I'm experiencing something that is obviously dumb users.
I have a first.last@gmail address and my name is very common. So I bet others had to use less desirable gmail addresses.
Since Google started to aggressively push for adding alternative email and/or phone number, dumb users that initially wanted my email address entered it as their "alternate email" not understanding it's for password recovery only.
I clicked the "not me" link in more than 20 confirmation emails, but Google probably never used that to better inform the dumb users.
Now my gmail account is a cesspool of emails intended for other people, site registration confirmation for idiots with same first/last name but a different middle name... And there's no spam algorithm that can fight that!
Most of my projects involve a mass-market audience so I get a pretty good view of what average competence looks like. Based on this, I would guess that a significant portion of Americans have great difficulty reading. Even when you put a big message that says this is not for X, people will continue to do X.
If you run a startup or a company whose audience is early adopters you get a skewed view of the average level of competence of users.
I don't know if things get worse in other countries. However, I would guess that 10-20% of the US population lacks the basic literacy and logic skills to hold a manual job involving anything but repetitive tasks.
And even besides the people with low IQ, most everyone is only capable of thinking abstractly some of the time--and even then only after years of cognitive development. System 2 thinking is taxing to the brain (consumes more glucose/oxygen/etc), and is switched out of whenever it's not absolutely necessary.
It's not about reading ability, it's about the way things are written. There's been plenty of research done on how to write notices and warnings etc. that will catch attention, and how to persuade readers to follow the directions. But of course "user interfaces" are often not "designed" by designers at all, much less anyone who's ever studied the research. (Not that most designers study the research, either, but they're more likely to than Joe Programmer.)
Example: Jakob Nielsen publishes research that shows "people on the web don't read." The sample content used to determine this? The list of tourist attractions in North Dakota.
Garbage in, garbage out.
Finally, the vast majority of text on the web around forms etc. is useless, poorly written, obtuse, abstruse. People have been indirectly trained to ignore it. It's not surprising that most users ignore the messages you took the effort to write.
If you cross paths with enough Googlers in your career, eventually you'll come across the lucky souls with first names as gmail accounts; then when they explain the deafening background radiation they get, you start thinking "hm, maybe firstname.lastname@example.org isn't such a bad address after all"...
Example: Grandma sending pictures to Larry! Oh, he must be email@example.com, right?
I have a first name only email forwarding account at a "well known Eastern technical school." (I signed up first thing when these were made available at a time when a lot of people still weren't on the Internet.) I don't get as many random emails as I once did but, at one point, I even got on an email thread involving board discussions at some company.
Ha! I can up you. Last year I got invites to some Chinese gov stuff intended for a consul of some country with the same first/last name as me. They had a bunch of emails @gmail and @yahoo and a couple @country.gov, and apparently mixed a few.
Should have taken that free trip to shengze or something :)
Yeah .... I had the same problem with a common first name + last name @gmail - even to the extent of getting someone else's buddy passes for JetBlue - before getting my own domain. I thought it wasn't bad for my purposes, but it's a terrible domain name for spelling out (my handle here plus .com).
I have a friend whose surname was McCurry (which she rarely used - family baggage) and she ended up changing it to Blake, because you never have to spell out Blake to people, but you do every time with McCurry.
I own <first initial><last name>@gmail and I routinely get email intended for other people, including flight itineraries, new account info at various sites, personal emails, and once I even received legal correspondence.
Not only has this taught me how incredibly oblivious some people are to how their email works, but it also showed me just how many companies out there are willing to sign up a random email for an account without verifying the email's ownership, including some big companies like PayPal.
If three other people tried that username, I not only got locked out of my BoA account, but had to set up a bunch of stuff again.
I have a long blog post about BoA's horrible policies I still haven't published because I work in a major financial city and might end up wanting to work for them some day, but as time goes by the odds of it getting published go way up.
And same as the article, I never get to know the idiot's email address they are trying to register mine as the password recovery for. That's the dumbest on Google's side. Makes me powerless to solve the idiocy DoS attack on my account.
I've gotten everything from business plans to divorce papers sent to my firstname.lastname@example.org address. In some cases I've tracked them down and called their cell phones, and they still mistakenly send me email. There are some people whose email automatically gets re-routed to the 'correct' account with a note, and they continue to use my email address. Some have even sent me nasty emails saying they're blocking my address, as if I am to blame somehow for their incompetence.
I understand that people make mistakes and typos happen. But when you're dealing with legal documents there's no excuse for this kind of oversight.
Because it's the near-equivalent of misspelling your name on an exam, at least when it's entering your own email address.
On the flipside I sometimes get mails intended for someone else with my name in Australia, but that is easy enough to assume that his friends/kids' teachers/etc. just manually typed in the address and messed it up.
I got added to a Black Board announcement list for some school. They don't seem to have a way to say 'stop sending this address mail'. I'm cranky, so I emailed the dean of student affairs about it.
He emailed back as if I were a student. I responded pointing out that I had no association with the school. He emailed back asking me to explain further, as there was someone with my name at the school. So I explained that I thought it was probably someone with the same name. At least that ended it.
That's the most arrogant thing I've read in a while. The fact that someone doesn't comprehend something technical makes them inexperienced. Computer literacy is literacy.
Would you call someone who can't drive a car an idiot? Or someone who is using an ATM machine for the first time? These people are not competent. They are inexperienced. But a pejorative term like "idiot" isn't called for.
These people, for the most part, do not respond or even seem to comprehend correction. They seem to be the same people that refuse to understand what is going on when they dial a wrong number: "Hey Stan! What's goi-" "I am not Stan. You have the wrong number." "No, this is Stan's number." "....click"
If you can't apply the term "idiots" to these people then the word is useless and can never be used.
> Would you call someone who can't drive a car an idiot?
I would if this person was out on the highway. I learned to drive on a parking lot, and then on roads with very little traffic. People who can't drive are a danger to themselves. People who are too incompetent to know what their correct email address is are a danger to themselves too.
I get bank statements and postpaid mobile bills. When I wrote a bank (Kotak, India) the executive's first reaction was - "please contact the user" - of course I had mentioned in the email that I've no idea who the intended recipient (someone in Pune, India) is. I finally had to set a filter and take a vow that I can never be this bank's customer and I ought to quit if my firm decides to tie up with them for salary a/c.
There's Tata Docomo who sends me monthly postpaid bill. I've learned two things from their emails - that gentleman in Nagpur is very irresponsible in paying bills and that Tata Docomo's spam filters are so strong my email never made it to them. They keep on sending. I guess they shall send me the calls records if I request to this email.
My fault? I've one of the most famous/common Indian/Hindi names on Gmail/Hotmail/Yahoo and domain name too - both .in and .com.
> I get bank statements and postpaid mobile bills.
Most such e-mail traffic is just spam, not sent by the banks, but sent by people hoping to trick the recipient into reading the e-mail, following the link and logging into a false web page set up to act like the bank web site.
Once they have your logon details they will go to the real bank page and transfer out your money.
The most amazing thing is that even though most of it is spam not all of it is.
I get monthly emails telling me about various bills or status of from at least my internet, cell phone, and student loans. Pretty sure none have a copy of the bill and ask me to follow a link to log in.
I don't click on most email links because you never know if it's the scammer or the company.
I have an email alias that’s similar to well-known rabbi Shmuley Boteach’s personal email address (‘schmuley’ instead of ‘shmuley’). Occasionally, I get an email that’s meant for him, so I forward it. Not a problem.
A Norwegian girl, living abroad, enabled "auto upload my pictures to Google+" on her phone and for some reason they end up in a Norwegian IT journalist's Google+. Everything from full passport details to regular photos are uploaded. The journalist can see Geo location etc as well. Google keeps stating it is not possible and the journalist is experiencing problems contacting Google.
The mindset that something "isn't possible" is dangerous as a developer.
You should never deny the evidence. When you say "It's not possible", something in your understanding is obviously mistaken. Maybe your understanding of the evidence, maybe your understanding of the problem, but somewhere you're wrong. Your job now is to find out where you're wrong.
The correct response in such situations is "What am I wrong about?"
I've lost count of how many times I've seen the Can't Happen mindset delay resolution of an issue. It's a genuine problem.
The first job of the respondent is to validate the input so that the right problem gets solved.
> I've lost count of how many times I've seen the Can't Happen mindset delay resolution of an issue. It's a genuine problem.
> When you say "It's not possible", something in your understanding is obviously mistaken.
Not necessarily. Bear in mind that the "error" data itself can be wrong too, for many reasons -- some benign, some not so much. People can and do lie and make mistakes.
In the public sphere things are even more fraught. There are people who loathe $COMPANY and would love to see their services discredited. On the other hand, $COMPANY's legitimate success depends to some extent on people's perception of their reliability, so they have a right to defend themselves.
I think a reasonable response from $COMPANY in this case is "1) That's impossible", to reassure skittish customers, and "2) We'll work directly with the person having the problem and report back, stay tuned" to show respect and responsiveness (and potentially humility later).
If you were running your own company, paying the salaries of your employees and serving your investors, would you do otherwise?
I think that your "What am I wrong about?" approach is going too far in the opposite direction.
I usually use "That shouldn't be possible" - whether it is possible or if it's user error then often depends on the maturity of the system.
On a new system pretty much anything is possible. On a system battle-tested for years by thousands of users the possibility of encountering program bugs drops dramatically.
This is where good supporters become very valuable. They will be able to learn the solutions to common problems that users face and determine if it's user error, other errors like OS problems or if it's something new that should be investigated by the developers.
Of course if the bug is reproducible then it's a different matter. But any developer who doesn't take a well-described and reproducible bug report seriously should probably find a different job.
"The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair" – D. Adams.
I have two Android phones (ICS and Jelly Bean) and this has not been my experience at all.
The first time you start the Google+ app, it will ask you if you want to enable Instant Upload (which uploads to a private album from which you can publish). Prior to that it doesn't do anything with your photos.
Same for me - but I noticed that it suddenly started syncing to Google+ too a few weeks ago (not sure why it started doing this, either there was an update or it was because I logged into Google+ using the default Android Google+ app and it enabled it then). Either way, I wasn't particularly happy about it, though I believe it uploaded them but did not make them public. I turned it off as soon as I noticed as I don't need my photos synced to two places and I already had photos synced to DropBox.
Both Google/Gmail account and Google Apps account.
I may not be correct about 'any' android phone though. I've only used stock and several custom ROM on Galaxy Nexus ranging from version 4.0.4 to 4.2.2. After you add a Google/gapps account you'll see this in sync setting - http://s24.postimg.org/fxbv98s05/Screenshot_2013_04_28_23_42... . I've found 'Google Photos' always checked by default. First time this feature was introduced, I didn't notice and my G+ filled up with random images from my mobile gallery. Since then I consciously turn this off every time I flash a ROM.
Edit: so you don't necessarily need Google+ app installed for this to happen.
It isn't true. By default -- including on a brand-new Nexus 4 -- it will notify you that photos are ready to be uploaded, and if you follow-through it gives you the option of automatically uploading from then forward.
Indeed, happened to my very privacy sensitive colleague while setting up his new S3 (he had no prior G+ account, so he got a new one). This may depend on what type of account you have and what terms you have agreed to.
How did you confirm that? Google+ on my Galaxy S III asked me whether I wanted to allow it to upload pictures on first launch (not surprising as it runs the same G+ app as every other device). Of course most people will simply do what nnnnni stated, which is a "sure whatever" clickpast (which Google knows and takes advantage of), and forever more declare it unwanted, mysterious behavior.
1. buy new note2 from att, register google account, skip samsung and att setup.
2. buy new s3 from amazon unlocked, register google account, skip samsung setup.
3. never even open G+ app on both phones
4. take a picture
5. wait an hour
6. you get a notification "pictures you took are ready for sharing" i.e. they are already uploaded against your will and out of your knowledge.
I used the Nexus 4 as an example of the most extensive Google integration. However my other devices are a GS 3, GS 2, Galaxy Glide, and Nexus 7s. Given that Google+ is an app (and is actually the same app on all of them), the same behavior was true on all of them.
Just a warning: blurring pixels in sensitive photos like this is often insufficient. Always black out the information instead (and make sure to flatten the image! and not save it as e.g. a pdf with a black bar over it which has actually happened before too)
That attack is more useful against a mosaic than a straight blur. In this case, to attack successfully, the attacker would have to lay out every possible passport with the letters in the exact position as they'd be printed, because there is a pretty strong blur applied. You have an F and the line of < characters to work with, you know about how long her given and surnames are, and you have a frame of reference for the rest based on how much of the bottom line the author had to blur. Not much else. You also don't have a guarantee that the blur is straight out of Photoshop and contains what you are trying to reverse; looking at it, I don't think it is the actual passport data. I think it was modified then blurred.
I'm happy to be proven wrong, but I think this one is impractical.
The link you provided doesn't provide us with any insight into what the NSA's state-of-the-art might have been.
This NIST publication says: "for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack."
Tech changes have "altered previously held best practices regarding magnetic disk type storage media". It does not seem to confirm that multiple erases were unnecessary before.
It's quite possible. Not only is it possible to perform deconvolution, but since you know that you're looking for text data, and you even have the font, you can do much better. You can iterate through millions of names very quickly and find which one, once blurred produces the best match.
They actually have an example for a regular blurred jpeg at the end. And yes, a camera shake may big difference to a regular blur, but then again, an actual regular blur (so an unfocused lens instead of a moving lens) is less often the problem.
Wow, I had meant to have another sentence saying that it is probably still possible based on the "blur" technique used. But... yeah, I clearly did not say that.
I would assume most of the time people "smudge" the data they want to be removed from a photo. Though, as stated, adding new information to the image has got to be the best way to do this. (a blackout.)
1) Obviously you're talking about traditional spinning platter drives, and not SSDs.
2) The complete drive needs to be overwritten to be sure all data has gone. The safest way to do that is to use an ATA secure erase command. This will overwrite all the sectors marked as bad. DBAN is good, but it will not overwrite sectors marked as bad. (The risk from this is small.)
I guess tech-journalists get to try out quite a few mobile phones through their work.
Would it not be a reasonable scenario that the journalist got to try a phone and used the Google+ app with his account. Upon returning the phone, it wasn't reset properly before being sold on to another person. So the Google+ app could still be associated with the journalist's account when the phone was sold on.
There is a difference between knowing someone at Google and getting someone at Google to go on the record in regard to a customer service issue with a free product as "spokesperson Cristine Sorensen" is reported to have done.
My wife had a problem with a girl creating a facebook account using a similar email to hers that somehow got her gmail account connected to that facebook account.
There was some account sharing going on, as the girl used that email address to login to her facebook account and all the FB notifications ended up in my wife's inbox.
At first I thought her account was compromised, but it was a secure password, so it seemed to be caused by the only slightly differing email addresses somehow being shared internally by gmail.
Only after activating 2-factor authentication did I manage to prevent that girl from using my wife's gmail account.
However, this was followed by a few weeks of constant gmail notifications about a detail/password change request sent to her phone.
For the longest time, I used to receive someone else's e-mails on GMail. Our e-mail addresses were very similar except that mine had periods in it and his apparently didn't. Either that or he really loved signing me up for things.
I get emails intended for other guys with my first and last name at gmail.
Since periods don't matter, I assume since _I_ grabbed firstlast those other guys have had to settle for firstlast + a random bit tacked on. Later they write it down wrong, or their correspondents omit the random bit.
Quite interesting. I've gotten bids on paving jobs from Scotland. Inquiries about DJing in Florida. Invoices from a consultant in Seattle.
My understanding is that Google strips full stops before comparing email addresses and accounts for equality, which is really annoying when people split their email addresses differently at different times, making them look distinct when they are actually the same.
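The dot-insensitivity discussed in the comments above matters to any site that stores user e-mail addresses: addresses that look distinct can be one Gmail mailbox. The following is an added example, not part of the original thread, showing one way a sign-up system could canonicalize addresses before comparing them. The function names and sample addresses are constructed for illustration; the handling of `+tag` suffixes and the `googlemail.com` alias goes beyond the dot behaviour mentioned in the thread.

```python
from collections import defaultdict

# Domains that deliver to the same Gmail mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the mailbox an address is delivered to, for comparison only.

    For Gmail: case, dots and anything after '+' in the local part are
    ignored. Other providers are left untouched apart from the domain's
    case, because their local-part rules are not known here.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        if not local:
            raise ValueError(f"empty Gmail local part: {address!r}")
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_by_mailbox(addresses):
    """Map canonical mailbox -> submitted spellings, where more than one
    spelling points at the same mailbox."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonical_email(addr)].append(addr)
    return {box: seen for box, seen in groups.items() if len(seen) > 1}


# Constructed sample sign-ups (not real accounts).
SAMPLE_SIGNUPS = [
    "first.last@gmail.com",
    "firstlast@gmail.com",
    "First.Last+shop@googlemail.com",
    "firstlast82@gmail.com",     # a different mailbox: the extra digits count
    "first.last@example.org",    # non-Gmail: dots are significant here
    "firstlast@example.org",
]

if __name__ == "__main__":
    for box, spellings in group_by_mailbox(SAMPLE_SIGNUPS).items():
        print(box, "<-", spellings)
```

Canonicalization only tells a site which spellings share a mailbox; it does not show that the person signing up controls that mailbox, which still requires a confirmation message before the address is attached to an account.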
Minor wording point: I think "sensitive" rather than "delicate" pictures is what's meant here, i.e. in the sense of "sensitive documents". (Sensitive/delicate overlap in some of their meanings, but not this one.)
"Whether you are trying to protect corporate intellectual property or just the privacy of your personal life, the key idea is that you shouldn't underestimate the importance of your disclosures, particularly over time."
- Conti, Greg (2008-10-10). Googling Security: How Much Does Google Know About You?
I'm glad to see a story like this getting some press as I've suspected that I've been dealing with something very similar for years now. Every so often I get an email from Facebook or some other service asking me to confirm a sign up I never made and under a different name, and then afterwards (where it gets strange) I get an email thanking me for confirming. Gmail says no other IPs have logged into my account and there's nothing in my sent folder related to it. I've changed passwords and it still happens. It's almost as if I share an email address with someone but they have a different "account".
I really doubt that, as it doesn't seem like you can put in multiple email addresses when you are first signing up for Facebook (http://puu.sh/2IP5J.png). I also don't imagine Facebook continues to email the unverified email addresses after a user has changed their address to pass the verification.
Google uses hashes for a lot of things. Hash tables are very fast, and great for database look up. In Python if there is a hash collision both entries are compared and resolved by comparison. This is still fast because doing a compare against 4 collisions is still much faster than doing a compare against 1 billion user names.
That said... The odds get to be beyond astronomical. What percentage of people are journalists? I mean if they said someone contacted us to let us know, that would be believable, but "I am a journalist, and this is happening to me" seems a lot less likely.
I'm not ready to side with Google that this is impossible, but even the response from Google doesn't sound like the Google I know. While Google is hard to get a hold of for tech support and resolution of things, if you do get them to respond to a privacy concern they are swift.
With a Teen Girl they would be even swifter. One naked Bathroom pic and they are suddenly in the Child Porn distribution business, knowingly infringing (since they have been told now) on a teen without her knowledge. That's the kind of thing that an employee goes to jail for, not just gets some big fines.
Even if it was a realistic design pattern, what are the odds not only that a collision occurred, but also occurred between two users in the same geographic area (i.e. Norway)?
Here is a more likely scenario: They're using the same ISP, and that ISP has some poorly configured transparent HTTP cache that is serving Cache-control: private responses to multiple users. I would bet a significant amount of money on this being the problem.
To test this theory, the journalist should logout (invalidating his cookies), and then only use HTTPS with Google Plus (Install the HTTPS Everywhere extension to be certain https://www.eff.org/https-everywhere). If the pictures keep coming, I'm wrong. If they stop, then they're going to another user with the same ISP until they fix their broken cache.
It is said in the article that the journalist and the girl are from different continents... is there any ISP that operates on multiple continents and uses the same cache infrastructure for all the geographical locations?
It says they're both Norwegian, and she was visiting another country... returned from vacation and uploaded her pics? Using her Norwegian cellphone while abroad (i.e. Norwegian APN)? Emailing her pictures to mom who uploads them from home?
Who knows, but the fact that she visited another country doesn't invalidate it.
When I first created a Google+ account, when I went to YouTube, it was just a hash. I imagine your gallery would be the same since it's all now one linked platform. And this is indeed not the Google we're all familiar with.
Google could land in real hot water; not the wrist slaps for privacy/monopoly violations we've seen so far that could actually be chalked up to oversight... if you tried hard enough. This would be a real low point in the company if it pans out to be some sort of auto-upload feature that got enabled and to the wrong account.
Let's not hand-wave; the numbers actually matter here. One-in-a-million chances happen every day. One-in-2^128 chances do not. If you're exclusively using a hash for identifying someone, then you'll make sure it's big enough to prevent accidental collisions. This is not expensive.
That is a facile analysis. The lottery is a massively distributed brute force attack against a fairly weak hashing algorithm. The odds of you winning the lottery are astronomically small. The odds of someone winning the lottery are not.
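The two comments above turn on the difference between one particular pair of users colliding and any pair among all users colliding. The following is an added example, not part of the original thread, that computes the any-pair (birthday) probability for identifiers of a given bit width and checks the behaviour empirically on truncated SHA-256 values. The user count of one billion is the figure mentioned earlier in the thread; the function names and the `user<N>` names are constructed for illustration.

```python
import hashlib
import math


def collision_probability(n_items: int, bits: int) -> float:
    """P(at least one collision) among n uniformly random `bits`-bit IDs.

    Birthday approximation 1 - exp(-n(n-1) / 2^(bits+1)); expm1 keeps
    precision when the probability is far below 1e-16.
    """
    pairs = n_items * (n_items - 1) / 2
    return -math.expm1(-pairs / 2.0 ** bits)


def bits_needed(n_items: int, max_probability: float) -> int:
    """Smallest ID width whose any-pair collision probability is acceptable."""
    bits = 1
    while collision_probability(n_items, bits) > max_probability:
        bits += 1
    return bits


def truncated_id(name: str, bits: int) -> int:
    """Top `bits` bits of SHA-256(name), standing in for a short hash ID."""
    digest = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def count_collisions(names, bits: int) -> int:
    """Number of names whose truncated ID was already taken by an earlier name."""
    seen = set()
    collisions = 0
    for name in names:
        ident = truncated_id(name, bits)
        if ident in seen:
            collisions += 1
        seen.add(ident)
    return collisions


if __name__ == "__main__":
    users = 10 ** 9  # the "1 billion user names" from the thread
    for width in (32, 64, 128):
        p = collision_probability(users, width)
        print(f"{width:3d}-bit IDs, {users} users: P(any collision) = {p:.3e}")
    print("bits for P <= 1e-9:", bits_needed(users, 1e-9))

    # Empirical check on constructed names: 8-bit IDs must collide
    # (pigeonhole), 64-bit IDs should not for a set this small.
    names = [f"user{i}" for i in range(1000)]
    print("8-bit collisions: ", count_collisions(names, 8))
    print("64-bit collisions:", count_collisions(names, 64))
```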
Yes, truth does have that potential, or even more accurately, the mistakes made that truth reveals.
Humans make mistakes in judgment. Sometimes not revealing those mistakes (lying, if you will) let you grow through it. Someone might conceal a mistake for life, or reveal it after time has passed, or confess immediately. Unless there's a law enforcement agency trying to get at the truth, I think it's best left up to an individual how to deal with everyday mistakes.
And they are everyday mistakes, because that's our nature.
We're dealing with this issue already in our schools. It used to be if two kids fought in the halls, a teacher or principal would deal with it. Suspension at most, rarely expulsion. The school would almost never bring the matter to the attention of law enforcement except in rare cases. But it's against the law to fight, and they concealed it from law enforcement.
Now police are often stationed in schools. My kid's high school, and the middle school before that, has a dedicated officer. And he has said if he sees you breaking the law he'll arrest you. Do we need more kids contacting the justice system, for doing what kids do as they outgrow being kids? It's the truth, but is it right?
Do you ever spell check or read over what you've written before you submit writing? Shouldn't the computer stream everything as written, so everyone would know the truth about your spelling, grammar and judgment?
I look out the window and I see a lot of color. I'm really glad it's not all black and white.
There's more to it than mistakes. I'm reminded of an advice column from a few weeks back where someone had found out that their recently dead grandmother had been homosexual and was wondering whether to share this with her homophobic family.
People who aren't socially disabled recognize that you don't always tell all the people all that is true. I'd never deny say surfing for porn, but that doesn't mean I want my mom to know my porn viewing tastes.
> Do you mean that truth has the potential of ruining lives and relationships?
Yes, if context is missing. And context will most likely be missing from ‘leaked’ information – and if the subject is sufficiently emotional, people will have little reason left to wait for/inquire about said context.
The idea that context-free photos uploaded to the internet (and potentially shared with the public) without the subject's permission somehow represent 'truth' is hilarious.
If they say a picture's worth a thousand words, then it's not much of a leap to apply this quote:
"If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him."
How many pictures out of context do you think it would take to ruin the average person's marriage? Destroy their career? Make them a public laughingstock? Not many pictures, if you choose the right ones.
The idea that you can misphrase what I actually said so grotesquely is itself "hilarious".
The GP opined that photos ruin lives and relationships. I've yet to hear a scenario where an unwantedly shared photo ruined either a life or relationship where it wasn't that it actually revealed a hidden truth.
You're awfully close to a No true Scotsman argument, there. However, if you're interested in damaging photos that aren't secret, you need but take a look at the history of social news. There have been a number of high-profile false allegations with associated vigilantism.
Give some examples, please. In the overwhelming majority of unwanted picture releases, it is actually the truth that caught people out, not anything "out of context" (which is the ultimate weasel phrase. "Sure I said that racist jokes..but you have to understand that I'm being taken out of context: There weren't any black people in hearing range!").
The teacher that actually has a night life, outside of the lie that everyone sits knitting sweaters for kittens at night. Etc. It is the individual and social lies that get unfurled.
You connect to an old friend of the opposite sex on fb. He/she is a silly git and the first thing he/she does is post an old photo with you and him/her visibly drunk on your fb wall. Your current partner sees it and assumes it's a relatively current photo and thus thinks you're cheating on him/her.