An Email to Yahoo/Flickr regarding privacy leak

January 26, 2008 at 12:44 am | Posted in privacy | 2 Comments

Here is a copy of my email to Yahoo (for Flickr) Germany (they automatically forward me to the German site, due to my IP, I suppose), addressing the privacy issue raised by the 30boxes mashup (I wrote about that here). I picked the ‘Infringement of Privacy’ label; hopefully I’ll get a response, and hopefully they’ll fix that problem.

Dear Yahoo,

I just learned that, due to an open API at Flickr, it is now possible to extract and MATCH one’s nickname and email address and make that connection public. That means: knowing someone’s email address suffices to retrieve that person’s flickr account.

This is currently possible using the services of a website called www.30boxes.com. 30boxes offers a calendar service and claims to allow people to do the following:

* organize your stuff
* plan your day
* keep up with your friends

Unfortunately, in their interpretation, a friend is someone whose email address you know (an unfortunate misunderstanding that could also be witnessed in the recent disclosure of shared items to everyone in your contact list at Googlemail).

Similarly, keeping up with your friends at 30 boxes works the following way: once you have signed up, you can “Find buddies” by entering the email addresses of people you know (of course, knowing someone’s email address does _not_ mean that you are friends!).

30boxes then attempts to retrieve data from the APIs of – among others – Flickr, Twitter, Myspace.

What is disconcerting here is that it – in the case of flickr – matches nicknames and email addresses, meaning that the privacy that the nickname offers is jeopardized.

I, for instance, entered the email of a friend (which I am not going to type in here, as I am also going to publish a copy of this email on my blog) and immediately received a link to her flickr account – I am very sure that she isn’t too pleased about this.

I am probably lucky that 30boxes wasn’t able to match my email address with my flickr account (for whichever reason) – nonetheless, I wonder whether:

a) Flickr knows about this vulnerability of their API

b) this vulnerability is covered by the terms and services (I doubt that I would understand the legal language that defines the use of APIs, hence I haven’t checked myself).

In any case: the fact that one HAS the opportunity to choose a nickname does, in my view, suggest that the connection between nickname and email address should also NOT be revealed to third parties nor made public, e.g. publicized in the 30 boxes mashup.

Furthermore: if a user gives out his or her email address, that does not necessarily mean that he or she also meant to allow this person to see his or her flickr account. This is, however, the consequence of opening your API to third parties like 30 boxes.

Your feedback is very much appreciated.

Best wishes,

Anaj Blog

I might have to send emails to Twitter, Myspace etc. as well.
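The design flaw the email describes is a “find buddies” endpoint that confirms, for any address you submit, which account it belongs to. As an added illustration (not code from Flickr, 30boxes or the blog author; accounts, nicknames and the batch cap are constructed), here is that leaky lookup beside a version that only matches accounts whose owners opted in to being found by email and that refuses oversized batches:

```python
from dataclasses import dataclass

@dataclass
class Account:
    nickname: str
    email: str
    discoverable_by_email: bool = False  # opt-in; off by default

# Constructed sample accounts (hypothetical, not real people).
ACCOUNTS = [
    Account("sunnyphotos", "alice@example.org"),                          # never opted in
    Account("bob_snaps", "bob@example.org", discoverable_by_email=True),  # chose to be findable
]

MAX_BATCH = 50  # assumed cap on addresses per "find buddies" request


def _normalise(email: str) -> str:
    return email.strip().lower()


def leaky_find_buddies(emails: list[str]) -> dict[str, str]:
    """The behaviour the email complains about: every known address
    is resolved to its nickname, regardless of the owner's wishes."""
    index = {_normalise(a.email): a.nickname for a in ACCOUNTS}
    return {e: index[_normalise(e)] for e in emails if _normalise(e) in index}


def consent_gated_find_buddies(emails: list[str]) -> dict[str, str]:
    """Hardened form: only opted-in accounts are matched, and a batch above
    the cap is refused outright, so the endpoint is not a bulk enumerator."""
    if len(emails) > MAX_BATCH:
        raise ValueError(f"at most {MAX_BATCH} addresses per request")
    index = {_normalise(a.email): a.nickname
             for a in ACCOUNTS if a.discoverable_by_email}
    # Unknown addresses and opted-out accounts are both simply absent from
    # the result, so the caller cannot tell "no account" from "not findable".
    return {e: index[_normalise(e)] for e in emails if _normalise(e) in index}


if __name__ == "__main__":
    probe = ["alice@example.org", "bob@example.org", "nobody@example.org"]
    print("leaky:        ", leaky_find_buddies(probe))
    print("consent-gated:", consent_gated_find_buddies(probe))
```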

2 Comments

  1. I wrote about the same privacy violation on my weblog and I’d be interested to know if you ever hear back from Flickr or Twitter.

  2. Hi Mike, thanks for letting me know! No, no word from Yahoo Flickr yet – will follow this up soon. I completely agree with your stance:

    ***
    This Techcrunch article goes into more detail about Spokeo, which isn’t the problem but merely one example of how easy it is to gather information that’s not meant to be public. I can live without that kind of false privacy.
    ***

    As in my example, 30boxes is not the problem, but the fact that websites like flickr claim to have privacy features in place, but allow for their circumvention so easily.
