Feeds

Google borrows Facebook's privacy manual

What's behind the latest cockup?

Protecting against web application threats using SSL

Google can count itself fortunate that a serious privacy storm it caused took place in the run up to Christmas - when world+dog was otherwise occupied. By altering the behaviour of one of its web-services, Google ran foul of its own Privacy guarantee - and continues to violate it.

Here's what happened.

In 2005 Google introduced a web-based RSS reader, in response to the popular and well-regarded Bloglines. Like Bloglines, Google's Reader service permitted users to share their feeds with a selected group of friends.

On December 14, this all changed. Google permitted anyone in your Google contact book to see your "shared" list. Passing acquaintances, employers and spouses were now able to read a user's RSS inbox.

Google cheerfully explained the change here, with the advice, "happy sharing!"

There was no option to opt-out of the "feature" - all Google Readers users were opted in by default.

"People on my contact list are not necessarily my "friends". I have business contacts, school contacts, family contacts, etc., and not only do I not really have any interest in seeing all of their feed information, I don't want them seeing mine either," responded one user. "This is a major privacy problem."

Other users pointed out that Google had violated its own Privacy Policy, which reads:

Send the link to your friends and family, and they'll be able to read what you've recommended. They can bookmark your page in their browsers for easy access, and they can even subscribe to it in Google Reader."

"This feels like a decision made by some 23 year old Google employee who thinks everyone wants to be on the latest social networking craze that all of his friends like," wrote another user.

Google responded that the data had always been "shared" - only previously, the URL was obfuscated. As you'd expect, this only made things worse.

So Google both changed the rules mid-game, and opted everyone into the change: two aspects of Facebook's notorious creepware advertising program Beacon. All your Facebook "friends" could now see what you'd bought through affiliate merchants, such as Amazon.com and eBay. This was beautifully encapsulated by GMSV's headline - "Honey, that jewelry and lingerie purchase you just made better be for me or you’re dead meat"

The philosophy of Creepware

What is frequently overlooked in such instances is the deliberation behind the decision. The poster quoted above suggested naivety and herd instinct were behind the "23 year old" Google employee's decision. But there's a creepy consistency to these serial privacy violations that is very evident to us - if not the developer who implements it. To see it, you have to look at the bigger picture, into the Hive Mind hooey of Web 2.0.

Wired sub editors smuggle through a spoof (February 2000)

Life now imitates parody

What happens after such an incident is that the company in question is typically forced into an apology, regrets "causing offence" (but rarely the decision itself), and the issue is forgotten.

Then it tries again. And again.

Yet these are not accidental decisions - and they follow a disturbing pattern. For example, it's now customary for the media to refer to AOL's release of anonymized search logs last year as a "leak". But this is incorrect; you may recall this was no accident, it was a quite intentional - a gift to the Web.

Reducing the cost and complexity of web vulnerability management

Next page: A modest proposal

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.