One of my readers, Jonathan Hirshon, sent me this email after he accidentally right-clicked on a Flash ad that happened to sneak past his ad filter and grabbed its source URL…
> After checking Macromedia’s online privacy manager on my iMac, I was horrified to learn that Flash 7 (and presumably 8) gives advertisers the option to not only capture data from your mic or video camera – but to also store data separate from your cookie files that can be read by macromedia.com (and presumably its advertisers, though I am unsure of this last point). Click the 4th tab on the privacy manager and check the ‘Website privacy settings’ and see what sites you have visited that have already stored info on you and whether they have the ability to remotely access your A/V equipment.
Now the big thing Macromedia will say, well it's in our privacy manager and we are not hiding anything from you. The tiniest of tiny fine print like that is most often never read by consumers. I think we need someone like Eliot Spitzer to step up and make the big tech companies spell this out in clear and plain English, in big bold letters.
18 thoughts on “Does Macromedia Flash infringe privacy of its users?”
This has been a feature in Flash for years. Nothing new and it just allows for stuff like Odeo’s upcoming podcasting application.
even so jon, this is a bit of news to me. i had no idea that the information (from my computer) was so easily shareable. they should have been more upfront about it. i am not sure i will use Odeo because of those reasons.
Chill out dude… The flash soapbox items (the equivalents of cookies) that are stored by a flash movie loaded from domain.com are only accessible from the same domain.com (not even from *.domain.com) under default settings. And yes, this has been there since flash 6.
All possibly true – but I for one just learned about this now and was horrified to learn that some website could remotely access my webcam and mic. Sure, it might be old news to some – but I think the vast majority of users know NOTHING about this.
Cookies aside, can you imagine a virus or worm that somehow rejiggers your settings so a remote hacker can turn on your webcam or mic at will – the possibilities for that kind of privacy invasion should scare anyone!
Macromedia should put it in big, bold words during the install process that websites have the ability to remotely access your A/V hardware and GIVE YOU THE OPTION TO PERMANENTLY SHUT THAT DOWN.
Some people may have a need for this, and power to them – but the vast majority of people don’t, and Macrodobe should really be upfront on this one, IMHO.
I read your blog regularly, and really enjoy your work. With that said, I really think you've missed the boat on this entry, and are misrepresenting the security vulnerability of Flash. The flash player cannot access your mic or vid cam without you first granting permission. When a flash app is built so that a user can communicate with someone else, such as with a video or audio conference, users who join the conference grant permission, or allow the session to engage their video cam and mic. Macromedia, or the flash developer can’t sneak in and take control of your camera or mic.
Unplug the camera when you are not using it, same for the mic.
There, problem solved, and we did not need some government regulation.
BTW: did you know your phone’s mic is always live and can be used by the police to listen in on you?
“i had no idea that the information (from my computer) was so easily shareable.”
It isn’t — a quick web search on terms like “site:macromedia.com webcam privacy” will turn up info without frightening the horses.
Recap: Two-way live video communications were added to the Macromedia Flash Player in March 2002. The default is no access unless you explicitly click otherwise. The only problem I’ve seen in the past 3.5 years has been a similar under-researched A-lister scare back in Dec02.
If you ever have a privacy or security concern with Macromedia technology, then it would be to everyone’s interest to have it addressed:
“Now the big thing Macromedia will say, well it's in our privacy manager and we are not hiding anything from you.”
No need to hypothesize or project — if you can’t research it on your own then checking in beats making up quotes.
Shame on your rebuttal and the company you work for. It is disgusting to think you would reply with such gibberish. The fact is, ADOBE/FLASH HAS CROSSED THE LINE. Having ANY hooks that would allow access to my Microphone or Camera or store information locally WITHOUT MY DIRECT CONSENT (ever thought of OPT IN, versus having to OPT OUT!!), is nothing short of dishonest and plain WRONG!
The best is making users GO TO YOUR WEBSITE to make changes to flash settings? Don’t get me started. It’s wrong, and you are getting away with it for the time being but more and more people are becoming aware of the spyware practice of Adobe and the like.
those are not quotes, but you turn them into quotes. you know what i never found those security and privacy alerts because the damn software came bundled with the computer and believe it or not, i had no idea about this issue till it was brought to my attention.
Also John you miss the point, the idea here is to make simple and clearer. JD makes fun of A-listers who picked up on it, but then as a company you never made it easier for folks to figure this out. My big problem is that companies like Macromedia don’t explicitly state privacy and security policies in plain English, in big type, that normal human beings can understand.
Om, I thought you had a clue about technology, but this post shows you clearly don’t. The Flash video and audio is opt-in and this post is just sensationalist. I thought journalists were supposed to do research before they wrote. Oh, wait, this is just a blog, so why bother getting your facts straight.
And Jon, please tell us you have something more important to worry about in your life. No hacker wants to watch you as you browse the various pr0n sites…
Just to clarify, the “Flash cookies” referred to above (actually called Local Shared Objects) are basically like browser cookies. They cannot be read across domains (so for example, Macromedia can’t read “cookies” from Yahoo).
The default is to allow them (the same as the default settings for cookie access in browsers), but users can disable or restrict them.
As far as web cam / microphone access, Flash content can only access them if users explicitly allow it at runtime. Access can also be permanently disabled (on a global or per domain basis).
More info here:
Hope that helps clarify what is actually possible.
As far as how we present this information / settings to users, we are open to any suggestions. We take both security and privacy very seriously, and have tried to set the access restrictions with this in mind.
It is users like you that make it harder for the rest of the people in the world who have a clue about what they are talking about.
You probably believe the government is honest too.
The fact is, EVERYTHING should be disabled by DEFAULT. The fact is, YOU SHOULD NOT HAVE TO GO TO A WEBSITE TO CHANGE YOUR SETTINGS FOR LOCALLY INSTALLED SOFTWARE. That in and of itself is an invasion of privacy. Which sites I choose to allow or deny? What my setting preferences are?
People like you completely miss the point. The mere fact that when you go to adobe’s site, they have a list of all your sites you visit etc. (as shown when you go to change your global settings), is NOTHING SHORT OF AN INVASION OF YOUR PRIVACY AND SPYWARE. IT IS SPYWARE. Plain and simple.
Hmm, that’s odd, last night’s comment didn’t take…
Like Mike added, “simple and clearer” is a constant goal. The issue here is a highly-linked weblog author not doing even a basic web search, making things more complex and occluded.
(I didn’t “make fun” of a-listers so much as note previous times they’ve created issues by not checking rumors before publicizing them.)
There’s no lasting harm done this time (few links), but I would earnestly entreat you to do a little more research on a story — at least some quick searches — before promoting an idea, thanks in advance.
i had dropped in a note to your pr department to counter check the email. still have not heard back. you know, that is the reason it was posed as a question. i asked the question, now we have an answer. the difference between a story and a blog post – we have a conversation. so everyone had their say in it, and we know what’s what. that’s all.
Funny coming across this discussion. Seems like foreshadowing to me…
“A vulnerability in Macromedia Flash Player 7 has been identified that could allow the execution of arbitrary code.”
All this was news to me too even though I have worked with Flash in the past. The flipside of all this better connectivity is some hacker will find a way to exploit it. Unplugging your gadgets when not in use, and checking all your programs with a fine-tooth comb may have to be standard procedure soon enough…
Ignorant stuff like this posted on your site really lets the world know what a DUMBASS you are, thanks!