We posted eight months ago about Google calendar’s lack of respect for private data. Chris Pirillo has a found a clever demonstration of this: just search for “user password” in public events, and you’ll come up with a huge list of usernames and passwords of all sorts.
We’re not holding our breath for Google to fix this problem, or even notice that it exists. But it illustrates a subtle point about privacy and security. Think about how hard it would be for Google to fix this problem now. They have tens of thousands of calendars, and events in Google Calendar that may or may not be private. So even if they added privacy controls now, it would be up to the user to change the privacy settings on all of their past events. And Google calendar users would be confused when other people’s events that they used to be able to see suddenly disappeared.
Privacy and security isn’t easy to do right, and it’s even harder to tack on after the fact. We have been designing and worrying about privacy and security from the beginning, and we don’t have these kinds of problems.
Hi,
We at the Calgoo office use Google Calendar for business purposes. Privacy settings on Google Calendar have always existed to our knowledge. What the problem is is that users are not educated on how to use the program. Google should make it more clear as to what the various privacy settings are and how to use them. Also defaulting to private would make a lot of these headaches go away.
Hard to blame just Google here though – lazy users must share this blame equally.
- Calgoo
http://www.calgoo.com
Yes, Google calendar has had “Public” and “Private” settings for events and calendars created from within Google calendar for a long time.
Google calendar does not have any privacy controls for events imported via a URL, and most people do not realize this because of the way that the interface is structured. You can decide whether other people can “find this public calendar via Google Calendar search.” However, even events in imported calendars set to not be findable contain only public events: if you look at the calendar details, it clearly says “Anyone can: See all event details.”
We were confused enough about this interface to perform a test a while back, and we found that any event in any imported calendar will show up in Google calendar search, regardless of whether the user chose to make the calendar findable.
I’m sure you know this, since your business is based on integrating with Google calendar.
I’m explaining it for the benefit of other people who are following our blog. Imagine how damaging it would be if a competitor searched for your company name and a range like “Jan 1 2005 through Jan 1 2008″ and found a bunch of sensitive business meetings about secret business deals? Or imagine if that happened to one of your users, and they decided to sue you or Google?
I strongly (although respectfully) disagree with your assertion that “lazy users must share the blame” for these kinds of privacy breaches. Certainly in this extreme example, I would place the blame entirely on Google, since pretty much everyone we talk to, on this blog or in person, is under the mistaken impression that Google supports private calendar feeds. If everyone who uses an application is confused about it, you can’t really blame “lazy users.”
And I disagree in a broader sense too. It is possible to write software that is secure, with clear, simple, easy to use privacy controls. The vast majority of computer users don’t even think about privacy (at least until their privacy is breached). The only way to get people to use privacy controls is to make them easy to use. This is one of the core features of Mosuki.