December 26, 2007
@ 05:21 PM
Comments [13]
The Facebook Effect: Google Reader Violates User's Privacy

There is a post in a Slashdot user Felipe Hoffa's journal entitled Google Reader shares private data, ruins Christmas (alternate link) which contains a very damning indictment of the Google Reader team. It all starts with the release of the Sharing with Friends feature which is described below

We've just launched a new feature that makes it easier to follow your
friends' shared items in Google Reader. Check out the announcement on
our blog:
http://googlereader.blogspot.com/2007/12/reader-and-talk-are-friends....

The short description of it is this: If any of your friends from
Google Talk are using Reader and sharing items, you'll see them listed
in your sidebar under "Friends' shared items." Similarly, they'll be
able to see any items you're sharing. You can hide items from any
friend you don't want to see, and you can also opt out of sharing by
removing all your shared items. For full details, check out the
following help articles:
http://www.google.com/support/reader/bin/answer.py?answer=83000
http://www.google.com/support/reader/bin/answer.py?answer=83041

This is still a very experimental feature, so we'd love to hear what
you think of it.

Unsurprisingly, there has been a massive negative outcry about this feature. The main reason for the flood of complaints (many of which are excerpted in Felipe Hoffa's journal) is the fact that the Google Reader team has decided to define "friends" as anyone in your Gmail contact list.

On the surface this seems a lot like the initial backlash over the Facebook news feed. Google Reader users are complaining about their Gmail contacts having an easy way of viewing a list of feeds the user had already made public. I imagine that the Google folks have begun to make arguments like "If Facebook can get away with it, we should be able to as well" to justify some of their recent social networking moves such as this one and Google Profiles.

However the Google Reader team made failed to grasp two key aspects of social software  here:

  1. Internet Users Don't Fully Grasp that Everything on the Web is Public Unless Behind Access Controls: To most users of the Internet, if I create a Web page and don't tell anyone about it, then the page is private and known only to me. Similarly, if I create a blog or shared bookmarks on a social bookmarking site then no one should know about it unless I send them links to the page. 

    As someone who's worked on the Access Control technology behind Windows Live sharing initiatives from SkyDrive to Windows Live Spaces I know this isn't the case. The only way to make something private on the Web is to place it behind access controls that require users to be authenticated and authorized before they can view the content you've created.

    The Google Reader developers assumed that their average users were like me and would assume that their content was public even if it had an obfuscated URL. The problem here is that even if it was "technically" true that Shared Items in Google Reader were public although with an obfuscated URL, the fact that there was URL obfuscation involved implies that they realized that users didn't want their Shared Items to be PUBLIC. Arguing that the items were "technically" public and thus justifying broadcasting the items to the user's Gmail contacts seems dubious at best.

  2. Friends in One Context are not Necessarily Friends in Another: The bigger problem is that the folks at Google are trying to build a unified social graph across all their application as a way to compete with the powerful social network that Facebook has built. I've previously talked about the problems faced by a unified social graph based on what I've seen working on the social graph contacts platform for Windows Live. The fact that I send someone email does not mean that I want to make them an IM buddy nor does it mean that I want them to have access to all the items I find interesting in my RSS feeds since some of these items may reveal political, religious or even sexual leanings that I did not mean to share with someone I just happen to exchange email with frequently.

    Deciding that instead of having GTalk IM buddies, Gmail contacts, and Google Reader friends that users should just have Google Friends may simplify things for some program managers at Google but it causes problems for users who now have to deal with the consequence of their different social contexts beginning to bleed into each other. Even though Facebook is a single application, they have this problem with users having to manage contacts from multiple social contexts (family, friends, co-workers, etc) within a single application let alone applications with extremely different uses.

My assumption is that the folks at Google Reader will put in a some time over the weekend and will add granular privacy controls as recommended by Robert Scoble. I also predict that we will see more ham fisted attempts to grow their social graph at the expense of user privacy from various large [and small] Web properties including Facebook in 2008. 

In the words of Scott McNealy, "Privacy is Dead. Get Over It"


 

Categories: Social Software
Tracked by:
"how to sell a home fast" (how to sell a home fast) [Trackback]
« Congratulations to Justin Rudd | Home | RSS Bandit v1.6.0.0 Released »
Wednesday, 26 December 2007 18:10:11 (GMT Standard Time, UTC+00:00)
Really, the major difference between this and the Facebook Newsfeed controversy is that Newsfeed only made it easier to access information that was ALREADY FULLY AVAILABLE. Whereas Google is making non-available information available.

I still fail to understand why Newsfeed was so controversial.
pwb
Wednesday, 26 December 2007 19:19:53 (GMT Standard Time, UTC+00:00)
Well I've noticed that anyone I've ever been in a three way discussion with by way of a list I am subscribed to that has a gmail address is automatically in my contacts. Actually I suppose it applies to other addresses to but I've noticed it with Gmail because those contacts are marked as being online or not.
bryan
Wednesday, 26 December 2007 20:35:49 (GMT Standard Time, UTC+00:00)
"the fact that the Google Reader team has decided to define "friends" as anyone in your Gmail contact list."

That's been widely reported, but that's not what the Google Reader blog says. It says "we've linked up Reader with Google Talk (also known as chat in Gmail) to make your shared items visible to your friends from Google Talk."

http://googlereader.blogspot.com/2007/12/reader-and-talk-are-friends.html
Swashbuckler
Wednesday, 26 December 2007 21:53:40 (GMT Standard Time, UTC+00:00)
One thing I think everyone keeps forgetting is that it is not the case that all GMail contacts automatically see your shared items feed.

It's only contacts that you've accepted a request to chat with through Google Talk. Below are all the stars that have to align for someone to see your feed:

- You must use Google Reader
- You must share items to a _public_ feed through Google Reader
- You must have GMail Contacts
- You must use GTalk
- You must have accepted a request from those GMail contacts to chat with you through GTalk.

Seems like an awful lot of work to share with someone to be considered a gross misuse of your "private" public shared items feed.

I agree, there might be some situations where someone who you've chatted with might be able to see your already PUBLIC feed of shared items. In that case, don't share items or remove them from your GTalk buddies **they can still remain a contact in GMail.

Maybe someone will set me straight with something I'm missing, but I'm just not in agreement that this is an issue.
Jim Fiorato
Wednesday, 26 December 2007 23:13:38 (GMT Standard Time, UTC+00:00)
Jim and Swashbuckler,
I'm not sure whether they are people you've emailed vs. people you've IMed makes a difference. The key issue still remains that Google retroactively changed the semantics of a feature in a way that had people who had created/shared data in one context having it revealed in another.

If I'm creating bookmarks of NSFW images at Fark and sharing them with college buddies, does it really matter that Google suddenly started broadcasting them to email contacts vs. IM buddies? The fundamental issue is that what I "assumed" was private is now being made very public to people who's relationship to me doesn't extend to that kind of behavior.
Dare Obasanjo
Thursday, 27 December 2007 02:20:47 (GMT Standard Time, UTC+00:00)
"I'm not sure whether they are people you've emailed vs. people you've IMed makes a difference."

It does to me. I email people all the time, I've NEVER chatted with someone using Google Talk.


"The key issue still remains that Google retroactively changed the semantics of a feature in a way that had people who had created/shared data in one context having it revealed in another."

Agreed. However, I'd be willing to bet that the number of people someone has IM'd using Google Talk is significantly less than the number of people someone has emailed using GMail. Thus, the exposure isn't as great as many are making it out to be.
Swashbuckler
Thursday, 27 December 2007 02:36:19 (GMT Standard Time, UTC+00:00)
Swashbuckler,
>It does to me. I email people all the time, I've NEVER chatted with someone using Google Talk.

Given that you aren't an IM user, it seems you aren't really in the best position to judge whether revealing a user's [originally] private list of subscriptions to their IM buddy list is a gross privacy violation or not.

>However, I'd be willing to bet that the number of people someone has IM'd using Google Talk is significantly less than the number of people someone has emailed using GMail. Thus, the exposure isn't as great as many are making it out to be.

You seem to be arguing like a mathematician. When it comes to privacy issues, I doubt that John Doe is mollified that his shared links which contain various posts from the Suicide Girls are "only" going to his mom, girl friend and immediate coworkers that he has on his IM list instead of the random people he is on various mailing lists with that are his email contacts.
Dare Obasanjo
Thursday, 27 December 2007 03:45:38 (GMT Standard Time, UTC+00:00)
The semantics of the feed were always public, nothing any more restrictive than that. It has said "Your shared items are Publicly accessible" on the shared items page prior to this feature being released.

What happens when someone down the road says the same thing about RSS Bandit? What if you add some feature to it in version 2.0 that just makes something already public, more publicly accessible? The Twitter feature for instance.

The whole argument doesn't make sense. It's a public feed. People getting upset that it's now public in a different way seems odd to me. If you've been using it for a private feed, then that's the problem.

We've been asking the for open social networking, starting with something that is already public seems reasonable to me.

I think this feature had a lot of potential, and it's a shame we killed it.
Jim Fiorato
Thursday, 27 December 2007 08:07:40 (GMT Standard Time, UTC+00:00)
"Given that you aren't an IM user"

I didn't say I wasn't an IM user, I said I didn't use Google Talk. I use IM all the time.


"it seems you aren't really in the best position to judge whether revealing a user's [originally] private list of subscriptions to their IM buddy list is a gross privacy violation or not."

Do YOU use Google Talk? If not, then perhaps you aren't in that best position either.


"You seem to be arguing like a mathematician."

I am. Google made a mistake. Nevertheless, the risk isn't as large as some people are making it out to be because the exposure is being misreported.

Btw, companies make decisions mathematically all the time. Say, oh... I don't know... Microsoft might just decide to work on a lower exposure but more widespread problem because it's more widespread. That's not going to necessarily comfort those few that do encounter the more serious problem.
Swashbuckler
Thursday, 27 December 2007 12:13:36 (GMT Standard Time, UTC+00:00)
I think you're missing two key points. First, the average user of the Internet is very different from the average tech blogger or Microsoft employee. Average users want features to be easy to use and not hidden behind a series of user controls. Despite the outcry of the vocal minority, Google implemented the Share function in a transparent and easy to understand manner. Second, no one is forced to use the Share feature. To use your example, if you wanted to share NSFW images from Fark or any other site, you could email them directly from Reader.
Anjuan
Thursday, 27 December 2007 13:09:07 (GMT Standard Time, UTC+00:00)
If you haven't seen it already:
http://googlereader.blogspot.com/2007/12/managing-your-shared-items.html
Jim Fiorato
Thursday, 27 December 2007 13:48:07 (GMT Standard Time, UTC+00:00)
You said "...the fact that there was URL obfuscation involved implies that they realized that users didn't want their Shared Items to be PUBLIC..."

Actually, that's not how the 20-digit IDs in URLs came about. The most straightforward (and friendly/discoverable) thing was to put the Google Account username there (e.g. mihai.parparita for me). Unfortunately this meant that we would be leaking email addresses, which would have been a great target for spammers to harvest.

At the time we were working on the sharing feature in mid-2006, Google Accounts did not support the ability to add additional usernames (i.e. aliases in the same namespace but not tied to an email address) to your account. In the meantime, this capability has appeared, and some Google products (e.g. Picasa Web) are using it. I'm sure using it is somewhere on our to do list.

Mihai Parparita
Google Reader Engineer
Mihai Parparita
Friday, 28 December 2007 21:35:20 (GMT Standard Time, UTC+00:00)
Regardless of the purpose behind creating the obfuscated URLs, said obfuscation _acts_ like an encryption key - technically "in the open", but near impossible to guess in practice.
nordsieck
Comments are closed.