Why not block images from API if right-click turned on?
darryl
Registered Users Posts: 997 Major grins
Yes, we all know that right-clicking isn't true protection against downloading images.
But... if somebody is selecting it, isn't it reasonable to assume that they *don't* want somebody to download their images using RapidFetcher or WinDownload?
Couldn't (and shouldn't) the API return zero images for a gallery with right-click protection turned on?
This wouldn't break linking (although do people really right-click photos but leave linking on? That seems... odd.)
I just showed a friend who's a pro photog WinDownload, and she was mildly concerned that her photos could be so easily gotten. Not hugely so, since she only allows up to Medium and watermarks as well, but it surprised me too.
Thoughts?
BUT, I'm talking about API calls that SmugMug has control over. In this case, it's a program that's talking to SmugMug's API, and as such, SmugMug can reveal as little or as much information as they wish.
In this case, SmugMug could prevent the links to images in a right-click protected gallery from going back to the program making the API call for a gallery.
It seems to me that you wanted the public to see the small, watermarked, pictures or you wouldn’t have exposed them. You can always add a site or album password if you don’t want the public involved. You want potential customers to see the samples and then buy it. How does downloading them change that as long as they can find your web site should they want to buy it?
Am I missing something? Am I naïve?
Downloading images when the owner doesn’t want it was not the intended purpose of the program.
One objective was to allow my friends, family and sports team mates to download multiple pictures or entire albums, or sets of albums, without clicking on them one at a time or having to make lots of CDs and distributing them.
The other objective was to be able to easily find and download my (the owner's) originals for use in other applications (backup, slideshows, phones…).
I agree that with watermarking and small-sized images, my friend really shouldn't worry about extra exposure (and she doesn't, really). But the point is that right-click protection implies that the person *doesn't* want people downloading their photos.
If SmugMug blocked right-click protected images from API calls, then your objective to allow friends, family and sports teammates (or owners) to easily download images would not be affected, right?
But for professionals, they might have some assurance that at least it's a little harder for people to download their whole portfolio, etc.
It's true that users should *not* be lulled into a false sense of security since right-click protection can be worked around without much effort. But it doesn't make sense to me that the API wouldn't treat it the same as "no download".
Basically, I'm asking what is the scenario where an owner would right-click protect his photos and then need to allow the API to have access to those photos to non-owners?
Should WinDownload skip right-click protected albums?... let me sleep on that.
You shouldn't change anything Dsweet. SmugMug should.
I just don't see any legitimate use case for 3rd party application to ever need to download right-click protected albums.
Thanks for thinking about it though, and helping me flesh out my points.
Instead, I propose that if you make a public (not logged in as owner) call to smugmug.images.get for a gallery that has right-click protection turned on, no image locations (download URLs) will be returned.
I hadn't thought about the iPad/iPhone app scenario though. Hm...
When a user makes an album public and sets the right-click-protection, they are declaring that the public can view my images, but I don’t want the public to download them.
The downside to your proposal is that if no image locations are returned then the public can’t view the image; contradicting what the owner has specified. Let’s not throw the baby out with the bath water.
I think the API is appropriate the way it is. If an owner declares an album is public then it should be public. SmugMug has taken steps to make it harder to download “protected” (Public-protected-oxymoron) images through the SmugMug web interface, but they are still public. If an owner does not want the album to be public, then, as you know, SmugMug has provided many other ways to hide images and protect originals from the general public.
http://www.revellphotography.com/blog/2010/06/is-my-ipad-stealing-your-photo/
Apparently on Flickr if you set the account-wide option for "Who can download your stuff?" to "Only You", then the API does not allow programs to access the full-sized original file.
Now SmugMug is a lot more flexible, in that allowing full-sized originals and blocking downloads are gallery-specific options, but it seems to me that with respect to full-sized downloads for APIs, maybe they should adopt Flickr's approach.
Also, it occurs to me that if the API only denies access to full-sized originals, then Pearson's worry about displaying photos on the phone (using an iPhone app, for instance) really shouldn't be an issue, because the iPhone app (if written by a sane person) would not be downloading the full-sized original, because it wouldn't need that high-resolution of an image.
Thoughts, anyone?
If you want real protection, then limit the size of the gallery images that can be displayed on the web to something small and/or use watermarks. The SmugMug API respects both these settings as it should.
Homepage • Popular
JFriend's javascript customizations • Secrets for getting fast answers on Dgrin
Always include a link to your site when posting a question
You are of course technically correct.
But for the average user "Allow downloads" or "Protected" means what it says: Don't let somebody download my images. They don't want to think about watermarking, max-size, etc.
Can you give me some examples of SmugMug apps that would be broken if *Originals* (not any other size) were disabled based on the "Protected" flag?
Anyone using right-click protection and allowing originals has messed up their settings. That is not a combination that makes sense. Either you want your originals to be available or you do not. Adding right-click protection does not protect your originals. Never has. Never will. I can get to them in under a second (the time that it takes to type a -O onto the end of the URL).
For completeness here, I should mention that there are two forms of using the API, an unauthenticated session and an authenticated session. An unauthenticated session is available to anyone as it does not require any account credentials and it can access anything that you have configured your gallery settings to allow. An authenticated session requires valid account credentials and it can access originals even if the gallery settings do not permit public access to originals. This is so that tools meant to be used by the account owner can be built and so that partners that you authorize to access your account can get access to your images via the authenticated sessions.
Huh, I'd not thought of that. You're right. That combination of settings seems nonsensical. So much so that it begs the question why SmugMug allows it at all?
Yes. I'm only talking about unauthenticated sessions. I'd posit that most of the tools we're talking about (bulk downloaders) would be used by either Owners or friends/family of people explicitly trying to share originals.
It's not like AlbumFetcher or CLDownload are widely known outside of the SmugMug community.
Also, again, I'm talking about the API, not the website. While yes, you can add -O to get one original at a time, it's a whole other story when you're talking about enabling slurping up a full gallery of photos.
What other apps are you concerned that this would break?
I think the API is good. I think it enables interesting third party things. For example, one can write a client side JS script (no user credentials required) to automatically show photos in a blog, etc... I don't follow the community of apps that are out there to know what good comes from it or what would break if it was changed.
I just think right-click protection is no real form of protection and not really a security setting at all. It only prevents one particular access in a browser and doesn't prevent any of the other forms of access. As such, it's a browser presentation setting, not a security setting and therefore it should not control or influence what the API does or doesn't allow.
The API is correctly following the real security settings for a gallery (password, largest size available, watermarks, etc...) which are observed for all unauthenticated forms of access.
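The two positions argued in this thread, written out as server-side policy functions. This is an added illustration, not SmugMug's code or API schema: the field names, the size ladder and the sample galleries are constructed, and only the password and largest-size settings are modelled.

```javascript
// Constructed size ladder; "Medium" and "Original" appear in the thread, the rest are assumed.
const SIZES = ["Small", "Medium", "Large", "Original"];

function isOwner(gallery, session) {
  return session.authenticated === true && session.user === gallery.owner;
}

// Behaviour described in the thread: the API enforces password and largest size,
// and never consults the right-click flag (a browser presentation setting).
function currentPolicy(gallery, session) {
  if (isOwner(gallery, session)) return [...SIZES]; // authenticated owner sees everything
  if (gallery.password && session.password !== gallery.password) return [];
  const top = SIZES.indexOf(gallery.largestSize);
  return SIZES.slice(0, top + 1);
}

// The variant proposed in the thread (the Flickr-style rule): unauthenticated callers
// lose only "Original" when the gallery is right-click protected.
function proposedPolicy(gallery, session) {
  const sizes = currentPolicy(gallery, session);
  if (isOwner(gallery, session) || !gallery.rightClickProtect) return sizes;
  return sizes.filter((size) => size !== "Original");
}

// Constructed sample galleries (hypothetical field names).
const proGallery = {        // the photographer case: capped at Medium, protected
  owner: "pro", password: null, largestSize: "Medium", rightClickProtect: true,
};
const mixedGallery = {      // the "nonsensical" combination: originals allowed + protected
  owner: "fam", password: null, largestSize: "Original", rightClickProtect: true,
};
const lockedGallery = {     // a real access control: gallery password
  owner: "fam", password: "s3cret", largestSize: "Original", rightClickProtect: false,
};

const anonymous = { authenticated: false };
const owner = { authenticated: true, user: "fam" };

function compare(gallery, session) {
  return {
    current: currentPolicy(gallery, session).join(","),
    proposed: proposedPolicy(gallery, session).join(","),
  };
}

console.log(compare(proGallery, anonymous));   // identical under both policies
console.log(compare(mixedGallery, anonymous)); // differ only in "Original"
console.log(compare(lockedGallery, anonymous), compare(mixedGallery, owner));
```

The only gallery where the two policies differ is the one that allows originals and is right-click protected; a size cap or a password gives the same result under either.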