Flash on iPhone: Video Dream or Privacy Nightmare?


The internet in your pocket. That’s what Steve Jobs and Apple advertising have promised us since Macworld 2007. Not the watered-down WAP internet, the server-pre-rendered kinda-sorta-internet, or the stunted mobile internet. Just... the internet.

In large part, they’ve succeeded. By promoting open, standards-based support for HTML (HyperText Markup Language) structure, CSS (Cascading Style Sheets) design, JavaScript actions, and the hybrid interactive richness of AJAX (Asynchronous JavaScript and XML) that enable WebApps, Apple has brought us the closest thing yet to a desktop-class browsing experience on our mobiles.

About the only thing missing, many would argue, is Flash.

Adobe’s ubiquitous interactive, multi-media technology powers everything from online office apps to easily embedded video clips to in-our-face banner ads. It also powers its own “cookie” (online state-saving and tracking) system. Didn’t know that? Advertisers do. They already exploit Flash cookies on the desktop. And as much as we want our video clips on the iPhone, they want their cookies more. After all, the iPhone is the “next generation mobile” device -- the one that knows everything about us, including who we are and where we are, with all of our private contacts and secure contents just there for the tracking, aggregating, and selling.

The Good, the Bad, and the Flashy

Flash’s general pros and cons have been debated up and down the web. On the pro side, countless users clamor for access to the gigantic online video libraries (both popular and “adult”) that leverage Flash for deployment, as well as web-based applications that use Flash as a development environment. On the con side, the proprietary nature (Adobe owned), accessibility issues, DRM, search engine un-friendliness, and standards non-compliance, along with the history of resource issues with OS X (memory and CPU), raise red flags galore.

Even Steve Jobs, whose company makes and markets both the iPhone and the arguably competitive QuickTime technology, has weighed in: Flash desktop too heavy, Flash Lite not heavy enough, and what iPhone needs just plain missing in between.

But the one issue we haven’t heard much debate about is also potentially the most troubling: Privacy.

The Cookie Conundrum

Most of us are familiar with browser cookies, those little text strings placed on our systems by many (if not most) modern websites.

Cookies were originally designed to innocently preserve state (the current condition(s) of the browser). For example, when we log into a website a cookie is placed on our system so that the website can keep us logged in as we browse from page to page. This benefits us because it makes our lives easier -- we don’t have to log in over and over again each time we change pages. Likewise, we benefit from cookies that maintain our preferences or keep track of our secure connections.

Online advertisers quickly saw benefits of their own. With cookies, advertisers can track us not only through their own sites but across the web. And they can use that data to more specifically target their advertising to us, and they can package our data (aggregated with the data of thousands or millions of others) and sell it for their own profit. While we (consumers) may benefit from this in certain narrow cases (Amazon providing better recommendations when we visit the site, or loyalty programs offering discounts on purchases), we are not formally compensated (they don’t share revenue), and it can be difficult or impossible for us to opt-out (ask and ensure that they don’t track us or sell our data).

Luckily, because of the privacy and security issues raised by cookies, most modern browsers, including Apple’s Safari (including Mobile/Touch Safari on the iPhone), Microsoft’s Internet Explorer, and Mozilla’s Firefox, provide settings to delete or even disable them entirely.

Advertisers know this, of course, and they don't much like it. Enter Flash cookies.

Flash Bang

The Flash plugin is installed on almost every browser on every computer on the internet, and not only does it provide a cookie system all its own, it provides a way to tie Flash cookies back into browser cookies.

So, what’s the big deal? If old fashioned browsers are already storing cookies, what’s the difference if Flash does it as well?

The difference is that most end-users are completely unaware of Flash cookies. We don’t know that Adobe is providing a way to track our information, we don’t know that they are re-enabling browser cookies we’ve gone to the trouble of removing, and we certainly don’t know how to stop or prevent them from doing it.

To give a typical example, we go to a commercial site and it sends a cookie to our browser. We’ve set Firefox to refuse or delete cookies on exit, so we don’t worry about it. Our history is a clean slate. However, this site also sends a cookie to Flash. We go online again and the Flash cookie doesn’t see a clean slate, it sees everything, and it just keeps on tracking us again (and maybe even sees that we’ve deleted our browser cookie and picks up that trail as well). We’ve lost control of our own privacy.

Not so bad? Imagine it was a cheap film-noir detective following us everywhere we go. The store. The bank. Our office. Our bedroom. How would that feel?

Now remember the iPhone knows who we are. It holds all of our private contacts and personal data. And it knows where we are. Google and Skyhook have driven down our streets and through our neighborhoods mapping cell towers and even the Wi-Fi routers in our homes. And EDGE and Wi-Fi allow a virtual open pipe between the devices in our hands and the servers at Apple, Google, Yahoo, the carriers, and now with the iPhone SDK, any developer calling CoreLocation services. And who knows who else? (Not us, that’s for certain.)

So now we not only have our film-noir detective following us around, but we have him (potentially) accessing our phone, digging through our pockets, our wallets, and virtually LoJacking our every move. Bigger deal yet?

PCs and Macs have had security experts, privacy advocates, and massive user bases pounding away on them for years. On the desktop, transparency is higher, architecture is more easily explored, and environments are far more open and customizable. If we don’t want a certain app, daemon, or service running, chances are someone’s already posted instructions on how to stop or remove it. And if we need an app, daemon, or service to help fix an existing privacy or security problem, chances are someone’s already developed it.

Not true on the iPhone. Though it’s given us a desktop-class browser and has made us comfortable (and indeed eager) to browse on a mobile device, Apple’s “next revolutionary platform”, even post-SDK, is far more of a black box than a little beige one.

(This is not to say people like noted pre-SDK developer Erica Sadun and countless others won’t bang on the iPhone faster and harder than ever to find out; it’s simply the state things are in now, and may well remain for most casual iPhone users who don’t scour the blogosphere on a daily basis.)

And the Cons Have It

As a longtime corporate web developer who has routinely used Flash (though never Flash cookies!) for years, I thought I would miss it on the iPhone, and that I would quickly file a feature request with Apple and add my voice to the endless comment stream demanding it.

Turns out, not so much.

The clean, low overhead, open standards-based web experience Apple has promoted is compelling. I don’t miss the noisy banner ads, the instant-on video clips, and most importantly, I don’t miss Flash cookies.

But What About our Vidz??!1

While Apple already provides a YouTube app, having struck a deal with the Google-owned online video mega-power to transcode their content from Adobe's codec to the iPhone-friendly MP4 (H.264) format, all this still leaves us with many, many other sites (among the fastest growing on the web, no less) still rocking the Flash, and thus excluded from our mobile enjoyment. What about them?

Adobe itself has recently announced support for H.264 encoded video in Flash, so there's always the chance they may produce Steve Jobs' "just right" sized Flash solution in-between Lite and desktop.

Third party WebApp and native App developers have also discussed technologies that would transcode Flash video to H.264 specifically for the iPhone, so if Adobe and Apple can't get it together, maybe some enterprising young startup will?

Let's just hope, whatever the solution and wherever it comes from, it provides the excellent user experience iPhone owners have come to expect, and at the same time allows for the privacy and security control we now demand.

Appendix: Flash Cookie Management

Noted security expert Steve Gibson has previously provided instructions on how to manage Flash privacy settings and control cookie behavior:

Adobe Flash Settings Manager

Steve [Gibson]: So I wanted to mention that to everyone who’s listening because many people wrote in having done this experiment. They deleted their cookies, they emptied their browser cache, they shut down their browser, they rebooted their computer, they took their laptop to somewhere else, and they were - and literally at least 40 people wrote in and said, “It still knew me. How did it know me?” And so I appreciated this confirmation that this use of Flash cookies is becoming more widespread, clearly in this case, as he says three out of the three financial institutions he used plant Flash cookies.

So to all listeners, into Google you want to put “Flash player settings manager.” Just put in “Flash player settings manager,” and you get a link to Macromedia, maybe it says Adobe now, I’m not sure, I don’t remember whether they’ve changed the URL. But the point is, most of us have Flash loaded in our machines now, which unfortunately is why the banks have all started using it. It’s something that survives, as many listeners have discovered, it survives casual cookie deletion. And exactly as this guy has mentioned, it annoys him because it is unknown and is unclear.

The good news is, it’s possible to control these settings and to prevent sites from using Flash cookies if for some reason you really didn’t want that, or to restrict sites that you have specifically allowed. Anyway, there’s good Flash cookie management available, and it’s a web-based interface. You don’t use your local Flash player, running it like standalone, because it is an embedded web page object. Instead, if you put in “Flash player settings manager,” that’ll take you to the Flash site, where you’re then able to go to some web pages to bring up a little tabbed interface. Basically it runs your Flash player on the page and gives you access to a user interface you never knew you had. And you’re able to browse through and see the domains that have registered cookies on your machine. You can delete them right there. You’re able to change settings. You’re able to do some worrisome things, like you can tell it don’t ever turn on my microphone and camera without letting me know. It’s like, okay, well, that’s probably a good thing to tell it. So you’re able to do that and a number of other things.

So again, “Flash player settings manager,” and poke around in there. You’ll find out who has stored cookies, so you know. You’re able to delete them. You’re able to then block them and prevent them from changing. Anyway, there’s a whole bunch of tabs and settings that are definitely worth poking around in.

Rene Ritchie

Editor-in-Chief of iMore, co-host of Iterate, Debug, Review, The TV Show, Vector, ZEN & TECH, and MacBreak Weekly podcasts. Cook, grappler, photon wrangler. Follow him on Twitter and Google+.

There are 17 comments.

Dieter Bohn says:

Alright, I have to set up a twitter acct for PD. I discovered this post was up from yours, rene!

Rene Ritchie says:

LOL! I'd *love* a Twitter feed for Phone different. OMGplz!1
Here's the Digg link:
http://digg.com/apple/Flash_on_the_iPhone_Video_Dream_or_Privacy_Nightmare

surur says:

Is this another article to make iPhone users feel better about the deficiencies of their device, e.g. "Why EDGE is superior!" and "No cut-and-paste means no-one can ever accuse you of plagiarism!"
Or is this just planting the Fear in FUD?
Surur

Rene Ritchie says:

Neither. It's pointing out important privacy and security concerns which people should be aware of and know how to manage, be it on the iPhone or the desktop.

surur says:

"Neither. It's pointing out important privacy and security concerns which people should be aware of and know how to manage, be it on the iPhone or the desktop."
I missed your article on how Apple will know exactly which Apps you buy, and how to prevent their targeted advertising. Is that next in the series?
Surur

Dieter Bohn says:

@rene: Just added the "simple" digg link to all posts!

Rene Ritchie says:

@Dieter: nice!
@Surur: That's also an important point, as is telco tracking via IMEI. However, these are "first party" relationships and to some extent you know that scorpion when you pick it up. With ad cookies, those are "third party" and you may not have any idea who you're being recorded by (see the recent Paypal/Double-Click link scandal for an example)

Dieter Bohn says:

@surur - Yes, legit point for sure. OTOH, granular cookie management is much easier on a WinMo device than it is on the iPhone -- I doubt that Apple plans to introduce it and I'd be surprised to see a 3rd party app be able to do the same. So if Flash is able to smuggle in cookies, that's a bigger issue on the iPhone than it is on another device.

Rene Ritchie says:

@Dieter, does WinMob actually provide specific Flash cookie management? It's fairly obscure even on the desktop (as mentioned on the article, you need to go to a Macromedia weblink -- though some might be surfaced on plugin settings as well).
Bottom line, and as a guy who works in IT and has to deal with security, Flash are a dodgy technology to me and I wish Adobe was more upfront about them and provided far more obvious and easily accessible privacy controls for end-users.

Josh says:

On OSX these cookies are in ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/RARVP7KA/
and ~/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/
and can be deleted through the Finder.
(On my system anyways...)
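
The `#SharedObjects` location given in the comment above can be audited with a short script. This is an added example, not part of the original post or its comments; it assumes the usual `<random directory>/<domain>/.../<name>.sol` nesting and the commonly documented `.sol` header layout, and the sample domains and object names are constructed.

```python
import struct
import tempfile
from collections import defaultdict
from pathlib import Path

def sol_name(path):
    """Return the object name from a .sol header, or None if it does not parse.
    Assumed layout: 00 BF, u32 length, "TCSO", 6 bytes, u16 name length, name."""
    data = path.read_bytes()
    if len(data) < 18 or data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        return None
    (name_len,) = struct.unpack(">H", data[16:18])
    return data[18:18 + name_len].decode("utf-8", "replace")

def audit_flash_cookies(root):
    """Map each storing domain to a sorted list of (path, object name, size).
    root is the #SharedObjects directory, e.g. on OS X
    ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects (expand ~ first)."""
    report = defaultdict(list)
    for sol in Path(root).rglob("*.sol"):
        parts = sol.relative_to(root).parts
        # parts[0] is the random directory, parts[1] the domain that stored it
        domain = parts[1] if len(parts) >= 3 else "(unknown)"
        report[domain].append(
            ("/".join(parts[2:]), sol_name(sol), sol.stat().st_size))
    return {d: sorted(v) for d, v in report.items()}

def build_sample_tree(root):
    """Write a constructed tree (made-up domains and names) for offline runs."""
    def sol(name):
        body = (b"TCSO\x00\x04\x00\x00\x00\x00"
                + struct.pack(">H", len(name)) + name.encode() + b"\x00" * 4)
        return b"\x00\xbf" + struct.pack(">I", len(body)) + body
    samples = {"RANDOM01/ads.example/tracker.sol": sol("tracker"),
               "RANDOM01/bank.example/login/device.sol": sol("device"),
               "RANDOM01/bank.example/broken.sol": b"not a shared object"}
    for rel, data in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for domain, objs in sorted(audit_flash_cookies(tmp).items()):
            print(domain, objs)
```

Run against the real `#SharedObjects` directory, the report lists every domain that still has a shared object on disk after the browser's own cookies have been cleared.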

Rene Ritchie says:

Thanks Josh. It's obscure cookie handling like that which gives me pause about Adobe and their intentions.

michael allen jones says:

The "Very Shortly" was posted in Feb of 2008, it's now Feb of 2009, Where's the Beef?
We're leaning to the new Storm Blackberry. Supports everything we need. We're a media company, We have over 60 iphones and we're tired of not being able to see our own clients web needs on the spot. Last year we picked up the iphones not thinking this would become a long time problem. It's 2009 and we can't wait any longer. We would love to come back some day but it seems hopeless with the EGO of Steve.
The Storm has better resolution and better sound. What I really care about is the flash and video. Future is now. I will miss my apps but this is business. We're a MAC based operation, and didn't really want to make these changes but again we cannot wait another penny. My employees are constantly having to pull over to the local coffee house and whip out a latte and the laptop just to help a client. TIME AND MONEY. Plus it really ticks me when we're trying to move forward in thinking yet it feels like we're moving back in time with capability. Clients want it now, and that's my bottom line. Now is what my clients get.
Apples new motto should be "Lose the EGO Steve". Wake up Steve it's 2009.

Josiah Sloon says:

very wonderful to read it :D
