Local shared object

Storage

Local shared objects contain data stored by individual websites. Data is stored in the Action Message Format. With the default settings, the Flash Player does not seek the user's permission to store local shared objects on the hard disk. By default, an SWF application running in Flash Player from version 9 to 11 (as of Sept 1, 2011) may store up to 100 kB of data to the user's hard drive. If the application attempts to store more, a dialog asks the user whether to allow or deny the request.{{cite web |access-date=2011-09-02

Adobe Flash Player does not allow third-party local shared objects to be shared across domains. For example, a local shared object from "www.example.com" cannot be read by the domain "www.example.net". However, the first-party website can always pass data to a third-party via some settings found in the dedicated XML file and passing the data in the request to the third party. Also, third-party LSOs are allowed to store data by default.{{cite web |archive-url = https://web.archive.org/web/20100529082424/http://www.adobe.com/products/flashplayer/articles/thirdpartylso/ |archive-date = 2010-05-29 |access-date = 2011-08-15 |access-date = 2011-08-15

• A visitor accesses a site using their Firefox browser, then views a page displaying a specific product, then closes the Firefox browser, the information about that product can be stored in the LSO.
• If that same visitor, using the same machine now opens an Internet Explorer browser and visits any page from the site viewed in Firefox, the site can read the LSO value(s) in the Internet Explorer browser, and display dynamic content or otherwise target the visitor.

This is distinct from cookies which have directory isolated storage paths for saved cookies while LSOs use a common directory path for all browsers on a single machine.

Application to games

Flash games may use LSO files to store the user's personal game data, such as user preferences and actual game progress. Backing up files such as these requires some technical understanding of software. However, both browser updates and programs designed to remove unused files may delete this data.

To prevent cheating, games may be designed to render LSO files unusable if acquired from another location.

Privacy concerns

As with HTTP cookies, local shared objects can be used by websites to collect information on how people navigate them, although users have taken steps to restrict data collection.{{cite news |archive-url=https://web.archive.org/web/20140404201520/http://www.networkworld.com/news/2009/081109-study-adobe-flash-cookies-pose.html |archive-date=2014-04-04 |access-date=2009-04-10 |access-date = 2007-12-05

On 10 August 2009, Wired magazine reported that more than half of the top websites used local shared objects to track users and store information about them, but only four of them mentioned it in their privacy policy. "Flash cookies are relatively unknown to web users," the article said, "even if a user thinks they have cleared their computer of tracking objects, they most likely have not." The article further says that some websites use Flash cookies as hidden backups so that they can restore HTTP cookies deleted by users.{{cite magazine |access-date=2009-08-22

According to the New York Times, by July 2010 there had been at least five class-action lawsuits in the United States against media companies for using local shared objects.{{Cite news |author-link = Tanzina Vega |access-date = 2011-05-05

In certain countries, it is illegal to track users without their knowledge and consent. For example, in the United Kingdom, customers must consent to the use of cookies/local shared objects:{{Cite book |chapter-url = http://www.ico.gov.uk/upload/documents/library/privacy_and_electronic/detailed_specialist_guides/pecr_guidance_part2_1206.pdf |access-date = 2011-05-05 |access-date = 2011-05-05 |url-status = dead |archive-url = https://web.archive.org/web/20110224183417/http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx |archive-date = 2011-02-24

• is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
• is given the opportunity to refuse the storage of, or access to, that information.

Local shared objects were the first subject to be discussed in the Federal Trade Commission (FTC) roundtable in January 2010. FTC Chairman Jon Leibowitz has been talking with Adobe about what it describes as "the Flash problem."

User control

Users can disable local shared objects using the Global Storage Settings panel of the online Settings Manager at Adobe's website.{{cite web |access-date = 2011-05-05 |access-date = 2011-05-05

Users may also delete local shared objects either manually or using third-party software. For instance, CCleaner, a standalone computer program for Microsoft Windows and Mac OS X, allows users to delete local shared objects on demand. There is also a Firefox add-on, Clear Flash Cookies, which will automatically clear out all LSOs each time the browser is restarted.

Since version 10.3 of Flash, the Online Settings Manager (letting users configure privacy and security permissions via Adobe's website) is superseded by the Local Settings Manager on Windows, Mac, and Linux platforms. It can be accessed via the Windows Control Panel or Mac OS System Preferences.{{cite web |access-date = 2012-04-14

Browser control

Browser control refers to the web browser's ability to delete local shared objects and to prevent the creation of persistent local shared objects when privacy mode is enabled. As for the former, Internet Explorer 8, released on March 19, 2009,{{Cite news |access-date=2011-05-05 |url-status=dead |archive-url=https://web.archive.org/web/20090323020859/http://news.prnewswire.com/ViewContent.aspx?ACCT=109&STORY=%2Fwww%2Fstory%2F03-19-2009%2F0004991142&EDATE= |archive-date=2009-03-23 |access-date=2011-05-05 |access-date=2011-05-05

Also on January 5, 2011, Adobe Systems, Google Inc., and Mozilla Foundation finalized a new browser API (dubbed NPAPI ClearSiteData). This will allow browsers implementing the API to clear local shared objects.{{cite news |access-date = 2011-05-05 |access-date = 2011-09-28 |access-date = 2011-09-28 |access-date = 2011-09-28 |access-date = 2011-09-28 |access-date = 2011-09-28 |access-date = 2011-09-28

As for the behavior in browser's privacy mode, Adobe Flash Player 10.1, released on June 10, 2010, supports the privacy modes of Internet Explorer, Mozilla Firefox, Google Chrome, and Safari. Local shared objects created in privacy are discarded at the end of the session. Those created in a regular session are also not accessible in privacy mode.{{cite news |access-date = 2011-05-05 |access-date=2011-05-07 |archive-url=https://web.archive.org/web/20110511095927/http://blogs.adobe.com/flashplayer/2010/06/flash_player_101_now_available.html |archive-date=2011-05-11 |url-status=dead

Third-party software

Viewers and editors

Libraries and frameworks

Cleaners

References

References

1. (2014-10-04). "When the cookies crumbled, so did your web anonymity".
2. James Temple. (2010-01-29). "All eyes on online privacy". San Francisco Chronicle.
3. Donald Melanson. (2010-12-04). "FTC says it's talking to Adobe about the problem with 'Flash cookies'". Engadget.
4. (November 20, 2017). "Clear Flash Cookies – Add-ons for Firefox". [[Mozilla]].