A Survey of the Use of Adobe Flash Local Shared Objects to Respawn HTTP Cookies

Abstract

Website developers can use Adobe’s Flash Player product to store information locally on users ’ disks with Local Shared Objects (LSOs). LSOs can be used to store state information and user identifiers, and thus can be used for similar purposes as HTTP cookies. In a paper by Soltani et al, researchers documented at least four instances of “respawning, ” where users deleted their HTTP cookies only to have the HTTP cookies recreated based on LSO data. In addition, the Soltani team found half of the 100 most popular websites used Flash technologies to store information about users. Both respawning and using LSOs to store data about users can reduce online privacy. One year later, we visited popular websites plus 500 randomly-selected websites to determine if respawning still occurs. We found no instances at all of respawning in a randomly-selected group of 500 websites. We found two instances of respawning in the most popular 100 websites. While our methods are different from the Soltani team and we cannot compare directly, our results suggest respawning is not increasing, and may be waning. As in the Soltani study, we found LSOs with unique identifiers. In the 100 most popular websites, LSOs were set at 20, and 9 used their LSOs to store unique identifiers. In 500 randomly selected sites, LSOs were set at 41, and 17 used their LSOs to store unique identifiers. Unique identifiers may, or may not, be key