GOOGLE PHOTOS IS SENDING YOUR PRIVATE SHARES PUBLIC AND YOU DON’T EVEN KNOW IT.
Researcher Robert Wiblin over at 80,000 Hours spotted something quite interesting about Google Photos recently. He noticed that privately shared links became publicly accessible. He told some friends who use Google Photos and they didn’t believe him. After all, why would Google allow such an oversight? Surely if you’re sharing privately with a specific person, then only that person can see it, right?
Apparently not. After doing a little digging, Robert was able to demonstrate that these privately shared links are publicly accessible from any Google account, or even if you’re not logged into Google at all – as shown when he was able to access a “private” shared link from an Incognito browser window.
Robert details the complete issue in a post over on Medium. About the video above,
One would expect Google Photos to work the same way as Google Drive, given that until recently, the two were intrinsically linked. But that is not so. The behaviour we expect, and the behaviour Google Drive shows, is not what happens in Google Photos. The instant you share your private photo with anybody, anybody else who can get hold of the URL is able to view it.
So, whereas Google Drive operates private shares in a similar fashion to “Private” videos on YouTube, Google Photos appears to be more like YouTube’s “Unlisted” videos, which are accessible to anybody with the link.
This method of operation isn’t inherently bad, but the problem is that Google Photos does not warn people that anybody with this link will be able to view the images. The intended recipient of the link also doesn’t know that anybody can view it. They assume it’s a private share for their eyes only, and don’t think to censor the link if they forward the conversation to somebody else.
And by default, these links stick around forever until you explicitly go and delete the share.
For photographers, sending what we think is a private link to a client might only make for a few embarrassing moments, but depending on what those images contain, exposing private client images to the world might be illegal.
So, photographers, if you really want to share private images with your clients, or even your friends and colleagues, don’t use Google Photos.
You can read more about the problem over on Robert’s Medium post.