After reading about the topic of my previous post (your browser history not being secure), I decided to take a look at the various security plugins that you can get for Firefox (my browser of choice). I came across the plugin BetterPrivacy that referenced Local Shared Objects (or LSO).
LSO are basically Flash cookies (some people call them super-cookies), and from what I have read any Flash app that gets loaded (including those annoying ads you get everywhere, or perhaps a hidden app that you don’t even see) can store a set amount of data on your hard drive (the default is 100k). When you clear your browser’s temporary files the LSO don’t get deleted; in fact, there’s nothing in your browser settings that can get rid of them! On an app-by-app basis you can (sometimes) access the settings through the context menu (right-clicking on the app), which allows you to configure the amount of data that particular app can store… setting that to 0k will stop it from storing anything. Of course, when a website has an “invisible” Flash app for the purpose of tracking you, you have no way of knowing about it.
So what can you do to prevent this from biting you in the ass, while still being able to run Flash apps?
If you use Firefox (which I really recommend) you can start by installing the NoScript plugin. This plugin by default disables all JavaScript and plugins (such as Flash and Java). You can enable JavaScript on a per-domain basis, and in practice you should only allow domains you trust (basically the sites that you visit from which you require the JavaScript functionality to work, and that you don’t expect to act shadily). You can even take it a step further: in the NoScript options you can configure the addon to ensure that even for whitelisted sites (domains that you have enabled) the embedded apps do not run automatically. When you do need to run one of these Flash apps you can simply click on the app to temporarily activate it. If you do all of this, then those hidden Flash apps won’t ever run.
So what else can you do? Adobe offers a website that you can use to change the global settings of the Flash player plugin: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html. With the global settings manager you can configure that by default a Flash app may not store anything on your hard drive. When you do have a Flash app for which you want to enable storage (perhaps an online game that you play which stores your progress on your hard disk, or something similar), you can right-click on that app and change the settings for that particular domain. Additionally, you can use the Flash player global settings manager to delete whatever LSO you already have on your system (to clean up whatever garbage you have collected up to this point in time).
If you are running Firefox you can, in addition to the above, also install the earlier mentioned BetterPrivacy addon if you like, although I am not certain if that is necessary if you have already installed NoScript, configured it to disallow all embedded apps unless specifically enabled, and set the global Flash settings as described above.
If you apply the above on your system you should have reasonable protection against LSO abuse.
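
To check what is already on disk, the following added example (not code from the original post) lists stored LSOs per domain and deletes all of them except for domains you choose to keep, mirroring the "block by default, allow per domain" approach described above. It assumes Flash Player's usual `#SharedObjects` directories and the `.sol` file extension; the function names and the `keep_domains` parameter are hypothetical.

```python
import os
from pathlib import Path

def default_lso_roots():
    """Flash Player's usual LSO directories per OS; any of them may be absent."""
    home = Path.home()
    roots = [
        home / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    ]
    if os.environ.get("APPDATA"):                                             # Windows
        roots.append(Path(os.environ["APPDATA"]) / "Macromedia/Flash Player/#SharedObjects")
    return roots

def find_lsos(root):
    """Yield (domain, path) for each .sol file under root.

    Layout is <root>/<random profile dir>/<domain>/.../<name>.sol.
    """
    root = Path(root)
    if not root.is_dir():
        return
    for sol in sorted(root.rglob("*.sol")):
        parts = sol.relative_to(root).parts
        # Skip anything too shallow to carry a domain, and never touch symlinks.
        if len(parts) >= 3 and sol.is_file() and not sol.is_symlink():
            yield parts[1], sol

def summarize_lsos(root):
    """Return {domain: (file_count, total_bytes)} for the LSOs under root."""
    summary = {}
    for domain, sol in find_lsos(root):
        count, size = summary.get(domain, (0, 0))
        summary[domain] = (count + 1, size + sol.stat().st_size)
    return summary

def purge_lsos(root, keep_domains=()):
    """Delete every LSO except those of keep_domains; return the purged domains."""
    keep = {d.lower() for d in keep_domains}
    removed = set()
    for domain, sol in list(find_lsos(root)):
        if domain.lower() not in keep:
            sol.unlink()
            removed.add(domain)
    return sorted(removed)

if __name__ == "__main__":
    for root in default_lso_roots():
        for domain, (count, size) in sorted(summarize_lsos(root).items()):
            print(f"{root}: {domain}: {count} file(s), {size} bytes")
```

Run as a script it only reports; `purge_lsos` has to be called explicitly, for example with the domain of a game whose saved progress you want to keep.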
