FWIW, whenever I share sensitive documents on drive, I do so via a shareable link. I figured if I trust someone not to download the file and share it as an attachment, then I trust that person to not share the url publicly as well.
One distinction, though, is that URLs are much easier to steal, as compared to login info. People often don't make an effort to hide their browser URL when using their laptop in a public location, nor do they clear their history when using a shared computer. In theory, someone determined can use these vulnerabilities to steal a URL address.
In practice, the above threat model seems obscure and unlikely enough that for a social service like Google Photos, what Google has seems reasonable enough. I can understand the author's surprise, but I can also understand Google's policy here.
A simple UI fix would be to explicitly call the sharing mode "unlisted" like some other sites do including Youtube, with a similar warning about linking to the content.
It's trying to achieve privacy by obscurity, and I'm assuming that Google has robots / etc configured so that no search engine could crawl the shared album URLs.
That said, I do agree that this should be communicated better. Personally, I like this feature because some of my friends are fiercely anti-Google and this still allows me to share photos with them seamlessly. The alternative suggested by the author (i.e., upload to Drive then share) is less seamless and for me, not worth the additional privacy gain. (The photos I truly want private are not shared at all, and I try to delete them from the cloud asap).
I am fiercely anti-Google and I wouldn't touch a Google link for any reason, even if a friend sent it. If it's so important you need me to see it right away, send it via Telegram or MMS.
That said, I don't think this is malicious on Google's part, it's just lazy. Allowing sharing of private content is difficult to get right, but if Dropbox can do it I know Google can. Hell, they are smart enough to do it better, which is why this screams laziness or just a plain "we don't care" attitude.
Second, the author was speaking of sharing a random photo with a friend, not national security secrets. I don't want Google seeing what I see, and using a third party messenger or a carrier service like MMS accomplishes this. If I need it to be encrypted, I'll use an encrypted service, but I wasn't talking about that and you're moving the goalposts to make what point exactly?
Sort of like Google Drive does it. Make it easy, sure, but let me know the trade-offs.
Not sure how much clearer Google could make this.
Why is this the top story? It is a non story. PEBKAC.
I only see email, with no warning that album will be public.
The Via Sharable link screenshot is from Google drive, which works as expected.
Unfortunately for me, I was using the other flows to share my photos.
Completely agree that Google Photos (and the other data hosting services) could provide warnings to those new to this method of sharing — I wouldn't expect my grandma to simply know this.
This can be seen by inspecting the image link in Google Drive.
I was simply expecting to see the same behavior with Google Photos. As you said, at the very least it would be nice to see a warning, which turns out they provide in some, but not all flows.
Not okay, Google.
Getting hold of one of those URLs is not going to be easy, but still this is not at all what I would expect.
The size of the URL for the image resource is utterly huge. If that is truly random in its generation, there's no way anybody's ever going to guess it or enumerate it. It's all SSL, so you'd need a serious network breach for anybody to sniff it, and then you have bigger problems.
So yeah. Not that bothered upon further thought.
I still think it's OK to use Google Photos. People just should be very careful with what they choose to share.
Please let me know if I got something wrong.
This appears to be true and another key distinction between Google Drive and Google Photos.
Google Photos uses a direct link to the image in their Web UI. This means that if I right click on a Google Photos image, select "Copy Link Location", and share this link on the Internet, anyone with the link will be able to see the photo.
Google Drive adds an extra level of protection. The URL exposed in the Google Drive Web UI is actually a redirect to the real image location. That redirect makes sure that the user is authenticated and has permissions to access the image. After the check is complete, however, Google Drive will redirect to the physical location of the image. Copying and pasting that URL will have similar security implications.
Given that those URLs are extremely hard to guess, I am not as concerned with this finding. My biggest complaint with Google Photos is that it offers me a UI to email private links to other people, without alerting me that user authentication will not be performed to view this content.
All of this seems to be working as I expected.
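An added illustration, in Python, of the two link designs this thread compares (it is not Google's code and not the blog author's): a share link that goes through an access check before redirecting to the backing image location, as described for Drive above, beside the "anyone with the link" mode, plus the share-time warning text the thread says is missing. It also shows the caveat raised above: the post-redirect URL is itself a bearer URL that the image host serves without any account check. The share modes, the in-memory store, the `/share/` path, the `img.example.invalid` host and the 32-byte token size are assumptions made for this example.

```python
# Added example, not Google's or the author's code. Models a share link that
# redirects through an access check (Drive-style) vs. an unauthenticated
# "anyone with the link" share, and the bearer-URL nature of the redirect target.
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_BYTES = 32                                # 256 random bits per token (assumption)
BACKING_HOST = "https://img.example.invalid/"   # constructed placeholder host
SHARE_PREFIX = "/share/"                        # assumed redirect endpoint path


@dataclass
class Share:
    resource: str                               # backing image URL (bearer URL)
    mode: str                                   # "anyone_with_link" | "restricted"
    allowed: set = field(default_factory=set)   # accounts allowed when restricted


SHARES: dict = {}   # token -> Share; in-memory stand-in for a real store


def new_token() -> str:
    """Unguessable token from the OS CSPRNG (never a counter or timestamp)."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def create_share(mode: str, allowed=()) -> str:
    """Register a share and return the link the user would be handed.

    The backing image gets its own random bearer URL; that is what a direct
    "Copy Link Location" on the rendered image would expose.
    """
    if mode not in ("anyone_with_link", "restricted"):
        raise ValueError("unknown share mode")
    backing = BACKING_HOST + new_token()
    token = new_token()
    SHARES[token] = Share(backing, mode, set(allowed))
    return SHARE_PREFIX + token


def share_warning(mode: str) -> str:
    """Text a sharing UI should show at share time for each mode."""
    if mode == "anyone_with_link":
        return "Anyone who obtains this link can view the photo without signing in."
    return "Only the listed accounts can open this link after signing in."


def open_link(share_url: str, user: Optional[str]) -> Optional[str]:
    """The redirect endpoint: check access, then reveal the backing URL.

    Returns the backing URL on success, None on denial. `user` is the
    signed-in account, or None for an anonymous request.
    """
    if not share_url.startswith(SHARE_PREFIX):
        return None
    share = SHARES.get(share_url[len(SHARE_PREFIX):])
    if share is None:
        return None
    if share.mode == "restricted" and (user is None or user not in share.allowed):
        return None
    return share.resource


def fetch_backing(backing_url: str) -> bool:
    """The image host serves any request presenting a valid backing URL.

    No account check happens here: once the post-redirect URL is copied,
    it is a bearer credential again, exactly as the thread describes.
    """
    return any(s.resource == backing_url for s in SHARES.values())


def token_entropy_bits() -> int:
    """Randomness per token; guessing one needs on the order of 2**(bits-1) tries."""
    return TOKEN_BYTES * 8
```

The access check lives only in `open_link`; `fetch_backing` deliberately has none, so the restricted share is protected exactly as far as the redirect link, and no further, once the backing URL leaves the recipient's browser.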
If I share something with my family, who are all on Google, I would like it to ONLY be available to them. Right now there is no way to do it.
also yeah the hyperbolic language combined with the coinbase link read as "attention seeking" to me.
Coinbase link, is my experiment of trying to monetize my blog. Like I said, 2 kids...
I still use email if I want to share a picture with somebody? I must be old school.
JFYI, in case of need:
I only wrote this because I was shocked too. I genuinely did not expect this behavior, and I've been using Google Photos a lot in the past year.
Sensing a clear agenda here.
Edit: looking at your submission history -- wow. I'm surprised you haven't been dinged for spamming.
Re AMP, I was not just posting to gain up-votes, I believed in all the things I said. But I did underplay the benefits that AMP provided, for which I apologized. You can read more about that here if you'd like: https://www.alexkras.com/google-amp-is-winning/
I don't have an agenda... I saw something that surprised me concerning my security, realized that others might have overlooked it, and wrote a blog post about it...
Re continuous re-posts, it is not against HN terms. I was doing it because I thought that there are people who can benefit from my writing, I take a lot of time to write my posts and it sucks when nobody gets to read it. I did however go overboard towards the end, I have been warned, and I am only submitting articles once now. Such as this post, as you can see in my history.
> ... I think that this is a lazy design. ...
No, it's absolutely deliberate.
My take (not sure why nobody else is saying this):
Google is contractually required to not inspect or analyze the _private_ data it stores beyond technical purposes such as deduplication.
- Google Drive is used for corporate environments where privacy is the be-all end-all. Can't really do anything there.
- But by using UX antipatterns to get away with making Photos public by default, Google can say "well the photo was publicly accessible so we've ...".
Hmm. I wonder what the legal ramifications are of making a photo private. Does that constitute a licensing change on the part of the copyright holder (you)? Can Google argue _for_ holding on to "the copy of the photo that was public"? (Yes there's no bit difference but the legal flavor is different.) If that's the case, that could explain why everything's public by default; just grab a copy of the photo before the user makes it private a second later.
Remember how the Pixel has unlimited online Photos storage?
This is clearly a tracking move. I was reading about how YouTube analyzes the content of videos (AI content recognition), etc. If Google has the infra to analyze _video_ they can easily do images.
Related: https://medium.com/insurge-intelligence/how-the-cia-made-goo... (REALLY long - I started going cross-eyed ~60% through - but probably the most relevant thing you'll find all week if you're interested in how Google is tracking you and what their motivations are)