
Download Public User Data with Oink's Export Tool - cristinacordova
http://www.cristinajcordova.com/2012/03/oinks-export-tool-data-privacy-breach-download-the-data-of-any-user-5/
======
donohoe
Relevant piece for those who can't access the page:

    
    
    So, curiously, I tried replacing my username with Kevin Rose’s:

    http://oink-prod.s3.amazonaws.com/kevinrose-export.zip

    (go ahead, click it). You’ll get a zip file of every item he has ever added, rated or reviewed. You’ll also get every photo he has ever uploaded to Oink.

~~~
samstave
Looking at all the pics that Kevin has uploaded made me incredibly hungry. He
has eaten some nice looking meals.

------
HectorRamos
Twitter's privacy breach: read the timeline of any (non-Protected) user by
navigating to <http://www.twitter.com/{username}>

------
chime
Was Oink 100% public or were there private conversation/shares? If everything
on Oink was public (like a public blog or Twitter before direct messages),
then it doesn't seem like a big deal. It's just making it easier to snoop.
Otherwise, wow.

~~~
rickmb
Privacy is not about whether something is public or not. It's about being in
control of your data.

This is the fundamental misunderstanding that seems to be rampant especially
in countries like the US that lack basic privacy regulations.

Just because information was public, doesn't mean that using it in certain
ways without the permission of the person involved is not a breach of privacy.

I seriously doubt this was a type of usage Oink users _explicitly_ agreed to
(and no, burying such provisions in the small print doesn't make it legal).

~~~
Karunamon

> Privacy is not about whether something is public or not. It's about being in control of your data.
    

Um.. that's not what the word means. It's possible for you to not be in
control of your data but still have it be private, and vice versa.

Google: Define: Privacy

    
    
    The state or condition of being free from being observed or disturbed by other people.

    The state of being free from public attention.
    

That's what the dictionary says.

    
    
> I seriously doubt this was a type of usage Oink users explicitly agreed to (and no, burying such provisions in the small print doesn't make it legal).
    

Depends on how the site worked. For instance, look at Twitter - everything is
public by default unless you go to your profile and check a box that says
"Make my account private", and then nobody can follow you.

Are you saying it would be a breach of privacy for Twitter to provide a
zipfile containing all of my tweets I've ever made publicly? Which any person
could get anyways by searching @myname site:twitter.com ?

~~~
rickmb
Privacy has a way broader social and legal meaning than the dictionary
definition of the word.

Narrowing it down to a one-liner from a dictionary is not particularly
constructive.

And yes, I would say if Twitter did that, it could well be a breach of
privacy. It would almost certainly be a breach of the law in most Western
countries. Just because you have access to the data, doesn't mean you can just
do with it whatever you like without the consent of the owner. Once that zip-
file spreads, making the Twitter account private becomes pointless.

Why do so many people think copyright is something perfectly logical, but
privacy protection, which has much more to do with protecting the rights of
individuals, is something weird?

~~~
vibrunazo
> It would almost certainly be a breach of the law in most Western countries.

Twitter already lets you download someone's tweets in a .json file. Are you
saying that Twitter is almost certainly breaking the law? Or is it something
specifically evil with the .zip file?

We're not saying you should "just do with it whatever you like". What they're
specifically doing is making it publicly available. Which it already was,
because that's the definition of what public means. As the previous poster
pointed out.

Public domain is not protected by copyright. Most countries (though not all)
explicitly differentiate the laws of what's public and what's copyrighted.
Usually, both are mutually exclusive.

------
mef
Site seems to be down. Google cache
[http://webcache.googleusercontent.com/search?sourceid=chrome...](http://webcache.googleusercontent.com/search?sourceid=chrome&ie=UTF-8&q=cache%3Ahttp%3A%2F%2Fwww.cristinajcordova.com%2F2012%2F03%2Foinks-export-tool-data-privacy-breach-download-the-data-of-any-user-5%2F)

~~~
cristinacordova
sorry, trying to get it back up.

~~~
cristinacordova
It should be back up now.

~~~
drewinglis
It's still down for me. =\

~~~
cristinacordova
still seems I'm getting attacked by a single IP...

------
km3k
According to Oink's twitter account, "All of the data is and was publicly
available."

<https://twitter.com/#!/oinkapp/status/179981032416755712>

------
dolinsky
_update2_ - Apparently some usernames work and others don't

I believe his account is the only one that is made public. Obtaining a list of
usernames is as easy as a 'site:oink.com' search in google.

    curl -I http://oink-prod.s3.amazonaws.com/kevinrose-export.zip

    HTTP/1.1 200 OK
    x-amz-id-2: 9lLlixkcIypVbEIPzp7lmAT3gqwxFS3h99pdgnipW5aZVmhy422YA06OaMT7KOXd
    x-amz-request-id: E6D61A351A455807
    Date: Fri, 16 Mar 2012 17:23:28 GMT
    Last-Modified: Fri, 16 Mar 2012 17:22:17 GMT
    ETag: "799ee5f116bed2fac2893dda920a987a"
    Accept-Ranges: bytes
    Content-Type: application/zip
    Content-Length: 65492507
    Server: AmazonS3
    

    curl -I http://oink-prod.s3.amazonaws.com/thebucknutz-export.zip

    HTTP/1.1 403 Forbidden
    x-amz-request-id: D3BF734D33B46816
    x-amz-id-2: exsDFYH6AcczbNuZWnlFW86EO9SP8EpwMDSwx9dGjSl9A24f3jXBobTRgOw+XNrC
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Date: Fri, 16 Mar 2012 17:23:37 GMT
    Server: AmazonS3
    

_update_ - seems that she had some success with links last night. Looks like
they've fixed perms in the meantime.

[https://twitter.com/#!/cristinacordova/statuses/180708226696...](https://twitter.com/#!/cristinacordova/statuses/180708226696876032)

~~~
joliveira
Maybe that user is not available anymore or something else because if you try
to download cristina-export.zip it sure works.

~~~
dolinsky
Indeed it does.

    curl -I http://oink-prod.s3.amazonaws.com/cristina-export.zip

    HTTP/1.1 200 OK
    x-amz-id-2: gIfqnrhzuVR2HJIhT8Msk37Pp96qabi6Amtq6ZG9makBlT/d5z+bYivF27tac16v
    x-amz-request-id: 9A1C02D63152317A
    Date: Fri, 16 Mar 2012 17:47:27 GMT
    Last-Modified: Fri, 16 Mar 2012 06:09:58 GMT
    ETag: "6326a2bc6724b1566530f34f5d96bf26"
    Accept-Ranges: bytes
    Content-Type: application/zip
    Content-Length: 212717
    Server: AmazonS3
    

Wouldn't take much for someone to whip up a script to parse the search results
to build a list of usernames to bounce off of. There's also a fair amount of
item-specific data too.

------
InclinedPlane
Well, if there's a silver lining to this it's a good thing the development
team behind that product isn't going anywhere where data privacy breaches
could be a big deal.

------
tonywebster
I noticed this when I did my export as well, but when I saw the data, it was
only public information. But makes for a good headline for this blogger it
seems.

------
harryf
Filed under "How to make shutting down your service a memorable event"

------
stickfigure
All the data is public. You could probably get it in a less concise form from
Google.

There is no story here, other than "Oink allows the public to download public
data".

------
ZanderEarth32
I never used Oink, but was there an option when creating an account to make it
a private account, limiting access to certain types of data to certain users?
If not, isn't everyone's uploads, reviews, pictures, etc. already available
for anyone to see? Even if this is true, this still shouldn't be happening.

------
kmfrk
Can you imagine going to a restaurant and seeing your friends pull out their
iPhone to snap photos of everything they eat and drink? I'd want to smack them
at the back of their head.

Good riddance to products like Oink, if it fosters habits like Rose's, if his
photos are anything to go by.

------
brown9-2
Btw, what was Oink about? I'd never heard of it before it was shut down and
this Google story, so it's hard to find out anything about _what_ the app
actually was. They seem to be getting a lot more attention post-shutdown than
pre.

------
smackfu
Ha. I thought the download service was pretty clever and well put together,
but didn't notice that the link they gave you wasn't anonymized.

------
joshaidan
I understand most of the data was public anyway, but why not at the very least
use a randomly generated string instead of your username?
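
(Added example, not part of the original thread and not Oink's code.) A sketch of the mitigation suggested in the comment above: the export object gets a key drawn from a CSPRNG instead of `{username}-export.zip`, and the download link carries an expiring HMAC tag bound to the object and its owner. The function names, the `exports/` prefix and the token layout are hypothetical; the HMAC link stands in for whatever signed-URL mechanism the storage service provides.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed key for the example; a real service loads it from a secret store.
SIGNING_KEY = secrets.token_bytes(32)


def new_export_key() -> str:
    """Object key with no username in it: 256 bits from the OS CSPRNG."""
    return f"exports/{secrets.token_urlsafe(32)}.zip"


def _tag(object_key: str, user_id: str, expires: int) -> str:
    # Bind the tag to the object, the owner and the expiry time.
    msg = f"{object_key}|{user_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_download(object_key: str, user_id: str, ttl: int,
                  now: Optional[float] = None) -> str:
    """Return an 'expiry.signature' token valid for ttl seconds."""
    issued = time.time() if now is None else now
    expires = int(issued + ttl)
    return f"{expires}.{_tag(object_key, user_id, expires)}"


def verify_download(object_key: str, user_id: str, token: str,
                    now: Optional[float] = None) -> bool:
    """Accept only an unexpired token issued for this object and this user."""
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    current = time.time() if now is None else now
    if current > expires:
        return False  # link has expired
    expected = _tag(object_key, user_id, expires)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(sig.encode(), expected.encode())
```

The bucket itself stays private in this design; the application checks the token and only then streams or redirects to the object.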

------
benatkin
Whether or not it's public content and the privacy policy says it is, Oink
botched it.

If they were going to release all the data they should have said so.

The archives not being generated until a user triggers the export indicates to
me that it's just sloppy coding.

~~~
icebraining
_If they were going to release all the data they should have said so._

They didn't release anything new - all the data was already accessible from
their website, and users were aware of that. They just made a zip out of it.

------
kirbysayshi
I thought some weird cache from Oink's Pink Palace was found! Hadn't heard of
this Oink until now.

------
cageyjames
Privacy should always be the number one concern with apps and websites. This
is simply just sloppy.

~~~
siculars
Not when everything you put in is Public.

~~~
filipmares
it was public on the site, not browseable. you needed to know the explicit url
to your profile. there simply was no structure for it.

~~~
icebraining
No structure? It was www.oink.com/{nick}, how is that not a structure? That's
exactly the same structure as the zip.

------
tonyrice
I honestly can say I have no clue what Oink is but this seems like something
pretty serious.

------
ig1
Flagged because the title is misleading and unfairly besmirches the Oink team.
All the data was public in the first place.

EDIT: The title has been changed to something reasonable so I've unflagged it.

~~~
cristinacordova
Do you mean you changed the title? I certainly didn't as I'm now blocked from
editing the title of my own submission. Also, the post seems to still be
flagged.

~~~
ig1
Presumably one of the mods changed it

~~~
cristinacordova
I see, thanks.

