Reading Other People's Gmail Via Bloglines
Using Bloglines to snoop on people’s private Gmail from Martin Belam looks
at how he accidentally stumbled upon email feeds that individuals are posting to
Bloglines. To be fair, it’s an issue that could happen to any "private" feed
that someone unknowingly shares to the public.
Gmail allows people to get a feed of their email, as covered in
pages. That lets you see the subject of your emails along with short
descriptions. But even this small amount of information might be too
embarrassing for some people to have made public.
How would those summaries get made public at all? In the case Martin looks
at, people are adding their Gmail feeds to Bloglines but leaving those feeds
public for others to view. That’s how he stumbled upon them.
Google does warn about this, but he thinks the warning could be more visible.
Perhaps — but it’s also worth keeping in mind that using an online news reader
means you need to carefully consider ANY feed you take and whether those
settings are public or not.
Postscript From Bloglines:
Bloglines is committed to online privacy and we take our role in this effort
seriously. I’d like to help correct some of the misconceptions and explain how
Bloglines privacy works in regards to both search and feeds as well as how to
use Bloglines properly to generate secure feeds.
The main issue at hand is the appearance of Gmail accounts in Bloglines and a
user’s ability to subscribe to these feeds (or search for posts from these
The examples displayed were actually Gmail accounts registered through a
third party (Feedburner) and then subscribed to within Bloglines.
Bloglines actually provides HTTP authentication for secure feeds. When this
method is used, Bloglines secures the feed so that it cannot be searched on or
subscribed to except by the owner of the feed.
However, when the user generates their feed through a third party like
Feedburner, the authentication portion has been removed from Bloglines’ control
and we have no way to identify and secure the feed. As a result the feed and
its previously secure data become public. Clearly this is a problem and we are
in contact with Feedburner and other third parties to help them better inform
and protect their users.
The other issue is the definition and understanding of "private" feeds within
Bloglines. Marking a feed as private in Bloglines only hides the feed from your
public blogroll and your identity from the feed’s list of subscribers. We try to
make this clear to Bloglines users by prominently displaying the following note
during the feed subscription process:
"Private subscriptions don’t show up in blogrolls and you will not be listed
as a public subscriber. However, the feed and all its posts will remain
available to the public via Bloglines and Ask.com Blog & Feed Search. Exceptions
are Bloglines email subscriptions and feeds that require http authentication. In
both cases, the feed and its posts will not be included in search results."
This issue has reminded us that there is still some confusion about privacy
in the world of feeds. We recognize that a better system of limiting access to
feeds is needed as more content becomes syndicated or syndicatable. We have been
leading the effort to build new safeguards into syndication standards and are
hopeful that some type of Feed
Access Standard will provide further security for users and their feeds.
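
The exposure path described in the postscript, reproduced on localhost as an added example (not code from Bloglines, Feedburner or the original post): a feed that demands HTTP authentication is re-served by an intermediary, and a fetch with no credentials shows which URL is still protected. The `Origin` and `Republisher` servers, the credentials and the feed body are constructed, and the intermediary fetching with stored owner credentials is an assumption.

```python
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

FEED = b"<feed><entry><title>constructed subject line</title></entry></feed>"
CREDS = "Basic " + base64.b64encode(b"owner:constructed-password").decode()
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass proxies

class Quiet(BaseHTTPRequestHandler):
    def reply(self, status, body=b""):
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="feed"')
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # silence per-request logging
        pass

class Origin(Quiet):  # feed source that demands HTTP Basic authentication
    def do_GET(self):
        ok = self.headers.get("Authorization") == CREDS
        self.reply(200 if ok else 401, FEED if ok else b"")

class Republisher(Quiet):  # holds the owner's credentials, re-serves with no check
    origin_url = None  # set by demo()
    def do_GET(self):
        req = urllib.request.Request(self.origin_url, headers={"Authorization": CREDS})
        self.reply(200, OPENER.open(req, timeout=5).read())

def serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}/feed"

def feed_exposure(url):
    """Request the feed with no credentials, as any crawler or subscriber would."""
    try:
        with OPENER.open(url, timeout=5) as resp:
            return "public" if resp.status == 200 else f"unexpected {resp.status}"
    except urllib.error.HTTPError as err:
        challenged = err.code == 401 and err.headers.get("WWW-Authenticate")
        return "protected" if challenged else f"unexpected {err.code}"

def demo():
    origin = serve(Origin)
    Republisher.origin_url = origin
    republished = serve(Republisher)
    return {"origin": feed_exposure(origin), "republished": feed_exposure(republished)}

if __name__ == "__main__":
    print(demo())  # {'origin': 'protected', 'republished': 'public'}
```

Running `feed_exposure` against the exact URL you are about to paste into a reader, before subscribing, tells you whether that reader can treat the feed as authenticated at all.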