A Serious Bloglines Privacy Issue

By way of introduction, Bloglines is a web-based RSS aggregator. You give it the URLs of the feeds that you want to read and it displays them for you. It’s convenient, it works most of the time and it isn’t as bad as all the other web-based feed aggregators.

But there’s a problem with Bloglines. The problem is either a usability issue, a privacy issue or a PEBKAC issue depending on your point of view, but it’s a fairly material problem in all cases.

Each Bloglines user has an account. The account lets you set various options about how your feeds should be displayed, font sizes, your timezone and other related things. You also have the option to make your blogroll private or public:

[Screenshot: Bloglines privacy setting]

At first blush, this setting seems to mean “don’t let other people see what I’m reading”. But that’s not the case at all.

Like most people, I get RSS feeds by various interesting people that I like to read, Dilbert, news sources and the like. But I also have an RSS feed from a web-based invoicing service, my Netflix queue, and my Todo list. There’s nothing terribly interesting on any of these feeds, but it’s not the type of information that I would normally volunteer for public availability. Each of these feeds is referenced by a URL that looks like this:

http://www.some-service.com/user/phil/9a8a1e2fb15021fae61f379b0eb8c65d

The random string of characters at the end of the URL is a hashcode with the following characteristics:

  1. Non-sequential
  2. Hard to guess

If someone knows the URL of the feed, they can read the content therein and possibly find out what your favorite movies are. This is a basic way to provide security through obscurity, a technique that’s not considered safe at all for any serious purpose. And I knew this when I added these private-not-for-anybody-else-to-read feeds to my Bloglines account. I thought that there was a remote possibility that someone could find the URL and could see what I’m billing my clients, learn what DVDs I watch or find out what’s on my todo list. It seemed like a safe bet at the time.

The problem is that the privacy setting that keeps your Bloglines blogroll private has no bearing on the accessibility of your feed entries via the Bloglines blog search. In other words, all feeds entered into Bloglines are searchable and therefore readable by anybody. (Imagine my surprise when one of my friends located the URL for the RSS feed from my billing service and was able to see what I charge my clients).

When I added these feeds, it was not obvious at all to me that Bloglines would make the content of my feeds publicly available. My assumption was that I’d be able to use the service without privacy leakage by selecting the option to keep my blogroll private.

So, I contacted the web-based invoicing company that I use and alerted them to the problem. They said they’d try to give me a new URL or block Bloglines from getting my feeds altogether. I bounced a few emails back and forth with them, but I’m not sure what they did in the end.
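A publisher-side check for the exposure described above, as an added example that is not from the original post: it scans a web server access log for secret-token feed URLs fetched by a shared aggregator crawler, so those tokens can be rotated or moved behind HTTP authentication. The log format, the `/user/<name>/<token>` layout, the User-Agent match and the sample log lines are assumptions.

```python
import re
from collections import defaultdict

# Assumed URL layout, modelled on the post's example: /user/<name>/<32 hex chars>
SECRET_FEED = re.compile(r"^/user/([^/]+)/([0-9a-f]{32})$")
# Assumed User-Agent substrings identifying shared, server-side aggregators.
SHARED_AGGREGATORS = ("bloglines",)
# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "agent"
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)

def exposed_feeds(log_lines):
    """Return {(user, token): sorted aggregator names} for secret feed URLs
    that were successfully served to a shared aggregator crawler."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        _ip, _method, path, status, agent = m.groups()
        feed = SECRET_FEED.match(path.split("?", 1)[0])
        if not feed or status not in ("200", "304"):
            continue  # public path, or the content was never served
        for name in SHARED_AGGREGATORS:
            if name in agent.lower():
                hits[feed.groups()].add(name)
    return {key: sorted(names) for key, names in hits.items()}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /user/phil/9a8a1e2fb15021fae61f379b0eb8c65d HTTP/1.1" 200 5120 "-" "Bloglines/3.1 (http://www.bloglines.com; 1 subscriber)"',
    '198.51.100.4 - - [01/Jan/2024:10:05:00 +0000] "GET /user/alice/0123456789abcdef0123456789abcdef HTTP/1.1" 200 4096 "-" "DesktopReader/2.0"',
    '203.0.113.7 - - [01/Jan/2024:11:00:00 +0000] "GET /user/phil/9a8a1e2fb15021fae61f379b0eb8c65d HTTP/1.1" 304 - "-" "Bloglines/3.1 (http://www.bloglines.com; 1 subscriber)"',
    '203.0.113.7 - - [01/Jan/2024:11:30:00 +0000] "GET /user/bob/fedcba9876543210fedcba9876543210 HTTP/1.1" 404 312 "-" "Bloglines/3.1 (http://www.bloglines.com; 1 subscriber)"',
    '203.0.113.7 - - [01/Jan/2024:12:00:00 +0000] "GET /blog/rss.xml HTTP/1.1" 200 9000 "-" "Bloglines/3.1 (http://www.bloglines.com; 40 subscribers)"',
]

if __name__ == "__main__":
    for (user, token), seen_by in exposed_feeds(SAMPLE_LOG).items():
        print(f"rotate feed token for {user}: {token} (fetched by {', '.join(seen_by)})")
```

Any token this returns has been handed to a third-party service and should be treated as disclosed.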

I also contacted 37signals to inform them that there are thousands of Tada lists viewable in Bloglines and I’m fairly sure that close to 0% of the feed owners know about this. I never heard back from them.

Of course, I also contacted Bloglines. They responded with this:

This is a problem on the feed publisher’s end. If these are private feeds they should be authenticated. We make an effort (though not a guarantee) to hide authenticated sites from the public. Marking a ‘subscription’ as ‘private’ doesn’t mean the ‘feed’ is no longer accessible to the public.

Their response confirms the problem that I’m describing here (except that they think it’s not their problem). And as an additional test, I just tried to add a feed that’s behind an HTTP-authenticated page on one of my servers and Bloglines doesn’t appear to offer any support for authenticated feeds, anyway.

Most private feeds rely on the hard-to-guess URL technique mentioned earlier. And if that’s what Bloglines is calling ‘authenticated’, then the only guarantee that they appear to make is that the content of these private feeds is made public.

In my view, Bloglines is at fault here. That they effectively make all feeds publicly available is not clear at all and, frankly, is something that they should stop doing.

But what fun can we have with this while Bloglines continues this braindead activity? Reading people’s Tadalists is great fun. Some samples:

  • Hilfiger underwear
  • Added: nice, big skillet (to hit John with. Not really)
  • Completed: finalize packet for reformed.org
  • Added: take shoes off when you come into the house you dirty bastard!
  • Added: root canal
  • Added: lose 50 pounds
  • Added: compare sept & oct pay stubs
  • Added: Get certified copy of driving record at DMV
  • Completed: Babysit @ 7-8:30
  • Added: replace tires – Merchants Tire (703) 525-5550
  • Completed: on tuesday, credit out the equipnet bill and resend it with carol’s new address
  • Completed: Get reprints of Honeymoon pictures

Clearly, the majority of the thousands of people affected by this are not intending for this stuff to be made available for the world to see. I’d like to see people lean on Bloglines to get this problem fixed. Please visit their contact page and voice your disapproval about this badly conceived feature on their site.

9 thoughts on “A Serious Bloglines Privacy Issue”

  1. They seem to take a very ‘architecture of the web’ position on this, which is their right. It is not Bloglines’ job to guess which public URLs are not really meant to be public. Too many useful features (and a big part of their value as a company) rely on being able to share public URLs (related blogs discovery, etc). At fault here are the companies that made these feeds public. There is no way to rely on these URLs staying private with proxies, log file analyzers, etc. 37 signals has demonstrated their understanding of standards when they had to be clued in to the meaning of idempotent after they raised a stink over GWA. It is quite saddening that we seem to have to relearn web architecture for every novel use of HTTP. A couple years back, it was all the /secret urls that showed up in Google queries, now it is the rediscovery of HTTP authentication in the context of feeds.

  2. The problem is that Bloglines misleads users into thinking that these added feeds are private. If they didn’t make the content searchable by default, this wouldn’t be the issue that it is.

  3. Paul,

    Thanks for the additional info. But the issue here isn’t the lack of a UI for authenticated feeds. The issue is that the privacy setting in the account settings page is misleading in the sense that it doesn’t make clear the fact that all feeds provided to Bloglines are going to be made publicly available via the search mechanism. I see two solutions:

    1) Give me the ability to mark a feed as ‘private’ (which really means sort-of-private through obscurity as Gregor explains) so that it doesn’t appear in the Bloglines search results

    2) Disable Bloglines search altogether

    phil.
