Does Flash watch you? Someone with a blog named Tom wrote how they just noted the Macromedia Flash Player 6 can ask your permission to turn on your cam or mic. This got Slashdotted half-a-year ago. Someone called "Chuck" quickly set him straight today (thank you, mysterious stranger ;-).
But now I see that both Dave Winer and Doc Searls have pushed the visibility higher, phrasing it as "What does DoubleClick see when they look at you through their ads?" Read it again, fellows... think it through. With the traffic you give to links you do have a certain responsibility.
Recap: If you've got a cam, then the Flash Player is capable of using it, but only if you give permission to that site to do so. Do a context-click in the Player to see your current permission settings. These permissions are stored on your local drive and are under your control. Click that little "?" button in the Player's settings to learn more. posted 11/26/2002 02:47:04 PM [link]Comment (9)
[Anonymous comments may be edited, but if you own your words then they're yours.]
I didn't say "ho-hum".. please don't mischaracterize me. The prior misperception on Slashdot just signifies this is not a new issue.
Counting your links, we have had two instances of such misperception over the last ten months. This is a pretty good record, but also means that we have to again re-evaluate whether the UI and text can be made even clearer so that we don't get a third such report.
"if anyone told me that a new facility had been added to my shaving mirror, or cereal bowl, or telephone, that could enable them to record video and sound and relay it to anyone else without my knowing about it..." I thought you understood that this does not occur... that you must give explicit permission for your cam or mic to be used?
"When some ''major media outlet'' finally does this story, the ho-humness of it will not be much in evidence." Again, you are visualizing ho-hum, but I do consider Slashdot and Winer/Searls to be the equivalent of "major media outlets". Associated Press would probably contact us before publishing a story, but these are just two different styles of fact-checking. jd | Email | Homepage | 11.27.02 - 5:30 pm
What I "understood" is that you assert this permission feature to be the case. What you seem not to have quite asbsorbed is that for the end user, this assertion is not universally and incontrovertably sufficient to allay concerns. I can think of numerous questions, contingencies, possibilities, which your blanket assurance neither addresses nor, I suspect, imagines. There is a gap between what the owner of the code conceives, and what the end user of the code is concerned with, and it is a very large gap. It is the task of communication to bridge it, and I am advising you that the bridge in this case is incomplete. Let me just offer one question which I did not see answered in your privacy info: Suppose I'm playing some game with friends, and we have the "allow" feature turned on to facilitate play. Later, I go on to other things, forgetting to turn it off. What happens when the next cloying flash 6 ad appears on my screen? Tom Matrullo | Email | Homepage | 11.27.02 - 11:17 pm
Thanks. As I noted, folks here are open to improving that documentation to allay such concerns. Specifics would help me make that case to others, and more accurately target areas which could be improved.
For instance, is the document too long? not long enough? Is there a specific area that read ambiguously to you?
For "suppose I'm playing a game with friends", that "Remember" option controls whether this is a perpetual permission or a one-time permission. If you wish to review and possibly change some permissions, then that Settings Manager page will read your current locally-stored permissions and allow you to inspect and edit them. (Permissions are stored on a per-domain basis.)
If there are other ambiguities you see then I could profitably use them to help others, thanks in advance.
jd | 11.28.02 - 1:52 am
I think I can see more clearly now how the gap between producer and end user is less just a fillable hole and more like a discontinuity. You invite me to point to "ambiguities," but the problem is that we are less in a realm of ambiguity - a relatively mild form of semantic suspense - than in a mode of radical uncertainty. See, for example, a comment like this on a blog I just now ran across:
"I don't believe the reassurances that users will have to click "allow" because we already see the tendencies of interfaces to use default settings and "opt out" clauses that are very hard for newbies to be aware of or even find--these border collie web-style herding exercises online being mostly practiced by Microsoft in setting browser defaults for the helper PLUGINs. Yeah, them again." (from http://radio.weblogs.com/0109581/2002/11/27.html)
The point is, we are beyond clarifying ambiguous speech and far into the realm of trust, confusion, and potential mischief. There is no way some privacy manual is going to dispel this. I do have one suggestion: Every ad and every instance of Flash 6 which carries this capability should have a warning label clearly in evidence: e.g., "Caution - this ad could be watching or listening to you - click for details." Anything less obtrusive just doesn't meet the standard for respecting the privacy of people at home or at work. Tom Matrullo | Email | Homepage | 11.28.02 - 6:44 pm
Every ad and every instance of Flash 6 which carries this capability should have a warning label clearly in evidence: e.g., "Caution - this ad could be watching or listening to you - click for details."
If an ad does seek permission to use your cam, it will already pop up a request for such permission.
Are we agreed on this point yet? jd | 11.29.02 - 2:55 pm
I think you exaggerate the importance of this point. Let me grant it for the sake of argument. Still, it sits within a context of other "points" that are far from equally clear or agreeable, and which impinge on the value of this point. E.g., a very small instance: my kid is playing some game, and turns on "allow." A while later, I am working on the computer. How do I know whether it is watching me? How does anyone know that it is watching and/or listening, if they were not there when "allow" was set?
I have to respectfully go along with Tom here. I do usability too, and can appreciate the challenge of it. Even in your note to me (and above) you write that the user should be clicking on a question mark in the player (aside from the popup window that would come up).
That is all well and good for Tom and I and many other longtime users of plugins and players. I don't relish the idea of having to go and click on a question mark to find out an answer to something, a click away, not a walk-through, not a well-publicized thing. Usability research shows again and again that the further steps away a piece of information is from the user, the less likely the user will take the steps to get to it.
MOST users are unaware of how plugins get on their machines, even RealPlayer plugins, or Quicktime or Stuffit plugins. And why? Because if the plugin takes too many extra steps, people won't get it. I know Macromedia has been fighting this battle from the get-go. I've watched your plug-in steps evolve over the years, streamlining all the way, and I've been glad. The easier you make it for folks to get plugins, the better for me to be able to successfully usability test my Flash modules an an average user's home machine without getting that damn broken icon.
Netscape has addressed this issue as well with Smart Install features to encourage people to update their browsers. And we all find ourselves doing ethnographic usability observation in home AND office settings where you watch in horror as someone opens your site on a 386 machine, 640x480 256 color monitor, and Netscape 3 or 4. I'm not talking 2 years ago. I'm talking now.
These are the users we have to worry about. They have their TiVo and its competitors and THEY DON'T KNOW they can question interface features, or even inquire about them. And just because they don't know doesn't mean they don't deserve privacy. That would be the point I was making.
Tom: I'm glad we're past the point of "does computer spy on me!?", and have now moved into "what if someone in my house messes with my computer?"
If you give people you don't trust access to your computer, then for the Flash part, you can always use the previously-mentioned Settings Manager to see if they gave DoubleClick perpetual permission to look at you (assuming they had the bandwidth to do so). You should also definitely run anti-virus software, updated, check for newly-installed software on your computer, check for newly-deleted software on your computer, check browser history and cache, secure any personal files, and all the other things you'd naturally do if you let someone you didn't trust change the settings on your computer.
"Miasma" (who?): The Settings Panel asks if you'd like to open your cam to the site you visit. That's pretty clear. If you don't want to, you click "deny". If you have questions, you click the question mark.
You have to explicitly grant permission for anything to happen.
I can appreciate your saying this is unclear, but I'm not certain what you suggest as possibly being clearer...?
(Masses of text don't cut it... the idea is to get to the idea simply and transparently. This is particularly important in a multi-language and multi-agegroup interface such as a web player.) jd | 11.30.02 - 1:22 pm
>
I wouldn't go quite so far as to say the latter is "past" the former. More like: another dimension of the same root concern.
I am intrigued by how the hypothetical case I offered above involving my 10-year-old kid turns into this: "If you give people you don't trust access to your computer..." Clearly you are choosing to re-purpose the example with an eye to shifting the burden of responsibility onto twits like me. Guns don't kill people, etc...
Clearly, if I foolishly "give" such access to untrustworthy sorts (like my kid) then I deserve all the surveillance I get - is that about right?
You have given copies of Flash to nearly half a billion machines (1) around the world. When one downloads Flash 6, there is not a single stitch of information (2) suggesting that this adds two-way audio/video capabilities to one's PC. There are known and well publicized risks and vulnerabilities (3a) with Flash (3b). Yet, despite all of the above, if I forget to check the settings after my kid has used the machine, I am responsible, because I gave access to person or persons I ''don't trust.'' Do you not see that you are attempting to shift the fulcrum of responsibility onto the end user, who in most cases doesn't even know your software has this capability? It seems even your own developers are not even apprised of it! (4)
