Monday, April 04, 2005

Cookies and PIE - Flash Security Introduction

Cookies and PIE - An Introduction to Flash Security

by Trevor Bauknight © April 2005

Web-enabled consumers are tossing their cookies in greater numbers; and although this phenomenon is related to the stomach-churning activities of some Internet marketers and their offerings, it has more to do with taking back control of their Web browsing, and less to do with violent physiological reactions to bad snack food.

JupiterResearch reported that 58% of Internet users have deleted their cookies in the last year, and that 39% of consumers are deleting them monthly from their primary computers. And while I find these numbers suspect, the increased awareness and use of anti-malware software tools, which sometimes identify cookies as problematic, may be contributing heavily to the trend. So maybe the numbers are accurate, even if consumers are deleting cookies unwittingly.

Last week brought news that a New York company called United Virtualities has begun offering technology that allows Internet marketers to undermine the increasing number of Internet-savvy consumers concerned enough about their privacy to take control of cookies, the little bits of text left behind by some websites to track your visits and preferences. They're offering PIE as a substitute.

What is PIE?

According to United Virtualities, a persistent identification element is a Flash object that a bit of JavaScript can tag to the browser of a visitor to a PIE-enabled website in order to restore deleted cookies and act as a cookie backup. It uses a Flash MX feature called local shared objects that are less familiar to browsers and, hence, not as likely to be disabled. Shared objects are, essentially, the Flash equivalent of cookies, and yet, being Flash, are a good deal more capable because of their ability to gather information from other websites and to communicate with other Flash applications that may be running.

Mookie Tanembaum, founder and CEO of United Virtualities, justifies his company's technology by suggesting that he's simply trying to help out consumers who are too stupid to know what they want to control: "The user is not proficient enough in technology to know if the cookie is good or bad, or how it works," he is reported to have said. He also said, apparently with a straight face, that he discourages the abuse of PIE technology to thwart the end-user: "We believe people should use this technology responsibly. If people don't want cookies in place, then (their browsers) shouldn't be tagged." Uh-huh... I'm not sure who he thinks his market is. The company charges marketers $.03 per 1000 impressions (CPM) for use of its "platform".

Who's vulnerable?

Vulnerability, with regard to cookies, is relative. We actually support the responsible use of cookies to better serve visitors to your website; but that support begins and ends at your site and we recognize that cookies can be and have been abused by rogue Internet marketers and other website operators. With that in mind, let's take a look at who might be impacted by the use of PIE technology:

You, more than likely. The makers of Flash, Macromedia, Inc., claim that some 98% of Internet-enabled computers are equipped with the ability to view Flash, so security vulnerabilities associated with the technology should be a primary concern for anyone, especially as Flash seems to be emerging as the premier vehicle for building great user interfaces for rich Web applications.

Macromedia has established a website with a hideously long URL dedicated to securing your local Flash-player installation, and even though we use Flash extensively here at Cafe ID for parts of our own application's user interface, we had never really explored checking to see that the security settings of our Flash Players were locked down until United Virtualities forced the issue. And because we use Flash, we're keenly interested in any abuse of Flash technology that may cause antipathy toward it and, by extension, us.

How do you avoid PIE?

One way to avoid having PIE attach itself to your browser is to simply jack up your security settings under IE to the highest level available. Unfortunately, this is less than desirable, as it will cause many other, non-PIE-enabled websites to become inoperable. This is like bricking up your windows and doors to keep out thieves.

You may have experienced a pop-up asking questions about privacy or storage space when visiting sites with Flash content, and this is the way most people see their Flash Player settings for the first time. But a visit to the Macromedia site above shows you how to access your Flash player's settings directly and describes the settings in some detail. That's a great place to start, so let's run through a few of the settings you may find particularly useful:

The Settings Manager tool that loads shows five tabs across the top. Clicking on the tabs doesn't give you a great deal of feedback, but it does allow you to move between them. (Note that these panels allow you to control the behavior of the Flash Player in your future visits to Flash-based sites. To control the behavior of websites you have already specified settings for or are visiting currently, simply right-click in the window while the Flash application is running and choose Settings... from there.)

The first tab brings up the Global Privacy Settings Panel. Here, you can select whether websites will be allowed to ask you to use your computer's camera and microphone. At least there's no "Always Allow" setting -- that would make for some interesting viewing at the other end, no doubt.

The second tab brings up the Global Storage Settings Panel, on which you can specify how much of your local drive space you want to allow Flash applications to use to store information about you. Pushing the slider all the way to the left causes Flash to ask you each time an application wants to store information. Pushing it all the way to the right gives Flash unlimited space to store information, and there are intermediate levels between the extremes. We recommend having Flash ask, if for no other reason than to make sure you know when information about you is being stored.

The third tab is the Global Security Settings Panel. Here, you can specify whether Flash authors are able to use an older technology to get information from other sites. The recommendation, as usual, is to always ask, as the other options either provide no control or no desired functionality.

The fourth tab is the detailed Website Privacy Settings Panel, which works a good deal like your browser's cookie manager. It shows you all the websites that currently are storing information about you and allows you to set your camera and microphone preferences on a per-website basis. The fifth tab, similarly to the fourth, allows you to set your storage-space preferences on a per-website basis.
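
As an added example (not part of the original article and not a Macromedia tool), the short Python script below does on disk what the per-website panels do in the browser: it lists which sites have left shared objects (.sol files) and how much space they use. The store locations are the commonly documented Flash Player defaults, and the site names in the sample are constructed.

```python
import os
import tempfile
from collections import defaultdict

# Commonly documented default shared-object stores (assumption: default install).
DEFAULT_ROOTS = [
    os.path.expandvars(r"%APPDATA%\Macromedia\Flash Player\#SharedObjects"),
    os.path.expanduser("~/Library/Preferences/Macromedia/Flash Player/#SharedObjects"),
    os.path.expanduser("~/.macromedia/Flash_Player/#SharedObjects"),
]

def audit_shared_objects(root):
    """Return {domain: (file_count, total_bytes)} for every .sol file under root.

    Expected layout: <root>/<random dir>/<domain>/<path to movie>/<name>.sol
    """
    totals = defaultdict(lambda: [0, 0])
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        if len(parts) < 2:  # at the root or in the random dir: no domain yet
            continue
        for name in files:
            if name.lower().endswith(".sol"):
                entry = totals[parts[1]]  # parts[1] is the site's domain
                entry[0] += 1
                entry[1] += os.path.getsize(os.path.join(dirpath, name))
    return {domain: tuple(v) for domain, v in totals.items()}

def build_constructed_sample(base):
    """Create a constructed store with two made-up sites, for demonstration."""
    samples = {
        ("tracker.example", "ads/pie.swf", "id.sol"): b"\x00" * 64,
        ("tracker.example", "ads/pie.swf", "backup.sol"): b"\x00" * 32,
        ("game.example", "play.swf", "scores.sol"): b"\x00" * 100,
    }
    root = os.path.join(base, "#SharedObjects")
    for (domain, movie, name), data in samples.items():
        folder = os.path.join(root, "QX7RANDOM", domain, *movie.split("/"))
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    # Audit real stores if present; otherwise fall back to the constructed sample.
    roots = [r for r in DEFAULT_ROOTS if os.path.isdir(r)]
    if not roots:
        roots = [build_constructed_sample(tempfile.mkdtemp())]
    for root in roots:
        for domain, (count, size) in sorted(audit_shared_objects(root).items()):
            print(f"{domain}: {count} shared object(s), {size} bytes")
```

A site you do not recognize in that list is a candidate for removal through the Website Storage Settings panel.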

You can also access the Global Notifications Settings Panel via the link to it on the left, where you can control how often Flash checks with Macromedia to see if updates are available.

The Way Forward

For your part, it's just one more thing with which to concern yourself in your daily browsing. Ask yourself how much you want your online travels tracked and analyzed by Internet marketers and set your browser and Flash Players accordingly. There are plenty of resources available to show you how, and we try to maintain an up-to-date collection of them at

Macromedia, for its part, is in discussion with both Microsoft and the Mozilla Foundation, makers of the wildly popular new Firefox browser, to provide an interface for controlling shared objects and cookies in one place in future versions of their respective browsers. After all, like cookies, shared objects are useful technology that carry the potential for being abused, and we'd hate to see either go away.

Macromedia's stance and actions on the matter are a welcome step in the right direction; but what we'd like to see is the regulation of Internet marketers who seem to have inexplicably decided that the way to generate interest in the products and services they're marketing is to actively foil any and all consumer attempts to avoid that marketing. The suggestion that consumers are not technologically savvy enough to determine whether or not they want to be tracked and monitored is nothing short of outrageous. Mookie Tanembaum ought to be ashamed; but shame isn't a strong motivator among the Internet's purveyors of malware.


About the Author

Trevor Bauknight is a web designer and writer with over 15 years of experience on the Internet. He specializes in the creation and maintenance of business and personal identity online and can be reached at Stop by for a free tryout of the revolutionary SiteBuildingSystem and check out our Flash-based website and IMAP e-mail hosting solutions, complete with live support.

posted by RealitySEO at 4:08 PM