LSO MANAGEMENT: What They Are and What to Do About Them
A TUTORIAL

by Al Swilling
SENAA International
12 February 2010

NOTE TO INTERNET EXPLORER USERS: This tutorial was originally written for users of Firefox browser, but it can be used very effectively in conjunction with Internet Explorer. At this time, there is no add-on for Internet Explorer (IE) to control or delete Local Shared Objects (LSOs). LSOs are hidden from the user by IE until the browser is closed, then they are written to the default storage folders noted in this tutorial. Although IE provides no means of controlling, limiting, or deleting LSOs, installing and running Firefox and its BetterPrivacy add-on will delete LSOs from your machine while browsing with IE. For that reason, it is recommended that IE loyalists install the newest version of Firefox and install the BetterPrivacy add-on, even if you don't plan to use it for browsing. After installation, launch Firefox, complete this tutorial, close and restart Firefox, then minimize Firefox while using IE. Firefox and BetterPrivacy will function very well as an improvised Flash cookie remover to delete LSOs that are stored on your machine through IE.

Before You Begin: This tutorial is most effective if it is downloaded to your computer and opened from your hard drive. Opening it from your hard drive will ensure that no additional LSOs are placed on your hard drive while following the tutorial. The Zip file contains this page and all graphic files. The file is guaranteed to contain no viruses, Trojans, Worms, spyware, malware, or adware. When extracting the contents, be sure the "Use folder names" option is checked so it will create the "HomePage" folder to contain all the files. It is recommended that you extract the file to your C: drive. The only restrictions are that the HTML page, text, and/or graphics may not be published elsewhere, redistributed, or sold without the written permission of the copyright owner, Al Swilling, SENAA International.   

Download: LSOMgt.zip (2.0 MB)

Alternately, you may download the page and graphics individually by creating a "HomePage" directory on your hard drive and saving this page and its graphics into it. Save the page by going to "File > Save Page As... > Save as type: Web page, HTML only" and saving it as LSO_Management.html. Right click the graphics, one by one, click "Save as...", and save each one under its default filename.

Tip: To save time and download the graphics much faster, install the "DownThemAll!" Firefox add-on, set it to save the graphics (blue/orange/yellow arrow icon, Pictures and Embedded tab) from the Web page to the "HomePage" folder, and let it download the graphics for you ("Start!" button).

Caution: Do not download this page using the "Save Page As..." > "Web Page, complete" option. If you do, the graphics will be saved into a separate folder, and the page may not display correctly. Also, if "DownThemAll!" is used, set the "Renaming Mask" field to the "*name*.*ext*" option, so the filenames will be preserved during download. Save graphics and this page in the same folder.

 

Introduction

The computing public is becoming increasingly aware of the existence of Local Shared Objects (LSOs), also called "Flash cookies" or "Persistent Identification Elements" (PIEs), the dangers they pose, and the unethical ways that they are placed on our machines. LSOs are the busybodies of the Internet, sticking their noses in your personal business at every opportunity without your knowledge or consent; and like most busybodies, they're being found out.

With growing public awareness of LSOs comes a growing demand for effective, real time control of them. Most LSO management solutions offer management or deletion of LSOs after potentially malicious ones have had time to do their damage. Stand-alone LSO management utilities do not offer real time protection, either. This tutorial provides real-time management of LSOs.

Not All LSOs Are Bad, but...

Not all LSOs are bad, but even trusted sites should not be allowed to place LSOs on the hard drive until it is known what data will be stored, the origin of that data, what privileges the LSO will enable, and what personal data will be gathered. If you know that a site you're about to visit has Flash content, always read the Privacy Policy for that site before allowing it to place any LSOs on your machine.

Some Flash applications, such as full episode playback on TV network sites like Sci-Fi Channel, etc., require that some data be stored on the hard drive before they will function correctly. Other sites, such as YouTube, place LSOs on the hard drive; but the absence of those LSOs has no effect whatsoever on the playback or functionality of the embedded Flash player, subscription to channels, or any other function on the Web site. Until it is determined that even an otherwise trusted site needs the LSOs to function properly, the settings in this tutorial should be left in place. If a site is adversely affected by the absence of the LSOs, then BetterPrivacy's "Delete Flash cookies by timer" option can be unchecked and permissions granted. The BetterPrivacy setting can be enabled again after leaving the site, and the LSOs left behind will be deleted. See the end of this tutorial for more information.

Close the Back Door

A lot of tutorials and articles have been written on how to limit or even eliminate LSOs from the hard drive and prevent sites from storing them on the computer, but they all leave out something and do not offer a means of achieving complete protection.

Simply setting the Global Settings on Adobe's Web site does not give full or lasting protection, and it does not stop Web sites from placing on the computer LSOs that give them access to the camera and microphone and grant permissions that were expressly denied in the global settings.

All but one of the available Firefox add-ons give a false sense of security, because they do not delete all the LSOs.

"Flashblock" add-on gives the user no protection. Flashblock will block flash content, such as ads, videos, and games; but LSOs will still be placed on your hard drive.

There is only one Firefox add-on, so far, that is capable of vanquishing LSOs; but with its default settings, it leaves a back door open for LSOs to propagate and allows them to continue to spy on us without our knowledge or consent. That add-on is BetterPrivacy. In spite of the flaw in its default settings, by taking one additional step not contained in the preferences or mentioned by the developer, BetterPrivacy is capable of protecting both Firefox and Internet Explorer users from the threat of LSOs.

What almost no one knows—until now—is that vendors who place LSOs on our machines are actively trying to prevent us from deleting them. Even though Adobe has provided the general public with a means of controlling the amount of data that LSOs can gather from or store on our computers, vendors who place them on our machines have developed ways to evade attempts to detect and delete them from our hard drives and are even overwriting the global settings. LSOs are behaving more and more like Trojans and viruses and less and less like "cookies".

To illustrate: BetterPrivacy, a user configurable Firefox add-on specifically designed to detect and delete LSOs, monitors a folder named "#SharedObjects" by default, which is the default folder where LSOs are usually placed by various Web sites. When the user goes to Adobe's Web page to set global settings, the site places an LSO with those settings in a second folder named "sys". The "sys" and the "#SharedObjects" folders are the two folders in which LSOs are placed.

Web sites now attempt to circumvent BetterPrivacy and avoid deletion by detecting which folder BetterPrivacy is set to monitor and placing their LSOs in the other folder or within a subfolder. If BetterPrivacy is set to monitor the "#SharedObjects" folder, then the LSOs are written to the "sys" folder. If the user changes BetterPrivacy to monitor the "sys" folder, then the same Web sites will place their LSOs in the "#SharedObjects" folder.

Some Web sites also overwrite the global settings LSO, named "settings.sol", with counterfeits that contain the global settings that the site owners want us to have. When exiting the site, the new settings file stays behind, and the user's global settings have been changed without the user's knowledge or consent, even with BetterPrivacy active.

It's frustrating, and it can seem pointless to bother with BetterPrivacy at all instead of just deleting all the LSOs manually. However, there is a way to foil attempts to evade BetterPrivacy's detection, and there is a way to stop individual Web sites from overwriting the global settings LSO. This tutorial tells how with step-by-step instructions.

The Need for Regulation and Restrictions

Clearly there is a need for the regulation and restriction of LSOs; not just to restrict how sites may use LSOs but to require that each site that uses them also make it known to the public that it is using them, what each one contains, the capabilities of each, the type of information that each one gathers; and provide the public with a means of accepting or rejecting LSOs on a site-by-site, LSO-by-LSO basis.

Adobe should also be more responsible by programming its Flash Player with the ability to set global preferences locally instead of having to go to a special Web site to do it. An onboard global settings manager should also provide the option of write protecting the global settings from overwrite attempts by individual Web sites.

Gaining compliance with public demand, however, would require either a massive boycott by Internet users until there is compliance, or legislation by each nation individually and some sort of international governance to regulate Web sites' ethical use of Flash cookies.

Restriction of LSOs should not be limited to disclosure. There must be a clearly defined limit to the kind of information that may be gathered and the control that may be exercised over computer devices such as the camera and microphone.

There is no honest, ethical reason in the world for a site-specific LSO to gather personal information from an individual's computer. For example, there is no reason why credit card numbers that are entered into an order form on a shopping Web site should be gathered by an LSO. There is no reason for the Social Security number, name, date of birth, or any other personal information to be contained in or gathered by an LSO; but LSOs certainly have the capability of gathering such information if it is on the user's computer or if the information is entered into form fields on a shopping site.

Frankly, until the public became aware that Flash cookies even existed, no one except the ones putting them on our hard drives knew what they were doing or how much information they were gathering. It still is not entirely clear, because the sites that use LSOs are not forthcoming or honest about what exactly is going on.

Before there were such things as LSOs, people were successfully doing business online, placing orders, giving credit card info over secure connections. The difference between doing business before LSOs and after is that before LSOs, there were no covertly installed apps collecting that information and selling it to unknown third parties without our knowledge or consent. There is absolutely no good reason, except playing games, for LSOs to be on our computers. YouTube videos do not depend on any LSOs in order to play or otherwise function properly, yet YouTube places no less than three LSOs on the user's computer for each video that is watched on their site.

It would be wonderful to once again have an Internet free of government interference or regulation, but the truth is, unless and until public concerns can be addressed and the users of LSOs can guarantee that our privacy will be respected and maintained, and that no personally identifiable information will be gathered, used, or sold, it is in our own best interest to do whatever we need to do to block LSOs and any other data mining and tracking application from our computers. If online businesses cannot suppress their urge to get into our personal business, then control will have to come from outside.

If we value our privacy and security, then we, the everyday users of the Internet, should form coalitions and boycott those businesses who use LSOs and other covert means to gather our personal information and track our movements without our knowledge and consent.

If sites try to do with LSOs what they now do with standard cookies, such as denying access unless the LSO is accepted, then we should thwart their attempted coercion by refusing to accept their terms and leaving the site. If every online business site tries such tactics, then they should be shunned, too. It wouldn't take long for them to get the message and clean up their act. Loss of money because online shoppers will not tolerate their unethical behavior is a powerful motivational tool for acting responsibly. Before we can expect online businesses to act responsibly, though, we have to act responsibly by taking charge of our own computers and private information by limiting who, if anyone, has access to it and only giving out the information we want to give out under our own terms. Too many online businesses act as though they are somehow entitled to our information. Their use of LSOs is proof of that. They are not entitled to it, and we have to get that across to them. We are the ones who are entitled to our privacy, which entitles us to do whatever it takes to stop their underhanded practices.

Until online businesses start to act ethically and responsibly and finally get their noses out of our business, this tutorial will enable those who value their privacy to protect it.

If new means of stealing our data are implemented, then we will implement new means of foiling their attempts.

      

THE TUTORIAL:
Configure Firefox and BetterPrivacy

Follow the steps below to find, delete, and block LSOs from being stored and propagating on your hard drive.

1. You have already completed Step 1 by opening this page in Firefox. If you are using Internet Explorer, download and install Firefox and install the BetterPrivacy add-on. Next you should temporarily set this page as your home page until this tutorial has been completed.

Using this page as your home page serves two purposes:

  1. It puts the tutorial in front of you for your convenience, and
  2. It ensures that no LSOs are set on your computer while the browser is open for this tutorial.

After you have completed this tutorial, you may change your home page back as it was before.
  

MAKE THIS PAGE YOUR TEMPORARY HOME PAGE

2. On the Firefox tool bar, click the "Tools" drop-down menu.
    Click "Options..." (FIG. I).

FIG. I:

  
3. Click the Main tab if it is not already selected.
     In the "Home Page:" field, highlight the URL for your home page (FIG. II).

FIG. II:  

  
4. Key in, or copy and paste: "C:\LSOs\LSO_Management.html" into the field.
    Click "OK" to save the setting and exit the Options menu (FIG. III).

FIG. III:

  
CLEAR RECENT HISTORY

5. Next, from the Tools menu, click "Clear Recent History..." (FIG. IV):

FIG. IV:

  
7. In the "Clear Recent History" dialog box, click the "Clear Now" button.
    The box will close when all is cleared (FIG. V).

FIG. V:

  
BETTER PRIVACY PREFERENCES

8. From the Tools menu, click "BetterPrivacy" (FIG. VI). The BetterPrivacy settings window will open (FIG. VII).

FIG. VI:

FIG. VII:
   

9. Under the "LSO Manager" tab, in the "Flash-Data Directory" field (FIG. VIII, A), key the file path for the "Flash Player" directory found in your profile's Application Data folder. The file path should be the same as the path shown here, substituting your profile name for "Owner.TSALAGI2". You should only have to delete "\#SharedObjects" from the file path.

A list of LSOs stored on your computer will be listed in the LSO display field (FIG. VIII, B). Remove all LSOs by clicking the "Remove All LSOs" button (FIG. VIII, C). This step will rid your computer of any malicious LSOs and will help avoid confusion about which LSO contains your global settings, once they are set.

FIG. VIII:

   

10. Under the "Options & Help" tab, FIG. IX should reflect your initial settings. Leave these settings as they are until after you have set your global settings. Click the "Ok" button to keep the current settings and exit the BetterPrivacy settings panel.

FIG. IX:

   
11. Visually check the folders where LSOs are stored.

Leave Firefox open to this temporary home page, minimize it, and open Windows Explorer. To find and open Windows Explorer, click HERE (opens in a new tab); or double click the "My Computer" icon and click the "Folders" icon on the tool bar if necessary.

The following graphics are geared to Windows XP. Not having Windows Vista or Windows 7 as a guide, graphics for those versions are not available.

In Windows Vista, a search in drive "C:" for "Files and Folders", with "Macromedia" in the search field, should locate the directory.

For Windows 7 users, where the instructions below vary from Windows 7, differences are noted in italics.

  
12. When Windows Explorer opens, click the Folders button (FIG. X, A) to go to folders view, then expand drive C: (FIG. X, B):

FIG. X:

   
13. Expand "Documents and Settings" (FIG. XI), then expand your profile (Owner.Name) folder (FIG. XII).

In Windows 7, user accounts are found in the "Users" directory. Navigate to C:\Users, then expand your account folder (Owner'sName).

FIG. XI:

FIG. XII:
  
14. Expand the "Application Data" and "Macromedia" folders (FIG. XIII, XIV).

In Windows 7, expand the "Application Data", "Roaming", and "Macromedia" folders in that order.

FIG. XIII:

FIG. XIV:
   
15. Expand the "Flash Player" folder (FIG. XV).

FIG. XV:

   
16. Expand the "#SharedObjects" and "macromedia.com" folders.

There may or may not be a subfolder inside the "#SharedObjects" folder. The folder name will vary. If there is, click on it and delete any LSOs that it contains. If there is no subfolder, check the "#SharedObjects" folder and delete any LSOs there (FIG. XVI). 

17. Expand the "macromedia.com", "support", and "flashplayer" folders; and click the "sys" folder. Delete all LSOs and subfolders containing LSOs that are found there (FIG. XVII).

FIG. XVI:

FIG. XVII:
   

18. There are two alternate locations that may or may not contain LSOs. Those locations, under "Documents and Settings", are the "LocalService"  and "NetworkService" profiles. To check them, expand each profile, as shown in FIG. XVIII and XIX, and check the #SharedObjects and "sys" folders in each. Delete any LSOs found there:

In Windows 7, the "#SharedObjects" and "macromedia.com" folders may or may not exist in these directories. If not, ignore this step.

FIG. XVIII:

FIG. XIX:
   
After deleting all LSOs from your Macromedia folders, minimize Windows Explorer and bring up Firefox.
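The manual check in steps 11 through 18 can be repeated later with a short script. The following is an added example, not part of the original tutorial or of BetterPrivacy: it walks the whole "Flash Player" folder, reports every .sol file by location, and shows which ones a cleaner watching only one folder would miss. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Folder names as given in steps 16-17 of the tutorial.
SHARED = "#SharedObjects"
SYS_PARTS = ("macromedia.com", "support", "flashplayer", "sys")


def classify(root, path):
    """Name the storage location a file sits in, relative to the Flash Player folder."""
    parts = path.relative_to(root).parts
    if parts[0] == SHARED:
        return "shared-objects"
    if parts[:4] == SYS_PARTS:
        # A settings.sol directly inside "sys" is the global settings LSO.
        if len(parts) == 5 and parts[4].lower() == "settings.sol":
            return "global-settings"
        return "sys"
    return "other"


def find_lsos(root):
    """Return sorted (location, relative path, size) for every .sol file under root."""
    root = Path(root)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".sol"):
                p = Path(dirpath) / name
                rel = p.relative_to(root).as_posix()
                found.append((classify(root, p), rel, p.stat().st_size))
    return sorted(found)


def missed_by(found, monitored=SHARED):
    """Relative paths a cleaner would never see if it watched only `monitored`."""
    prefix = monitored.rstrip("/") + "/"
    return [rel for _loc, rel, _size in found if not rel.startswith(prefix)]


def build_sample_tree(root):
    """Constructed sample layout; the site and folder names are made up."""
    root = Path(root)
    files = {
        "#SharedObjects/ABCD1234/example.test/player.sol": b"constructed",
        "#SharedObjects/keep.txt": b"placeholder",
        "macromedia.com/support/flashplayer/sys/settings.sol": b"global",
        "macromedia.com/support/flashplayer/sys/#example.test/settings.sol": b"site",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        lsos = find_lsos(build_sample_tree(tmp))
        for location, rel, size in lsos:
            print(f"{location:16} {size:5}  {rel}")
        print("outside #SharedObjects:", missed_by(lsos))
```

To run it against a real profile, pass the path of your own "Flash Player" folder to find_lsos() instead of the sample tree.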

19. Open and select a new tab. Key in or copy and paste the URL for Adobe's (Macromedia's) Global Settings page (FIG. XX), located at (this link will open in a new tab):
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html

20. Beginning with the leftmost tab in the settings box, click each in turn and apply the following settings (FIG. XX-A through XX-F):
   

FIG. XX:
   
FIG. XX-A: (Always deny)
   
FIG. XX-B:

FIG. XX-C:

FIG. XX-D:

FIG. XX-E:

FIG. XX-F:
 
   
WRITE PROTECT GLOBAL SETTINGS

21. After specifying your settings, exit Adobe's settings page and minimize Firefox.

22. Open Windows Explorer and return to the "sys" folder in your profile's "Macromedia\Flash Player\..." directory (FIG. XXI).

FIG. XXI:

   

23. Right click on the "settings.sol" file and click "Properties." Tick the "Read only" option in the "Attributes" section near the bottom of the Properties dialog box. Click "OK" and close Windows Explorer (FIG. XXII).

You have just write protected the global settings file that you created at Adobe's Web site. This will foil attempts by third parties (underhanded Web sites) to overwrite it with a counterfeit "settings.sol" file. Make note of this file's size and the date and time that it was created and modified for future reference. A text file containing that info may be stored in the same location with the "settings.sol" file.

FIG. XXII:

   
MODIFY SETTINGS IN BETTERPRIVACY'S "OPTIONS & HELP" TAB

24. Click Firefox on the taskbar to open the browser window. Click "Tools > BetterPrivacy" to open the settings window. Click the "Options & Help" tab. Set the options as shown in FIG. XXIII. Be sure that the option, "Also delete Flashplayer default cookie...." is not checked.

NOTE: If you are interested in seeing which sites use LSOs and how many each site tries to place on your machine, leave the "Notify if new LSO is stored" option checked. A notification bar will open below the tab bar each time an attempt is made to store an LSO on your machine. If this proves too aggravating, simply uncheck the option and no more notifications will be given. BetterPrivacy will then do its job quietly. I also recommend clearing private data upon each exit from Firefox or as often as you feel you should. The browser can be set to clear regular session and tracking cookies on shut-down in "Tools > Options > Privacy (tab)".

Click "Ok". 

FIG. XXIII:

   
NOTE: Internet Explorer users should skip this step.

25. Open Tools > Options > Main and reset your home page to your previous home page.
  

INTERNET EXPLORER USERS:
   
 

26. Internet Explorer users should follow these three steps when using Firefox/BetterPrivacy for LSO control:
  1. A "home page" should be created on the hard drive, saved in a "home page" folder, and set as Firefox's home page. It can be a blank page or a page containing links to your favorite Web sites. The goal is to have Firefox open but not actively engaged on an online Web page.
      

  2. Whenever using Internet Explorer, open Firefox browser before opening Internet Explorer; then minimize Firefox to the task bar. With Firefox open and minimized, Internet Explorer can now be used with confidence that the LSOs encountered are being deleted.
       

  3. When finished, close Internet Explorer first, and then close Firefox.

 

FIG. XXIV:

   
27. Check the "sys" folder for the file "settings.sxx" and delete it.

When a Web site you've visited has tried to overwrite the global settings LSO, "settings.sol", that you have write protected, it will be unable to do so, but it will write an LSO named "settings.sxx" to the "sys" folder (FIG. XXV). BetterPrivacy does not recognize this file extension and will not delete the file. If the file exists, delete it using Shift+Delete to bypass the Recycle Bin. It is unclear whether or not the file extension ".sxx" can be read and used to alter global settings. This tutorial will be updated when more information is available. Until then, it is better to delete the file.

FIG. XXV:
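Steps 23 and 27 can be checked together with a script. The following is an added example, not part of the original tutorial: it marks "settings.sol" read-only, stores its size and modification time in a text file beside it, and later reports any change to the file or a leftover "settings.sxx". The SHA-256 hash goes beyond what the tutorial asks you to note, and the function names, note filename and sample file contents are constructed.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path

NOTE_NAME = "settings-baseline.txt"  # hypothetical name for the step 23 text file


def fingerprint(path):
    """Size and modification time (as the tutorial suggests) plus a content hash."""
    st = path.stat()
    return {
        "size": st.st_size,
        "modified": int(st.st_mtime),
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }


def protect_and_record(sys_dir):
    """Step 23: make settings.sol read-only and save its details beside it."""
    sys_dir = Path(sys_dir)
    settings = sys_dir / "settings.sol"
    # On Windows this sets the same "Read only" attribute as the Properties box.
    settings.chmod(stat.S_IREAD)
    baseline = fingerprint(settings)
    (sys_dir / NOTE_NAME).write_text(json.dumps(baseline, indent=2))
    return baseline


def check(sys_dir):
    """Return a list of findings; an empty list means nothing has changed."""
    sys_dir = Path(sys_dir)
    settings = sys_dir / "settings.sol"
    note = sys_dir / NOTE_NAME
    findings = []
    if not settings.exists():
        findings.append("settings.sol is missing")
    elif not note.exists():
        findings.append("no baseline recorded for settings.sol")
    else:
        baseline = json.loads(note.read_text())
        current = fingerprint(settings)
        changed = sorted(k for k in baseline if baseline[k] != current[k])
        if changed:
            findings.append("settings.sol differs from baseline: " + ", ".join(changed))
        # Inspect the mode bits rather than trying a write.
        if settings.stat().st_mode & stat.S_IWRITE:
            findings.append("settings.sol is no longer read-only")
    # Step 27: a blocked overwrite leaves settings.sxx in the same folder.
    if (sys_dir / "settings.sxx").exists():
        findings.append("overwrite attempt left settings.sxx")
    return findings


if __name__ == "__main__":
    # Constructed stand-in for the "sys" folder, so nothing real is touched.
    demo = Path(tempfile.mkdtemp())
    (demo / "settings.sol").write_bytes(b"constructed global settings")
    print(protect_and_record(demo))
    (demo / "settings.sxx").write_bytes(b"constructed leftover")
    print(check(demo))
```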

   
28. Allowing a site to temporarily place LSOs

There will be times when you will want to allow a site to place LSOs on your hard drive. Some functions, such as watching episodes of TV shows you've missed from the network's Web site, simply do not function properly without one or more LSOs to assist in setting player behavior and other functions.

Although that is more by design than real necessity, if you want to enjoy the service, then you'll have to play the game, so to speak. You are ultimately responsible for allowing or disallowing the LSOs onto your machine. Caution and restraint should always be used. Only sites that you trust should ever be allowed such access. A big name doesn't guarantee ethical behavior. Read the site's "Privacy Policy" to see what sort of data will be stored, what sort of personal data will be gathered, whence the data will be gathered, why it will be gathered, and how the site owners plan to use your personal data. Only allow the site to place its LSOs if you are willing to compromise your privacy to the extent that the Privacy Policy reveals. Keep in mind, too, that any and all data that the site gathers will be sold to anyone who wants it.

Such sites typically will ask to store up to 10 KB of data on your computer (one LSO), then will ask to store up to 100 KB of data (a second LSO); then a third LSO will be placed on the hard drive, which is a third party settings LSO named "settings.sol" that will completely overwrite any unprotected global settings that you set at Adobe's settings pages. If you have write protected your global settings LSO according to previous instructions (step 23, FIG. XXII), it should be moved. Do not remove the "read only" setting. Instead, temporarily move the protected "settings.sol" file to a different folder until after your business at the site is finished (FIG. XXVI).

After moving the protected settings file, you may have to reload the page to allow the site to load its own "settings.sol" file and load the Flash content correctly.

When you are ready to leave the Web page, deselect BetterPrivacy's option, "On cookie deletion, also delete empty cookie folders", delete all the LSOs that the site placed on your machine (some sites will clean up after themselves as you close the page or navigate away from the site), and move your write protected "settings.sol" file back into the "sys" directory. Reconfigure BetterPrivacy's settings (FIG. XXVII).

A workaround to prevent the deletion of empty "sys" and "#SharedObjects" folders and retain your BetterPrivacy setting would be to place a small text file in the folders (one or two words of your choice saved as a ".txt" file is fine). If there is anything at all in the folder other than LSOs, BetterPrivacy will not delete the folder. This will allow the automatic deletion of any subfolders that the site created for its LSOs without altering the Flash Player file structure. Making the text files "read only" will ensure that they aren't deleted.

FIG. XXVI:

FIG. XXVII:
   
FIG. XXVIII:
  
FURTHER READING:

This concludes this tutorial. For more about LSOs and PIEs (Persistent Identification Elements) and their potential for abuse, invasion of privacy, and worse, visit the following links:

Company Bypasses Cookie-Deleting Consumers

How Online Tracking Companies Know Most of What You Do Online (and What Social Networks Are Doing to Help Them)

Flash Player Worries Privacy Advocates

The Web cookie is crumbling – and marketers feel the fallout

New Cookie Technologies: Harder to See and Remove, Widely Used to Track You

How Flash Cookies Threaten Your Privacy

Flash Cookies and Privacy

Sites pulling sneaky Flash cookie-snoop; Academics fret over privacy threat

Flash Cookie Researchers Spark Quantcast Change

Video: Delete Flash cookies to protect online privacy

Flash Cookies? What are Flash Cookies?

Flash cookies: What's new with online privacy

CCleaner v2.28

What’s The Danger In Flash Cookies On Your Mac?

Top websites using Flash cookies to track user behavior

Local Shared Object

Local Shared Objects -- "Flash Cookies"

How to manage and disable Local Shared Objects

Flash Cookies: The Silent Privacy Killer

You Deleted Your Cookies? Think Again

 

© 2010 by Al Swilling, Hixson, TN 37343. All Rights Reserved.
Permission is not required to link to this article at this Web site.
  For Permission to Publish this article on or distribute from your Web site,
Contact Al Swilling at senaa@senaa.org