Philip Jacob

A Serious Bloglines Privacy Issue


By way of introduction, Bloglines is a web-based RSS aggregator. You give it the URLs of the feeds that you want to read and it displays them for you. It’s convenient, it works most of the time and it isn’t as bad as all the other web-based feed aggregators.

But there’s a problem with Bloglines. The problem is either a usability issue, a privacy issue or a PEBKAC issue depending on your point of view, but it’s a fairly material problem in all cases.

Each Bloglines user has an account. The account lets you set various options about how your feeds should be displayed, font sizes, your timezone and other related things. You also have the option to make your blogroll private or public:

[Screenshot: the Bloglines privacy setting]

At first blush, this setting seems to mean “don’t let other people see what I’m reading”. But that’s not the case at all.

Like most people, I get RSS feeds from various interesting people that I like to read, Dilbert, news sources and the like. But I also have an RSS feed from a web-based invoicing service, my Netflix queue, and my Todo list. There’s nothing terribly interesting on any of these feeds, but it’s not the type of information that I would normally volunteer for public availability. Each of these feeds is referenced by a URL that looks like this:

http://www.some-service.com/user/phil/9a8a1e2fb15021fae61f379b0eb8c65d

The random string of characters at the end of the URL is a hashcode with the following characteristics:

  1. Non-sequential
  2. Hard to guess

If someone knows the URL of the feed, they can read the content therein and possibly find out what your favorite movies are. This is a basic way to provide security through obscurity, a technique that’s not considered safe at all for any serious purpose. And I knew this when I added these private-not-for-anybody-else-to-read feeds to my Bloglines account. I thought that there was a remote possibility that someone could find the URL and could see what I’m billing my clients, learn what DVDs I watch or find out what’s on my todo list. It seemed like a safe bet at the time.

The problem is that the privacy setting that keeps your Bloglines blogroll private has no bearing on the accessibility of your feed entries via the Bloglines blog search. In other words, all feeds entered into Bloglines are searchable and therefore readable by anybody. (Imagine my surprise when one of my friends located the URL for the RSS feed from my billing service and was able to see what I charge my clients.)

When I added these feeds, it was not obvious at all to me that Bloglines would make the content of my feeds publicly available. My assumption was that I’d be able to use the service without privacy leakage by selecting the option to keep my blogroll private.

So, I contacted the web-based invoicing company that I use and alerted them to the problem. They said they’d try to give me a new URL or block Bloglines from getting my feeds altogether. I bounced a few emails back and forth with them, but I’m not sure what they did in the end.

I also contacted 37signals to inform them that there are thousands of Tada lists viewable in Bloglines and I’m fairly sure that close to 0% of the feed owners know about this. I never heard back from them.

Of course, I also contacted Bloglines. They responded with this:

This is a problem on the feed publisher’s end. If these are private feeds they should be authenticated. We make an effort (though not a guarantee) to hide authenticated sites from the public. Marking a ‘subscription’ as ‘private’ doesn’t mean the ‘feed’ is no longer accessible to the public.

Their response confirms the problem that I’m describing here (except that they think it’s not their problem). And as an additional test, I just tried to add a feed that’s behind an HTTP-authenticated page on one of my servers, and Bloglines doesn’t appear to offer any support for authenticated feeds anyway.

Most private feeds rely on the hard-to-guess URL technique mentioned earlier. And if that’s what Bloglines is calling ‘authenticated’, then the only guarantee they appear to make is that the content of these private feeds is made public.
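The two publisher-side fixes discussed above, rotating a leaked secret URL and requiring real HTTP authentication on top of the token, as an added example that is not code from Bloglines, 37signals or the invoicing service. The user record, password and hypothetical some-service.com path layout are constructed for illustration; the token is compared in constant time, and once require_auth is on, a copy of the URL alone (for instance one held and indexed by an aggregator) no longer grants access.

```python
import base64
import hmac
import secrets
from urllib.parse import urlparse

# Constructed per-user records (hypothetical store): the secret URL token and
# the Basic-auth password. A real service would store a password hash.
FEED_USERS = {
    "phil": {"token": "9a8a1e2fb15021fae61f379b0eb8c65d", "password": "correct-horse"},
}

def new_feed_token() -> str:
    """Issue a fresh, non-sequential, unguessable token (128 bits of entropy)."""
    return secrets.token_hex(16)

def rotate_feed_url(user: str) -> str:
    """Revoke a leaked URL by replacing the user's token; returns the new URL."""
    FEED_USERS[user]["token"] = new_feed_token()
    return f"https://www.some-service.com/user/{user}/{FEED_USERS[user]['token']}"

def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value a feed reader would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def _basic_auth_ok(headers: dict, user: str) -> bool:
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        name, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return name == user and hmac.compare_digest(
        pw.encode(), FEED_USERS[user]["password"].encode())

def authorize_feed_request(url: str, headers: dict, require_auth: bool) -> bool:
    """Decide whether a fetch of /user/<name>/<token> may see private entries.
    With require_auth=False the URL is a bearer capability: anyone holding it
    (including an aggregator that republishes it) gets the content.
    With require_auth=True the token is only a locator; credentials are required."""
    parts = urlparse(url).path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "user" or parts[1] not in FEED_USERS:
        return False
    user, token = parts[1], parts[2]
    if not hmac.compare_digest(token.encode(), FEED_USERS[user]["token"].encode()):
        return False
    return _basic_auth_ok(headers, user) if require_auth else True
```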

In my view, Bloglines is at fault here. That they effectively make all feeds publicly available is not clear at all and, frankly, is something that they should stop doing.

But what fun can we have with this while Bloglines continues this braindead activity? Reading people’s Tadalists is great fun. Some samples:

  • Hilfiger underwear
  • Added: nice, big skillet (to hit John with. Not really)
  • Completed: finalize packet for reformed.org
  • Added: take shoes off when you come into the house you dirty bastard!
  • Added: root canal
  • Added: lose 50 pounds
  • Added: compare sept & oct pay stubs
  • Added: Get certified copy of driving record at DMV
  • Completed: Babysit @ 7-8:30
  • Added: replace tires - Merchants Tire (703) 525-5550
  • Completed: on tuesday, credit out the equipnet bill and resend it with carol’s new address
  • Completed: Get reprints of Honeymoon pictures

Clearly, the majority of the thousands of people affected by this are not intending for this stuff to be made available for the world to see. I’d like to see people lean on Bloglines to get this problem fixed. Please visit their contact page and voice your disapproval about this badly conceived feature on their site.