New Flash Preference Pane Still Struggles to Help Protect Privacy of Users
Friday, May 13, 2011 at 11:05AM Adobe has added a new Preference Pane for Flash for Mac OSX, which allows you to control Flash Privacy and Update Notification via a standard MacOSX Preference Pane. While this is a good step, the problems which existed with the Setting Manager still exist in the Preference Pane when it comes to the handling of Local Shared Objects (LSO) otherwise know as Flash Cookies. Below we expose the various issues with the Preference Pane, mainly when you select Storage>Delete All and Advance>Delete All site data remains.
The Flash Player Preference Pane
The Flash Player Preference Pane replaces the clumsy Setting Manager for Flash which ran directly from the Browser. One great feature of the pane is the management of Flash updates which was horrible in the Setting Manager. The Advanced tab enables you to determine the version installed and provides a direct link to the About Flash Player page. You also have the capability to set storage and privacy controls for the camera and microphone. "Private Browsing" is supported in Safari 5.0.5, thus private browser session information including Flash content is not stored in the usual directories ~/Library/Preferences/Macromedia/Flash Player/macromedia.com or ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects.
Sounds Good, So What is the Problem
We have discovered that if you visit a site with "Allow sites to save information on this computer" enabled in the Preference Pane or had previous sites that stored information the "Delete All" button does not provide the protection describe here on Adobe's site and below.
After reading this you would expect buttons labeled "Delete All" to perform as advertised and remove all content saved from sites. This is not always the case, and some data remains, similar to the failures in the Setting Manager, thus the "Delete All" does not perform as expected. In our demo we will clearly show that the Flash Player Preference Pane does not work properly resulting in Flash Cookie (LSO) data remaining on the system.
Note : (For our demo we will be using Philipp Kostin Flash Site Demo titled "Flash Cookies: Local Shared Objects" to create the data and Flash Cookie (LSO).)
Follow these steps to duplicate our results in the video that follows:
- Go to ~/Library/Preferences/Macromedia/Flash Player/macromedia.com and leave open.
- Go to ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects and leave open.
- Select System Preferences>Flash Player>Storage and enable "Allow Sites to save information on this computer"
- Visit a site that writes some date via a Flash Cookie (LSO), in our example we used Philipp Kostin Flash Demo.
- Write some information using the demo or from any other Flash Site of your choice.
- Change your settings in System Preferences>Flash Player>Storage to "Block all sites from storing information on this computer."
- Click on "Local Storage Settings by site" and view any site information. Did a site show up?
- Try "Delete All" in System Preferences>Flash Player>Storage and System Preferences>Flash Player>Advanced.
- Notice that the data in the Flash Cookie (LSO) remains.
Wasn't This Always a Problem?
In previous versions of Flash Player for Mac OSXdeleting site storage did not remove all the Flash Cookies (LSO) including the .sol file and a folder with the site name. This was one of the many issues which made using the Setting Manager very frustrating. Flash Cookies (LSO) have raised all kinds of privacy issues since they were first used, and that continues to be the case even if Adobe has introduced a Preference Pane.
In the Flash Player Preference Pane the language is clear so we expect that "Delete All" would do exactly as expected. In our demo this was not the case. The only solution that worked one hundred percent of the time was to manually remove Flash Cookies (LSO) and then enable "Block all sites from storing information on this computer."
Conclusion
In the current state the Flash Player Preference Pane for Mac OSX does not work as advertised, thus it continues to be a work in progress. The Flash Player Preference Pane clearly does not improve the management of Flash content privacy. In fact, the Flash Player Preference Pane will result in users having a false sense of privacy. It is our hope that Adobe was making an attempt at making Flash privacy easy to manage and not trying to layer the issue of privacy in a veil of confused user interaction. Take a chance Adobe, your business goals can be met while providing users and developers with clear dependable controls over Flash Cookies (LSO) and their privacy. The other option is to agree with Steve Jobs and move away from the Flash Platform.
Sean OConnell Public
It does appear that the latest version of Flash Preference Pane does delete site specific saved files from ~/Library/Preferences/Macromedia/.
