Harry Waldron - Corporate IT Security

Pingback from  Luc Ippersiel.com ??? My Geek Life  » Blog Archive   » How-To… Protect Against PIEs

The excerpt below is taken from the Wikipedia's article on PIE. The last two paragraphs reveal how the Flash Control Panel settings are a sham because they can easily be overridden by Visual Basic Script or similar code running on web pages!!!  There is no way for us to stop this without changing some laws!

Internet Privacy/Persistent Identification Elements

See also: Local Shared Object

Flash Player is an application that, while running on a computer that is connected to the internet, is designed to contemporaneously interact with websites containing Flash content that are being visited online. As such, under certain configurations the application has the potential to silently compromise its users' internet privacy, and do so without their knowledge. By default, Flash Player is configured to permit small, otherwise invisible "tracking" files, known as Persistent Identification Elements (PIE)[3] or Local Shared Object files, to be stored on the hard drive of a user's computer. Sent in the background over the internet from websites to which a user is connected, these files work much the way "cookies" do with internet browsers. When stored on a user's computer, PIE (.sol) files are capable of sending personally sensitive data back out over the internet without the user's knowledge to one or more third parties. In addition, Flash Player is also capable of accessing and retrieving audio and video data from any microphone and/or webcams that might be either built in or connected to a user's computer and transmitting it in realtime over the internet (also potentially without the user's knowledge) to one or more third parties.

While these capabilities can all be affirmatively blocked and/or disabled by the user, the Flash Player application does not provide an internally accessible "preferences" panel to accomplish this. Instead access to the various settings panels necessary to manage the application's "Privacy," "Storage," "Security," and "Notifications" settings can be achieved through a web-based "Settings Manager" page located on the "support" section of the Adobe.com website, or by third party tools (see Local Shared Object). Each of the functions can be enabled/disabled either "globally" to cover all websites, or set differently for individual websites depending on how the user desires Flash Player to be able to interact with each one.

Whilst the Flash Control Panel Settings in theory allow users to protect their Privacy it should be remembered that suitably crafted Visual Basic Script or similar code can overwrite any user defined settings before the Flash Player Plug-in is called by a Webpage.

In addition to cookies, many banks and other financial institutions also routinely install Persistent Identification Elements using Flash Player on users' hard drives when they establish and access their accounts, as do other interactive sites such as "YouTube" and the like.