Should this be the end for Flash in government?
- By Amanda Ziadeh
- Sep 02, 2015
The general consensus on the continued use of Adobe Flash Player to view web graphics and videos is “the end is near” -- recent announcements that Amazon will no longer accept Flash ads and that Google Chrome will no longer allow autoplay were the latest signs of slippage. Yet some government agencies still have Flash on their sites, despite security and browser-based concerns.
Even amidst an “Occupy Flash” movement to end the plugin altogether, some agency sites still require Flash to view graphics, video tutorials, front-end web applications, animation, interactive simulations, photo galleries and video tours.
NASA , for example, uses Flash for its navigable simulators like Home and City, Rocket Science 101, 3D Virtuality and Launch It.
Similarly, the National Institutes of Health uses Flash for video-casting and features like Tox Town, a virtual tool where users can explore how wildfires, toxic chemicals, droughts, storms and floods affect different parts of the country. Flash also can be found on DisasterAssistance.Gov and some pages of the websites for the Department of Homeland Security and the Centers for Disease Control and Prevention.
Security concerns -- along with Flash’s incompatibility with mobile, speed and browser inefficiencies, and the growing use of HTML5 and Java -- are strong factors in the move away from the once-dominant solution.
Because Flash is a browser-based plug-in, vulnerabilities and holes can be exploited by hackers to access end-users' machines. One solution would be to install updates by Adobe that “block” known vulnerability holes, but zero-day bugs were found as part of the three hacks in Adobe’s Flash Player browser plugin earlier this year.
The FBI’s cyber division released a memo in mid-July outlining a threat in which an email phishing campaign targeting U.S. government agencies contained a link that exploits Adobe Flash vulnerability CVE-2015-5119.
Such zero day exploits create the perfect storm for government security teams when they make checking personal email unsafe, according to Ken Westin, security analyst for software company Tripwire. “Accessing personal email becomes a greater risk,” he said, "especially if the attackers know these personal emails, which is not difficult information to gather."
In light of these vulnerabilities, some browsers disable and block the use of certain Flash Player versions altogether, or prevent them from automatically running -- rendering Flash-friendly sites inconvenient or entirely unusable for some visitors.
Vision Internet, a website development and software provider for local government agencies, steers clear of Flash with its designs for these very reasons.
“We have cautioned our local government clients about using Flash for many years,” said Ashley Fruechting, Vision Internet's senior director of marketing and strategic partnerships. “Flash is notoriously susceptible to hacks ... and has become increasingly known for causing site performance issues.”
Security is not the only concern: As all levels of government redesign websites to prioritize mobile device compatibility, Flash is increasingly left out.
Flash does not work on Apple iOS, and though it is available on Android devices, its "weight" and rendering processes can drain mobile phone and tablet batteries.
NIC, an e-government service provider, discourages the use of Flash due to its incompatibility with mobile, and has not used the plugin for at least three-and-a-half years.
“Since we’re a mobile-first development shop, we really focus on HTML5 as a viable option for us, and what we deliver to our government,” said Jeff Shaw, NIC's vice president of information and technology.
NIC handles digital development for a number of state websites, and every site it delivers is made to be compatible with mobile, contributing to Flash’s demise. “We recognize – and are trying to get the government to also recognize – that the push is for us to move to mobile first because that's what everyone is starting to use,” Shaw said.
Fruechting agreed. Flash’s "well-documented issues with Apple products meant it just wasn’t a practical solution," she said, "especially when there are so many other approaches that allow clients to achieve visually impactful sites that are still mobile-friendly.”
Simplicity and speed
Flash’s propensity to bog down browsers makes websites heavier and slower when the plug-in is active -- creating usability issues even when battery life is not a concern.
"There are no remaining uses for Flash in government,” said Mike Migurski, Code for America's chief technology officer. “We’ve advanced the state of simple, clear and fast web design that’s natively accessible, 508-compliant and doesn’t depend on outside consultants to deliver and deploy."
And while not every developer is as absolute as Migurski, most sites and designers building them are indeed leaning toward HTML5 and Java as a Flash alternative.
HTML5 and Java
Once web browsers were able to adopt digital-rights management for HTML5, a new, practical option was available for streaming video and audio. HTML5 also uses an easier programming language than Flash’s proprietary language, making it easier for technology specialists to understand.
While some predict the coming end of Flash all together, Adobe and Google’s Project Zero are working to continue updating Flash with mitigation techniques to patch holes and relieve zero-day vulnerabilities.
For government agencies, however, the shift towards mobile design and enhanced security efforts could mean that Flash is quietly -- and quickly -- exiting the public sector.
Amanda Ziadeh is a former reporter/producer for GCN.