Adobe Flash Player: A Risk To Privacy and Security

Tuesday, October 19, 2010

Adobe Flash Player: a greater risk to privacy and security than you
may realize

Do you know that if you have Adobe's Flash Player plugin installed on
your web browser, your internet activity and history are potentially
being tracked and used without your knowledge or permission? Just
managing tracking cookies through your web browser doesn't prevent
your internet browsing activity, and its history, from being tracked.
Additionally, if you think that just keeping your computer current and
fully patched with all of Microsoft's critical updates keeps it safe
from hackers, think again. Even using an antivirus program with the
most current virus definitions doesn't always prevent your computer
and privacy from being at risk.

Recently I came across a news article that caught my eye. It was
a New York Times technology piece with the title "Code that tracks
users' browsing prompts lawsuits" (Vega, 2010). This article reports
about the increasing number of consumers taking legal action against
companies that track their web activity without the consumer's
knowledge or permission. Adobe's Flash Player is the main conduit for
capturing this tracking data. This isn't the first time that Adobe's
Flash player has created legal privacy issues. In 2008, Windows
Secrets Newsletter published an article on Adobe's Flash cookie
privacy issues. Recently they published another article called
"Eliminate Flash-spawned "zombie" cookies" following up on the same
issue (Leonhard, 2010). Adobe has done little to resolve this issue.
These lawsuits are directed at Adobe and other companies that collect
and sell information about your web browsing activity without your
knowledge or permission. Another ominous contention is that some
companies are surreptitiously using Flash cookies to glean information
from your browser, even though you have your web browser set to reject
tracking cookies.

How does this happen

Adobe's Flash Player browser
plugin uses and stores Flash cookies on your computer, separate from
your better known browser HTML cookies. Both types of cookies are used
to store browsing and site preferences, along with your browsing
history and tracking information. Flash cookies, like your web browser
cookies, are small bits of data saved by the websites you visit. These
websites use these cookies to store website settings and info (like
your name, preferences, Flash game scores, etc.), to track website
behavior, and to target you for specific advertisements. They can also
create what is known as a persistent identification element to uniquely
identify you and track what websites you have visited.

Flash cookies
are not managed through your web browser's cookie settings. This same
Flash cookies storage area can also be used to store a copy of your
browser's cookies, allowing Adobe's Flash to recreate cookies that
have been previously deleted from your browser, i.e. spawned 'zombie'
cookies.

What to do to protect yourself

Adobe doesn't make it easy for
users to manage Flash cookies. By default, when Flash Player is
installed, it automatically allows third parties to store information
on and access your computer. To change these settings you need to
access Flash's Global Setting Manager. The easiest, most
straightforward way to get
started is to open your web browser and copy the Adobe URL listed in
my references (Ezinearticles does not allow me to place the link
here). Or do a Google search on: "adobe flash player setting manager."
The macromedia.com link should be the first and second items
found.

This will take you to the Global Setting panel for Adobe's Flash
Player (see Adobe Flash Player Global Setting Manager below). The
image embedded on the web page is the actual management console, not a
picture. The current version of this panel has eight panels or tabs.
Each tab covers a different aspect of privacy and security. You may
want to add this to your browser's Favorites for future
reference.

Adobe Flash Player Global Setting Manager

Global Privacy Settings

The first tab on the Global Setting Manager is for your
computer's camera and microphone settings. You have the option of
setting this as "Always deny..." or "Always ask..." The "Always
ask..." option forces the Flash Player to ask for your permission
before allowing a third party to access your computer's camera and
microphone. "Always deny..." does just that: it always denies
permission to access your camera and microphone. You will not receive
any notification that a third party tried to access either your camera
or microphone with this option.

Your current settings are not
displayed. Clicking on "Always deny..." or "Always ask..." overrides
any previous global setting made for this. This setting is for sites
you have not already visited. I recommend that you select the "Always
ask" option. This will allow you the option of using an interactive
flash site, requiring the use of your camera and microphone. You will
be prompted to confirm your selection.

You will always be prompted for
your permission at any website requesting access to your camera and
microphone.

Global Flash Cookie Storage Settings

The second tab of the
Global Setting Manager controls how much disk space you will allow for
new web sites (third-parties) to store information, Flash cookies, on
your computer. By denying all, you may prevent some websites from
functioning correctly.

This panel determines the amount of disk space
you will automatically allow third-parties to use for websites you
have not already visited. Some websites may not function correctly if
you do not allow some disk space storage. This is the total amount for
each website. If a website needs or wants more you will receive a
prompt to allow or disallow this additional space (see below). Your
installed Flash Player must be version 8, or newer, to have the option
of allowing or disallowing third-party flash content. If your Flash
version is older than version 9, you will not have the option to
allow/disallow storage and sharing of common Flash components.

The suggested settings that work for me are shown above. The "Allow
third-party Flash" and "Store common Flash" options are needed by a lot
of sites to allow them to function correctly.

Global Security Settings

The
third tab is the Global Security Settings panel. This panel controls
how Shockwave Flash (SWF) and Flash Video (FLV) are handled. The
problem with these types of files is that they can contain applets or
computer scripts that can be used to collect and share information
about you without your knowledge or permission. Both SWF and FLV files
can be embedded on web pages. These files can and do exchange audio,
video, and data using Macromedia's Real Time Messaging Protocol. It is
possible for SWF or FLV content stored locally on your computer to
communicate with the Internet without your knowledge or permission.

I recommend setting this to "Always ask." If a website needs to store
Flash cookies on your computer, you will be prompted for permission.
By being prompted, you will be aware of the website's tracking
activity.

Global Flash Update Notification Setting

The fourth tab is the
Global Notification Settings panel. This is where you set how often
Flash checks for updates. I recommend enabling this feature and having
Flash check for updates at least every seven days. I strongly
recommend that Flash updates be installed as soon as possible for
security reasons. By keeping your Flash Player updated, you make the
malicious code writers' job just a little harder. The security
vulnerabilities for Flash Player plugins are very well-known.

After
installing any Flash updates you should validate that your privacy and
security settings have not changed. With previous Flash updates, the
settings within the Flash manager have reverted back to default, i.e.
wide-open, settings.

Protected Content/License Settings

The fifth tab is
the Protected Content Playback Settings panel. When you purchase or
rent Flash "protected" content, license files are downloaded to your
computer. Sometimes these files become corrupted. By resetting these
files, new licenses can be downloaded. This option should only be used
when protected Flash content is not playing correctly, and a
technician has advised you to reset the license files. This will
reset ALL license files stored on your computer; you are not able to
select individual files.

If you click on the "Reset License Files"
button you will be prompted to confirm or cancel your
selection.

Website Privacy Settings

The sixth tab is the Website Privacy
Settings panel. This is the list of websites you have granted
permission to store data on your computer. This panel is where you can
"Always ask," "Always allow," or "Always deny" access to your
computer's camera and microphone.

The recommended setting is "Always ask" or "Always deny." You can edit
these by highlighting the website and changing the permission or
deleting the website. You can also remove all the websites from this
list by selecting "Delete all sites." The settings on this panel
override the default setting from the Global Privacy Settings panel
for these particular websites.

If you choose to delete a website from this list you are prompted for
confirmation.

Note: The list of websites displayed in this and the following panels
is stored on your computer and displayed to allow you to view and
change your local settings. Adobe claims that it has no access to this
list, or to any of the information that the websites may have stored
on your computer.

Website Storage Settings

The seventh
tab is the Website Storage Settings panel. This lists all the websites
that you have visited that use Flash content, and how much storage
they are using on your computer. You can change the amount of storage
you allow, delete individual websites, or all the websites. This panel
overrides the Global Storage panel settings.

On a Windows 7 computer, the storage location for these files is:
C:\Users\user_name\Application Data\Macromedia\Flash Player
in a folder called #SharedObjects or a subfolder of:
macromedia.com\support\flashplayer\sys.

Note: Deleting the website using the Flash Global Settings Manager
only removes the website's storage content; it does not remove the
folder created for the website. An empty folder will remain on your
computer.

By selecting a website and using the "Delete website" button, you can
delete that website from the list of visited websites. This also
removes all data that the website has stored from this storage area.

Peer-Assisted Networking Settings

The last tab is the Peer-Assisted Networking
Settings panel. This is where you allow or disallow users who are
playing the same content to share your bandwidth. If you are not on a
broadband internet connection, you never want to use this option. When
in use, this option increases network traffic on your internet
connection and to your computer.

It is recommended that you disable
this option. This will not prevent Flash from working.

Other Notes and Considerations

The current versions of Internet Explorer 8 and Firefox
version 3.6 share the same Flash settings. Changing or updating Flash
through this console makes the changes for both. To verify this,
validate the Flash Management console from within each web browser you
use.

After installing any Flash updates you should validate that your
privacy and security settings have not changed. With previous Flash
updates, the settings within the Flash manager have reverted back to
default, i.e. wide-open, settings.

On a Windows 7 computer, you can manually manage Flash cookies by
navigating to:
C:\Users\user_name\Application Data\Macromedia\Flash Player
in a subfolder located at #SharedObjects\nonsensical-filename and
macromedia.com\support\flashplayer\sys. Deleting the website using the
Flash Global Settings Manager only removes the website's storage
content; it does not remove the folder created for the website. An
empty folder will remain on your computer in the
C:\Users\user_name\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
folder. The Application Data folder is a hidden system folder. You
will have to make hidden directories visible using the "Show hidden
files, folders, and drives" option under the Folder View option. You
may also need system permission to actually view and navigate these
directories on a Windows 7 computer.

Instead of doing this manually, you can also use a
free utility like Flash Cookie Cleaner 1.0, produced by ConsumerSoft
(www.ConsumerSoft.com). This product will clean up and eliminate
unwanted and unneeded Flash cookies in both the #SharedObjects and
macromedia.com subfolders. This is a much simpler and more efficient
way to clean up Flash cookies. You can download this free program
from: http://www.flashcookiecleaner.com/ . This utility is free of
spyware, adware, viruses, and other malicious programs. Download and
save this file to your desktop and run it from there. This is a
stand-alone program that does not install itself on your
computer.

References

Adobe - Flash Player: Help. (n.d.). Adobe.
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html

ConsumerSoft - Freeware Products. (n.d.). ConsumerSoft.

Leonhard, W. (2010, August 5). Eliminate Flash-spawned "zombie"
cookies. Windows Secrets.

Vega, T. (2010, September 20). Code that tracks users' browsing
prompts lawsuits. The New York Times.

To request a pdf of the article with screenshots please visit the
Friend Consulting web site and send an email from there with the
Title: Adobe Insecurity.
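
The manual check of the Flash cookie folders described under Other Notes and Considerations can be scripted. This is an added example, not code from the original article or from Adobe: it reports how much each site stores and which site folders are left with no data. The folder layout below #SharedObjects and sys, the function names and the .example sites are assumptions, and the sample tree is constructed.

```python
import tempfile
from collections import defaultdict
from pathlib import Path

def subdirs(path):
    """Sub-folders of path, or an empty list if path is not a folder."""
    return [d for d in path.iterdir() if d.is_dir()] if path.is_dir() else []

def tally(site_dir, site, sites, leftover):
    """Add one site's .sol (Flash cookie) files to the totals."""
    sol_files = [p for p in site_dir.rglob("*.sol") if p.is_file()]
    if not sol_files:
        leftover.append(site)  # folder that remains after its data was deleted
    for p in sol_files:
        sites[site]["files"] += 1
        sites[site]["bytes"] += p.stat().st_size

def inventory_flash_storage(flash_root):
    """Per-site Flash cookie usage and leftover folders under 'Flash Player'."""
    root = Path(flash_root)
    sites, leftover = defaultdict(lambda: {"files": 0, "bytes": 0}), []
    # Assumed layout: #SharedObjects/<nonsensical name>/<site>/.../*.sol
    for profile in subdirs(root / "#SharedObjects"):
        for site_dir in subdirs(profile):
            tally(site_dir, site_dir.name, sites, leftover)
    # Assumed layout: macromedia.com/support/flashplayer/sys/#<site>/*.sol
    for site_dir in subdirs(root / "macromedia.com/support/flashplayer/sys"):
        tally(site_dir, site_dir.name.lstrip("#"), sites, leftover)
    return {"sites": dict(sites), "leftover": sorted(leftover)}

def build_sample_tree():
    """Constructed sample tree (not real data) in a temporary directory."""
    root = Path(tempfile.mkdtemp()) / "Flash Player"
    sys_dir = "macromedia.com/support/flashplayer/sys"
    files = {
        "#SharedObjects/AB12CD34/ads.example/track.sol": 120,
        "#SharedObjects/AB12CD34/games.example/scores/hi.sol": 40,
        sys_dir + "/#ads.example/settings.sol": 30,
    }
    for rel, size in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"\0" * size)
    # Site folder emptied through the Settings Manager: the folder remains
    (root / sys_dir / "#old.example").mkdir()
    return root

if __name__ == "__main__":
    print(inventory_flash_storage(build_sample_tree()))
```

To check a real profile, pass the Flash Player folder named above to inventory_flash_storage; the function only reads the folders and deletes nothing.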
