Flash on iPhone: Video Dream or Privacy Nightmare?
The internet in your pocket. That’s what Steve Jobs and Apple advertising have promised us since Macworld 2007. Not the watered-down WAP internet, the server-pre-rendered kinda-sorta-internet, or the stunted mobile internet. Just... the internet.
About the only thing missing, many would argue, is Flash.
Adobe’s ubiquitous interactive, multi-media technology powers everything from online office apps to easily embedded video clips to in-our-face banner adds. It also powers it’s own “cookie” (online state-saving and tracking) system. Didn’t know that? Advertisers do. They already exploit Flash cookies on the desktop. And as much as we want our videos clips on the iPhone, they want their cookies more. After all, the iPhone is the “next generation mobile” devices -- the one that know everything about us, including who we are and where we are, with all of our private contacts and secure contents just there for the tracking, aggregating, and selling.
The Good, the Bad, and the Flashy
Flash’s general pros and cons have been debated up and down the web. On the pro side, countless users clamor for access to the gigantic online video libraries (both popular and “adult”) that leverage Flash for deployment, as well as web-based applications that use Flash as a development environment. For the cons, the proprietary nature (Adobe owned), accessibility issues, DRM, search engine un-friendliness, and standards non-compliance, along with the history of resource issues with OS X (memory and CPU) raise red flags galore.
Even Steve Jobs, whose company makes and markets both the iPhone and the arguably competitive QuickTime technology, has weighed in: Flash desktop too heavy, Flash Lite not heavy enough, and what iPhone needs just plain missing in between.
But the one issue we haven’t heard much debate about is also potentially the most troubling: Privacy.
The Cookie Conundrum
Most of us are familiar with bowser cookies, those little text strings placed on our systems by many (if not most) modern websites.
Cookies were originally designed to innocently preserve state (the current condition(s) of the browser). For example, when we log into a website a cookie is placed on our system so that the website can keep us logged in as we browse from page to page. This benefits us because it makes our lives easier -- we don’t have to login over and over again each time we change pages. Likewise, we benefit from cookies that maintain our preferences or keep track of our secure connections.
Online advertisers quickly saw benefits of their own. With cookies, advertisers can track us not only through their own sites but across the web. And they can use that data to more specifically target their advertising to us, and they can package our data (aggregated with the data of thousands or millions of others) and sell it for their own profit. While we (consumers) may benefit from this in certain narrow cases (Amazon providing better recommendations when we visit the site, or loyalty programs offering discounts on purchases), we are not formally compensated (they don’t share revenue), and it can be difficult or impossible for us to opt-out (ask and ensure that they don’t track us or sell our data).
Luckily, because of the privacy and security issues raised by cookies most modern browsers, including Apple’s Safari (including Mobile/Touch Safari on the iPhone), Microsoft’s Internet Explorer, and Mozilla’s Firefox provide settings to delete or even disable them entirely.
Advertisers know this, of course, and they don't much like it. Enter Flash cookies.
The Flash plugin is installed on almost every browser on every computer on the internet, and not only does it provides a cookie system all its own, it provides a way to tie Flash cookies back into browser cookies.
So, what’s the big deal? If old fashioned browsers are already storing cookies, what’s the difference if Flash does it as well?
The difference is that most end-users are completely unaware of Flash cookies. We don’t know that Adobe is providing a way to track our information, we don’t know that they are re-enabling browser cookies we’ve gone to the trouble of removing, and we certainly don’t know how to stop or prevent them from doing it.
To give a typical example, we go to a commercial site and it sends a cookie to our browser. We’ve set Firefox to refuse or delete cookies on exit, so we don’t worry about it. Our history is a clean slate. However, this site also sends a cookie to Flash. We go online again and the Flash cookie doesn’t see a clean slate, it sees everything, and it just keeps on tracking us again (and maybe even sees that we’ve deleted our browser cookie and picks up that trail as well). We’ve lost control of our own privacy.
Not so bad? Imagine it was a cheap film-noir detective following us everywhere we go. The store. The bank. Our office. Our bedroom. How would that feel?
Now remember the iPhone knows who we are. It holds all of our private contacts and personal data. And it knows where we are. Google and Skyhook have driven down our streets and through our neighborhoods mapping cell towers and even the Wi-Fi routers in our homes. And EDGE and Wi-Fi allow a virtual open pipe between the devices in our hands and the servers at Apple, Google, Yahoo, the carriers, and now with the iPhone SDK, any developer calling CoreLocation services. And who knows who else? (Not us, that’s for certain.)
So now we not only have our film-noir detective following us around, but we have him (potentially) accessing our phone, digging through our pockets, our wallets, and virtually low-jacking our each and every move. Bigger deal yet?
PCs and Macs have had security experts, privacy advocates, and massive user bases pounding away on them for years. On the desktop transparency is higher, architecture is more easily explored, and environments are far more open and customizable. If we don’t want a certain app, daemon, or service running, chances are someone’s already posted instructions on how to stop or remove it. And if we need an app, daemon, or service to help fix an existing privacy or security problem, chances are someone’s already developed it.
Not true on the iPhone. Though it’s given us a desktop-class browser and has made us comfortable (and indeed eager) to browse on a mobile device, Apple’s “next revolutionary platform”, even post-SDK, is far more of a black box than a little beige one.
(This is not to say people like noted pre-SDK developer Erica Sadun and countless others won’t bang on the iPhone faster and harder than ever to find out, its simply the state things are now and may well remain for most casual iPhone users who don’t scour the blogsphere on a daily basis).
And the Cons Have It
As a longtime corporate web developer who has routinely used Flash (though never Flash cookies!) for years, I thought I would miss it on the iPhone, and that I would quickly file a feature request with Apple and add my voice to the endless comment stream demanding it.
Turns out, not so much.
The clean, low overhead, open standards-based web experience Apple has promoted is compelling. I don’t miss the noisy banner adds, the instant-on video clips, and most importantly, I don’t miss Flash cookies.
But What About our Vidz??!1
While Apple already provides a YouTube app, having struck a deal with the Google-owned online video mega-power to transcode their content from Adobe's codec to the iPhone-friendly MP4 (H.264) format, all this still leaves us with many, many other sites (among the fastest growing on the web, no less) still rocking the Flash, and thus excluded from our mobile enjoyment. What about them?
Adobe itself has recently announced support for H.264 encoded video in Flash, so there's always the chance they may produce Steve Jobs' "just right" sized Flash solution in-between Lite and desktop.
Third party WebApp and native App developers have also discussed technologies that would that would transcode Flash video to H.264 specifically for the iPhone, so if Adobe and Apple can't get it together, maybe some enterprising young startup will?
Let's just hope, whatever the solution and where ever it comes from, it provides the excellent user-experience iPhone owners have come to expect, and at the same time allows for the privacy and security control we now demand.
Appendix: Flash Cookie Management
Steve [Gibson]: So I wanted to mention that to everyone whos listening because many people wrote in having done this experiment. They deleted their cookies, they emptied their browser cache, they shut down their browser, they rebooted their computer, they took their laptop to somewhere else, and they were - and literally at least 40 people wrote in and said, “It still knew me. How did it know me?” And so I appreciated this confirmation that this use of Flash cookies is becoming more widespread, clearly in this case, as he says three out of the three financial institutions he used plant Flash cookies.So to all listeners, into Google you want to put “Flash player settings manager.” Just put in “Flash player settings manager,” and you get a link to Macromedia, maybe it says Adobe now, Im not sure, I dont remember whether theyve changed the URL. But the point is, most of us have Flash loaded in our machines now, which unfortunately is why the banks have all started using it. Its something that survives, as many listeners have discovered, it survives casual cookie deletion. And exactly as this guy has mentioned, it annoys him because it is unknown and is unclear.The good news is, its possible to control these settings and to prevent sites from using Flash cookies if for some reason you really didnt want that, or to restrict sites that you have specifically allowed. Anyway, theres good Flash cookie management available, and its a web-based interface. You dont use your local Flash player, running it like standalone, because it is an embedded web page object. Instead, if you put in “Flash player settings manager,” thatll take you to the Flash site, where youre then able to go to some web pages to bring up a little tabbed interface. Basically it runs your Flash player on the page and gives you access to a user interface you never knew you had. And youre able to browse through and see the domains that have registered cookies on your machine. You can delete them right there. Youre able to change settings. Youre able to do some worrisome things, like you can tell it dont ever turn on my microphone and camera without letting me know. Its like, okay, well, thats probably a good thing to tell it. So youre able to do that and a number of other things.So again, “Flash player settings manager,” and poke around in there. Youll find out who has stored cookies, so you know. Youre able to delete them. Youre able to then block them and prevent them from changing. Anyway, theres a whole bunch of tabs and settings that are definitely worth poking around in.