The new version of Adobe's Flash, currently in beta, makes its privacy settings more prominent and explicit to the user and also supports private browsing, which lets a user browse without logging his browsing history on his machine.
Adobe says it added these features due to concerns that some websites were using Flash's local storage features to store machine IDs without the user's consent or knowledge. For example, even if a user had cleared his cookies, these sites would keep a backup of them in Flash's Local Storage so they could restore the deleted cookies -- without the user knowing or realizing it.
Many ecommerce and online banking sites use these so-called user "tags" to confirm the user is legitimate and to prevent unauthorized access to legit user accounts on their sites. But Adobe's move to let users wipe Flash cookies clean signals the end of this practice, security experts say, making it obsolete in the next three years.
Adobe maintains that its existing local storage features in Flash weren't meant for storing machine IDs without the user's permission or knowledge. "Protecting end-user privacy is an important issue to Adobe, and we are continuously investigating new ways to help ensure that our customers can control their own information," an Adobe spokesperson said.
But industry analysts say regulatory pressure from the European Union's new privacy laws, as well as the possibility of U.S. Federal Trade Commission rules aimed at companies that track customers online without their consent or knowledge, were the main reasons for Adobe's privacy features in Flash. "This is basically Adobe moving in this direction in response to EU rules and regulations," says Avivah Litan, vice president and distinguished analyst at Gartner.
In a letter (PDF) to the Federal Trade Commission earlier this year, Adobe said it will continue to take actions to stop the "misuse of Local Storage to re-spawn cookies after the user has deleted them" and that it has contacted "major browser companies" to figure out how users can easily control their Flash Local Storage when they configure their privacy settings in their browsers.
Meanwhile, Gartner's Litan says the fallout from the new Flash privacy features is another example of how privacy and fraud protection often clash. "A lot of rules protecting consumer privacy are bad for fraud protection," says Litan, who recently wrote a research note regarding the conflict between privacy and fraud detection.
If Flash's new privacy features are widely adopted by users, then it will have a major ripple effect on online banking, she says. "Not only does it make the settings [more prominent], but whenever a website tries to drop a Flash object on a PC...an ominous message comes on the screen and asks, 'Do you really want this code on your PC?' Most users are going to say no," Litan says.
Legitimate users, too, could feel the pinch if the site can't use their cookies. Ori Eisen, founder and chief innovation officer for 41st Parameter, says it could degrade the user experience. "Up until now, you were a customer for 10 years that was never challenged...you were recognized by your cookie they placed on your [machine] or in Flash. When you invoke this new Flash [privacy] technology, we have to challenge you at the door" if the website doesn't deploy a new form of fraud detection, Eisen says. That will affect both the user experience and the call center that must field complaints, he says.
Eisen predicts that the arrival of the new version of Flash will result in about 5 percent of legitimate customers being challenged: "After June, they're going to have a customer service issue on their hands," he says of websites that still rely on Flash objects.
And businesses will be forced to adopt different fraud prevention approaches, which Litan says is good news for fraud detection: "Banks and others will have to rely on more sophisticated technologies," she says. "Flash objects and cookies are good at identifying good people, but they do nothing to identify bad people. Bad people aren't going to have these objects on their PCs."
Some of the largest financial institutions and ecommerce players already are starting to implement alternative authentication methods, she says. She suggests clientless device identification as well as secure downloads of tagging software users can be prompted to execute.
41st Parameter's Eisen, meanwhile, says it all comes down to the Web's inherent lack of security. "We've been patching it nicely since 1995, but the house of cards is beginning to shake," he says. "We may start to think...about what to do to solve the security problems as an industry."