Is Disney Flashing Minors?

Recently a lawsuit was filed against Walt Disney’s internet subsidiary and some of its partners (http://www.theregister.co.uk/2010/08/17/flash_cookie_lawsuit/). At issue is a special kind of cookie that is used in conjunction with Adobe Flash. These “supercookies” are called Local Shared Objects, or LSOs for short. LSOs are not deleted when you use the browser to delete your cookies, and they are still downloaded when your browser is set to not accept cookies. LSOs can restore the normal cookies that you chose to delete, all of this without your knowledge or consent. LSOs can also be used to track individual users. At issue in the lawsuit against Disney is that they violated their privacy policy, among other things. Many of the users represented are minors. The actual complaint (http://regmedia.co.uk/2010/08/16/flash_cookie_complaint.pdf) alleges that the defendants hacked millions of consumers’ computers.

This is not the only lawsuit of its kind regarding LSOs. In July 2010 a lawsuit was filed in federal court against many well-known companies, such as MySpace, ABC, and ESPN, among others. At issue again is the use of LSOs to override user privacy preferences. In August it was reported that the online ad network Specific Media was being sued over its use of LSOs. In all cases it has been alleged that the LSOs were being used to restore normal cookies that the users had chosen to delete. Users were not made aware that data they had chosen to delete was being recreated on their computers without their consent or knowledge.

If privacy is important to you, then you will want to control LSOs. The easiest way to do this is probably to use Firefox with the add-on BetterPrivacy. BetterPrivacy allows you to see what LSOs are present and delete them. BetterPrivacy can also be configured to delete the cookies when you close Firefox, as well as at other times. BetterPrivacy does not prevent the creation of LSOs, however. In a future blog I will explain a couple of methods you can use to configure the Adobe Flash Player and even prevent LSOs if you wish to.
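To check which sites have left LSOs on a machine without a browser add-on, the Flash Player storage directory can be inspected directly. The script below is an added example, not code from this post or from BetterPrivacy; the directory locations are the usual Flash Player defaults and are assumptions here, and `default_roots`, `inventory` and `purge` are names chosen for illustration.

```python
import os
import sys
from collections import defaultdict
from pathlib import Path

def default_roots():
    """Usual Flash Player LSO locations per platform (assumed defaults)."""
    home = Path.home()
    roots = [
        home / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    ]
    appdata = os.environ.get("APPDATA")
    if appdata:  # Windows
        roots.append(Path(appdata) / "Macromedia/Flash Player/#SharedObjects")
    return [r for r in roots if r.is_dir()]

def inventory(root):
    """Map each site to the .sol files stored for it under root.

    Layout: <root>/<random profile dir>/<site>/.../<name>.sol
    """
    root = Path(root)
    found = defaultdict(list)
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:  # need profile dir, site dir and file name
            continue
        found[parts[1]].append(sol)
    return dict(found)

def purge(root, site):
    """Delete every LSO stored for one site; return the number removed."""
    removed = 0
    for sol in inventory(root).get(site, []):
        sol.unlink()
        removed += 1
    return removed

if __name__ == "__main__":
    # Roots may be given on the command line; otherwise use the defaults.
    roots = [Path(a) for a in sys.argv[1:]] or default_roots()
    for root in roots:
        for site, files in sorted(inventory(root).items()):
            size = sum(f.stat().st_size for f in files)
            print(f"{site}: {len(files)} LSO(s), {size} bytes")
```

Running it before and after clearing cookies in the browser shows whether the `.sol` files survived the cleanup.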

LSOs can be useful for legitimate purposes, but they are frequently abused by online marketing networks. When you visit a website with ads on it, there is the possibility that an LSO will be written to your hard drive and that your browsing habits will be tracked, and they can be tracked by multiple sites.

(Note: Updated 9/28 to correct LSO is Local Shared Object, not Local Storage Object. Thanks to Otto for the catch)

Randy Abrams
Director of Technical Education
ESET LLC

Author ESET Research, ESET

  • Otto

    Minor correction: LSO actually means "Local Shared Object". It is unique to Adobe Flash.
    This should not be confused with "localStorage" or "DOM Storage", which is an HTML 5 specification and is used by HTML 5 applications to store data that they are working with.

    • Randy Abrams

      Ironically, the way you configure “Local Shared Objects” using the Adobe Flash Player Settings Manager is by configuring global and website “Storage” settings :)
