A Survey of the Use of Adobe Flash Local Shared Objects to Respawn HTTP Cookies (CMU-CyLab-11-001)

Website developers can use Adobe’s Flash Player product to store information locally on users’ disks with Local Shared Objects (LSOs). LSOs can be used to store state information and user identifiers, and thus can be used for similar purposes as HTTP cookies. In a paper by Soltani et al, researchers documented at least four instances of “respawning,” where users deleted their HTTP cookies only to have the HTTP cookies recreated based on LSO data. In addition, the Soltani team found half of the 100 most popular websites used Flash technologies to store information about users. Both respawning and using LSOs to store data about users can reduce online privacy. One year later, we visited popular websites plus 500 randomly-selected websites to determine if respawning still occurs. We found no instances at all of respawning in a randomly-selected group of 500 websites. We found two instances of respawning in the most popular 100 websites. While our methods are different from the Soltani team and we cannot compare directly, our results suggest respawning is not increasing, and may be waning. As in the Soltani study, we found LSOs with unique identifiers. In the 100 most popular websites, LSOs were set at 20, and 9 used their LSOs to store unique identifiers. In 500 randomly selected sites, LSOs were set at 41, and 17 used their LSOs to store unique identifiers. Unique identifiers may, or may not, be keys into back-end databases to perform cookie-style tracking. However, unique identifiers could be benign, for example, uniquely identifying a specific animation or music clip. While we can use contextual information like variable names to guess what a given unique identifier is for, using our study methods we cannot conclusively determine how companies use unique identifiers. We cannot quantify how many, if any, sites are using unique identifiers in LSOs for any purpose that might have privacy implications. Even assuming a pessimistic worst case where all websites with unique identifiers in LSOs are using them to track users, the percentage of such sites studied is low—9% of the top 100, and only 3.4% of the randomly-selected 500 sites we studied. However, over 40% of the LSOs in each data set used unique identifiers, and especially with the top 100 sites, many people could be affected. Because we found sites using LSOs as unique identifiers, we believe further study is needed to determine if these sites are using LSOs to evade users’ choices. However, without visibility into back-end databases, it is difficult to determine how unique identifiers are used. We conclude our paper with policy options and a discussion of implications for industry self-regulation of Internet privacy.