An Email to Yahoo/Flickr regarding privacy leakJanuary 26, 2008 at 12:44 am | Posted in privacy | 2 Comments
Tags: 30boxes, Flickr, myspace, Twitter, Yahoo
Here is a copy of my email to Yahoo (for Flickr) Germany (they automatically forward me to the German site, due the my IP I suppose), addressing the privacy issue raised by the 30boxes mashup (I wrote about that here). I picked the ‘Infringement of Privacy’ label, hopefully I’ll get a response, hopefully they’ll fix that problem.
I just learned that, due to an open API at Flickr, it is now possible to extract and MATCH ones nickname and email address and make that connection public. That means: Knowing someone’s email address suffices to retrieve that person’s flickr account.
This is currently possible using the services of a website called www.30boxes.com. 30boxes offers a calendar services and claims to allow people to do the following:
* organize your stuff
* plan your day
* keep up with your friends
Unfortunately, in their interpretation, a friend is someone whose email address you know (an unfortunate misunderstanding that could also be witnessed in the recent disclosure of shared items to everyone in your contact list at Googlemail)
Similarly, keeping up with your friends at 30 boxes works the following way: Once you have signed up, you can “Find buddies” by entering the email addresses of people you know (of course, knowing someone’s email address does _not_ mean that you are friends!)
30boxes then attempts to retrieve data from the APIs of – among others – Flickr, Twitter, Myspace.
What is disconcerting here is that it, in the case of flickr – matches nicknames and emailaddresses, meaning that the privacy that the nickname offers is jeopardized.
I, for instance, entered the email of a friend (which I am not going to type in here, as I am also going to publish a copy of this email on my blog) and immediately received a link to her flickr account – I am very sure that she isn’t too pleased about this.
I am probably lucky that 30boxes wasn’t able to match my email address with my flickr account (for which ever reason) – nonetheless, I wonder whether:
a) Flickr knows about this vulnerability of their API
b) this vulnerability is covered by the terms and services (I doubt that I would understand the legal language that defines the use of APIs, hence I haven’t checked myself).
In any case: The fact that one HAS the opportunity to chose a nickname does, in my view, suggest that the connection between nickname and email address should also NOT be revealed to third parties nor made public, e.g. publicized in the 30 boxes mashup.
Furthermore: If a user gives out his or her email address, that does not necessarily mean that he or she also meant to allow this person to see his or her flickr account. This is, however, the consequence of opening your api to third parties like 30 boxes.
Your feedback is very much appreciated.
I might have to send emails to Twitter, Myspace etc. as well.