies. He'd like to hear from aggrieved users about other sites that use this technology to track them. Email him at his gmail address, malleylaw@. And if you end up getting a nice check from a class action settlement, please remember who sent ya.

ITworld TY4NS blogger Dan Tynan often feels like one of the undead. Catch his brand of juvenile snark at eSarcasm (Geek Humor Gone Wild) or follow him on Twitter: @tynan_on_tech.

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies