LSO Super Cookies - The Invisible Spy

Bob Leggitt | Monday, 25 June 2012 |

Most Internet users know a little about what Web cookies are and what they do – especially now the rules on keeping the public informed about cookies have been made more stringent (see the Privacy/Cookies tab at the top of this page for details specific to this site). If you’re still a little in the dark about the general picture, have a look at my Web Cookies & Your Privacy article for a full explanation.

However, there’s another type of ‘cookie’ which isn’t properly covered by cookie regulations, and is still going below the radar when it comes to public consciousness. Why? Because technically, it’s not a cookie at all. It’s a data file for the Adobe Flash motion graphics facility. Officially, its purpose is to enable the smoothest possible running of Flash-based routines. Unofficially, it does exactly what an ordinary text cookie does – placing re-readable information onto your hard drive, so you can be recognised by sites you visit, and virtually stalked.

This Flash file is, however, immune to conventional browser deletion processes – because it doesn’t go in a cookie folder, or conform to the standards of regular cookies. Fundamentally, it’s not a cookie, so it circumvents all of the usual detection and exchange management protocols.

The ‘cookie that isn’t a cookie’ is called a Local Shared Object – often abbreviated to LSO. When used to carry out a similar job to a regular cookie (to spy on you, in plain terms), an LSO may be dubbed a ‘Super Cookie’, a ‘Zombie Cookie’ (if it has regenerative properties), or just a ‘Flash Cookie’, but it’s all basically the same thing. A piece of information stored on your hard drive, which is either directly or indirectly accessible to outsiders on the Internet.

The LSO cookie might be accessed directly by the site which set it in place when a Flash function is active. But alternatively, it might be used to generate a standard cookie, which can then be accessed conventionally – by a multitude of third parties if your browser isn’t blocking third party cookie use. In essence, this means that it’s not enough simply to delete your standard cookies when you see fit. If you don’t specifically block them, and delete the LSOs, then the LSOs can supply replacements for the cookies you’ve deleted, and your tracking history (for the site(s) using LSO tracking) will continue completely unbroken. With a cookie-renewing LSO on your drive, no matter how many times you delete the offending site’s conventional cookie(s) – it, or they, will just keep being reborn.

A LOT of sites and Web presences use LSO cookies. I mean, A LOT – and this is not just confined to adult sites and the get rich quick mongers. Some of the very biggest and best-trusted players on the Net use LSO cookies, and I believe that the spread of them is only likely to get worse now that the public are becoming more aware of conventional cookies and how to control them.


The first method of LSO control advised to me was to use the Global Settings Manager on the Flash Player Help page to deactivate LSO transfer. This works in the immediate term, but is in no way reliable in any longer term sense. The first thing to watch out for with this option is that clean-up utilities designed to keep your computer in good order can reset the Flash settings back to the defaults. I believe that my Glary Utilities program has been doing just that, and of course if that can change the settings without me realising it, then other apps can too. Glary is a very good routine in my opinion, and I may even be able to stop it interfering with the Flash settings if I go 'beneath the hood' - I haven't checked, but the point is you can't go onto the Adobe Flash Player Help page, select 'Never Ask Again', and expect your settings to apply forever, unconditionally. I also wonder if some websites might try to interfere with the Flash settings. With tracking equating to revenue, you can be sure that if there's a way for a site to get round a block on LSO cookies, an unscrupulous Web presence will do it. So, I’d suggest ignoring the Flash Global Settings Manager as any sort of solution. It proved completely impotent over a longer term during my tests.

[Screenshot caption] The Global Flash Settings Manager as referred to in the main text. Setting the options as shown should, and in the immediate term does, block the use of LSO cookies, and deletes all LSO cookies currently on your system. Longer term, however, this is most unreliable.

The second option would be to use the free Tor proxy utility. You can download Tor via THIS LINK. The full Browser Bundle comes with its own custom Firefox browser, which starts up when you open Tor, and once running, is used in the same way you’d use the regular Firefox. The bundle safeguards you against the receipt of LSO cookies because it disables your Flash plugins by default. Tor is highly privacy focused and goes to great (if not 100% infallible) lengths to ensure that your computer can’t be identified, and that you can’t be tracked.

[Screenshot caption] When you use the Tor Browser Bundle, you see this startup screen, after which the browser opens automatically, ready to go. Notice that you can change your identity at any time, making the site(s) you visit think you're a new and separate visitor. The basic idea is that the sites you visit see a proxy's IP address, and not yours, but Tor is also highly aware of LSO cookies and takes firm steps to control them.

The disadvantages of using Tor, however, are considerable. Disabling Flash and JavaScript can drastically reduce functionality and make some sites difficult or impossible to properly use. Also, Tor is horrendously slow. It’s almost like going back to browsing in the ‘90s on dial-up. Plus, Google often rejects your searches via Tor because too many hits from the same server (which of course a lot of other surfers are using) triggers Goog’s bot protection. In short, you need to be really, really bothered about tracking, recognition and privacy to use Tor, but that said, if you are, and you can put up with the hassle, it’s a remarkable and incredibly thorough privacy system.

The third option would be to use a free add-on for Firefox called Better Privacy. You simply install Better Privacy straight into Firefox as you would Adblock Plus or whatever, and it’s active whenever you use that browser. This is my favourite option because it doesn’t noticeably slow you down, and by default it reports the number of LSO cookies on your system each time you shut down the browser – allowing you to delete them with the click of a button.

The great thing about using Better Privacy is that you can tell who’s putting the LSO cookies on your system. You can even then choose to avoid those sites in future. However, be warned, it’s almost certain there’ll be one or two you’ll feel you’re unable to avoid.

With Better Privacy, you’re not blocking LSOs from being placed on your drive. But you’re made aware of when they’re there and who’s setting them, and that’s a good education. After using Better Privacy for a month or two I dare say you’ll have a better understanding of who’s doing what (or trying to) than I could ever convey in a blog post.
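To make concrete what an LSO actually is on disk, and what a tool like Better Privacy is reporting when it tells you who set them, here is an added example (my own code, not from the original post and not Better Privacy's code). It walks the Flash Player #SharedObjects folder, groups the .sol files it finds by the site that wrote them, and reads the object name and any string properties out of each file. The default folder locations and the .sol header layout (the 0x00 0xBF magic, a length field, the "TCSO" tag, the object name, then AMF0 properties) follow the commonly documented format and are assumptions; the sample tree it builds in a temp directory is constructed test data with made-up domains.

```python
# Added example (not from the original post): inventory Flash Local Shared
# Objects (.sol files) the way a privacy add-on would report them.
# Folder layout and .sol header fields follow the commonly documented
# format; both are assumptions, and the demo data is constructed.
import os
import struct
import sys
import tempfile
from collections import defaultdict
from pathlib import Path

SOL_MAGIC = b"\x00\xbf"   # first two bytes of every .sol file
SOL_TAG = b"TCSO"         # fixed tag that follows the length field


def sol_roots():
    """Candidate #SharedObjects directories per platform (assumed default paths)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("APPDATA", str(home))) / "Macromedia" / "Flash Player"
    elif sys.platform == "darwin":
        base = home / "Library" / "Preferences" / "Macromedia" / "Flash Player"
    else:
        base = home / ".macromedia" / "Flash_Player"
    return [base / "#SharedObjects"]


def build_sol(name, props):
    """Construct a minimal AMF0 .sol file in memory (constructed test data only).
    Each property: uint16 key length, key, AMF0 string (0x02, uint16 len, bytes), 0x00 trailer."""
    body = bytearray(SOL_TAG + b"\x00\x04\x00\x00\x00\x00")
    body += struct.pack(">H", len(name)) + name.encode("utf-8")
    body += b"\x00\x00\x00\x00"                                 # AMF0 encoding marker
    for key, value in props.items():
        key_b, val_b = key.encode("utf-8"), value.encode("utf-8")
        body += struct.pack(">H", len(key_b)) + key_b
        body += b"\x02" + struct.pack(">H", len(val_b)) + val_b
        body += b"\x00"
    return SOL_MAGIC + struct.pack(">I", len(body)) + bytes(body)


def parse_sol(data):
    """Return (object_name, {key: value}) for the AMF0 string properties; raise on bad input."""
    if len(data) < 18 or data[:2] != SOL_MAGIC or data[6:10] != SOL_TAG:
        raise ValueError("not a .sol file")
    if struct.unpack(">I", data[2:6])[0] != len(data) - 6:
        raise ValueError("length field does not match file size")
    name_len = struct.unpack(">H", data[16:18])[0]
    pos = 18
    name = data[pos:pos + name_len].decode("utf-8")
    pos += name_len
    if struct.unpack(">I", data[pos:pos + 4])[0] != 0:
        raise ValueError("only AMF0 is handled in this example")
    pos += 4
    props = {}
    while pos + 2 <= len(data):
        klen = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        key = data[pos:pos + klen].decode("utf-8")
        pos += klen
        if pos + 3 > len(data) or data[pos] != 0x02:   # stop at the first non-string value
            break
        vlen = struct.unpack(">H", data[pos + 1:pos + 3])[0]
        props[key] = data[pos + 3:pos + 3 + vlen].decode("utf-8")
        pos += 3 + vlen + 1                            # value plus its 0x00 trailer
    return name, props


def scan(root):
    """Map each site to the shared objects it stored.
    Assumed layout: #SharedObjects/<random id>/<domain>/<swf path>/<name>.sol"""
    found = defaultdict(list)
    root = Path(root)
    for sol in sorted(root.rglob("*.sol")):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:
            continue
        try:
            name, props = parse_sol(sol.read_bytes())
        except (ValueError, UnicodeDecodeError, struct.error):
            continue   # skip files we cannot parse rather than guess at them
        found[parts[1]].append({"object": name, "keys": sorted(props), "bytes": sol.stat().st_size})
    return dict(found)


def demo():
    """Build a constructed #SharedObjects tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "#SharedObjects"
        tracker = root / "ABCD1234" / "ads.example.test" / "beacon.swf"   # constructed
        tracker.mkdir(parents=True)
        (tracker / "uid.sol").write_bytes(build_sol("uid", {"visitor": "v-0001", "first": "2012-06-25"}))
        player = root / "ABCD1234" / "video.example.test" / "player.swf"  # constructed
        player.mkdir(parents=True)
        (player / "volume.sol").write_bytes(build_sol("volume", {"level": "80"}))
        (player / "junk.sol").write_bytes(b"not a shared object")         # must be skipped
        return scan(root)


if __name__ == "__main__":
    for root in sol_roots():
        if root.is_dir():
            for domain, objects in scan(root).items():
                print(domain, objects)
    print(demo())
```

Run it as-is and it lists whatever #SharedObjects folder exists for the current user, then prints the result for the constructed tree. The useful part for the reader is the per-domain grouping: a site that stores only a player volume setting looks very different from one whose object carries a visitor identifier and a first-seen date, which is exactly the sort of value a respawning cookie is rebuilt from.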

There are other programs which profess to control LSO cookies, but I'd recommend extreme caution with some of them. One I downloaded had the most ridiculous trade-off in which you essentially 'paid' for the removal of the LSOs by turning over what looked like your entire hard drive to the manufacturer for scanning and data-mining. You'd be far better off just leaving the LSOs alone than using something like that. There's a more detailed account of that experience in my Recommended Spyware article. Better Privacy for Firefox looks reputable though, and it's recommended by Tor, which is as good an endorsement as you'll get on a privacy product.

Remember though, however you go about it, killing LSO cookies is pointless if you’re not going to set up a comprehensive block on regular cookies (there are instructions for that in my Web Cookies article). You need to cut off both routes if you’re to stop the dogged scourge of invasive tracking. And even then, I get the depressing sense that the giants of the Web are still a step ahead, and almost certainly know more about us than we think they do…

Planet Botch is contactable only via Twitter.