November 08, 2007

Cross Silo Scripting exploits?

Tim O'Reilly says, "We want applications that can use data from multiple social networks." I think we should be careful what we wish for. Yes, it would be easier to write an application if you could use data from any proprietary silo. But what happens next? How would bad people take advantage of that well-intentioned ability?

We've had a decade of Cross Site Scripting exploits in HTML browsers, as one site tries to peek at the data of another. The early creators of JavaScript were well-intentioned, but not all people who later employed those abilities were quite so kindhearted.

The whole "Open Social" discussion this month has had a strong dose of developer-centric myopia... as people creating such technology, we have an ethical responsibility to ask the question "What happens next?" Email fell prey to spam, ActiveX fell prey to malware, even fax, telephone, and post were abused in ways their creators never visualized. The public has a great stake in how technology evolves. It's not enough to say "I want to build it"... we really have to ask what happens after we do.

Posted by JohnDowdell at November 8, 2007 03:25 AM

Comments

JD--

This is an interesting article and of issues that I have been mulling lately, particularly as a result of discussions that have occurred regarding ECMA standards and implementations or lack thereof.

I am starting to think that stepping away from browser dependency for Internet communication, under certain types of content/application, makes a hell of a lot of sense, e.g. to use stand alone Adobe AIR applications.

What has me concerned is the level of implicit trust that must be borne, often unknowingly, by the end-user of any stand alone RIA.

The last thing that needs to happen is that a few stand alone apps get out there with read/write access, create havoc and establish mistrust for this technology.

How can or will Adobe help small developers/clients establish trust within AIR apps before mistrust/misuse can happen?

Thank you very much.

Posted by: thacker at November 8, 2007 01:58 PM

Hi, I think the issues of client app integrity are as important as those of serverside data integrity... different, but both important.

For AIR, we've got to hammer on the idea that you should only install applications from people you trust. It's not like a webpage, where the browser offers relatively few privileges and you can bop into a stranger's site. AIR makes desktop apps, with filesystem access, and you can't download these willy-nilly from strangers.

Security issues were important to settle in the 1990s. We didn't resolve them then, and people have paid the price since. Privacy issues are the significant issue in this decade, and I'm not sure we're accurately recognizing data implications yet either. Worrying.

Posted by: John Dowdell at November 8, 2007 02:40 PM

These issues are complex, and are exactly why we don't have a 'connect every social network together' policy in the current OpenSocial model. If people have an established trust relationship with a social network service, and a sense of community there, OpenSocial lets 3rd party app developers tap into that instead of trying to implement their own social network, or to import everything into their own world.
The de facto interop model at the moment is 'give me your webmail username and password and I'll import your friends into my site' - while you can trust some apps to do just what they say, the Quechup fiasco shows that this isn't really a model that scales. With social networks you can't just leak your own data; you can accidentally leak that of your friends. A goal within OpenSocial is to only give the apps the access they actually need, not full read/write access by default.

Posted by: Kevin Marks at November 9, 2007 03:57 PM

Thanks Kevin. I appreciate what you're saying. This was what I was trying to understand with OpenSocial last week -- whether Google had a way to harvest data from other social networks. This seems to imply that it does not.

It's interesting that Tim wants more developer abilities, which risks damaging consumer privacy. You're caught in the middle here, eh?

If anything, I'd urge supreme caution in what we enable with data transfer. As with last decade's security issues, it's hard to stuff the genie back in the bottle. We've got to think -- hard! -- about ways people might abuse data transfer before enabling processes which might later be abused.

Posted by: John Dowdell at November 9, 2007 09:19 PM

JD--

Thank you for asking the hard questions.

------

In my view, security and privacy are both synonymous and both are issues that are still not being fully addressed, at least, given substantial priority.

Adobe with its AIR platform is in a unique position for re-establishment of both not only the platform's [associated runtimes and frameworks] ability to set security and privacy as a priority but to also establish Adobe culture as being hard-core about security and privacy.

The AIR platform has tremendous potential to allow Internet communication to break out away from browser dependency and the volatility of standards evolution.

Trust level of any application, from a consumer's perspective, is tied directly to brand awareness. Assumption is made that a brand that qualifies is knowledgeable about producing a quality application. For example, BMW engineers an excellent automobile but engineers a lousy Web site. I would not trust BMW to engineer a tied-down AIR application but the consumer would.

Additionally, without better security and privacy levels present within development that can be efficiently communicated to the end-user by the platform and runtime, the practical use of AIR by smaller businesses is limited.

Adobe has one very small son of a bitch who would love to integrate AIR as a primary platform for Internet communication. As it stands and in good conscience, I simply cannot.

Posted by: thacker at November 11, 2007 06:20 AM