Thursday, October 29, 2009

A Private Blog May Not Be Completely Private

We've known for a while that private blogs have limitations, such as latency.

If you originally publish your blog as public, and later make it private, cached copies of the blog will be all over the Internet, for anybody to read, after it's supposedly private.

This week, we see another, possibly more serious limitation.

Why was my coworker able to read my very private, personal, password protected blog yesterday? I had it set to "Blog Author Only" and yet she found it and was able to read the whole thing.

It has never, ever been public. I started it last September and set the permissions to "blog author only" at the start for all posts. I have never invited anyone else to read it...and have never, ever logged into it at work.

Occasionally, while using a dialup connection, I've had occasion to load a private blog.

As the blog loads, the browser enumerates the various components of the blog, such as various pictures loading, in the browser status area (generally, the lower left border of the browser window). The interstitial notice ("This blog is open to invited readers only. It doesn't look like you have been invited to read this blog. If you think this is a mistake, you might want to contact the blog author and request an invitation.") seems to come up well after the blog main page contents have loaded.

If you are surfing from a network which uses a caching proxy server, it's possible that one person who has permission could properly load the blog in their browser. With the blog having been loaded once, the proxy server may not load the interstitial page again. Anyone else on the network could later view the blog without the interstitial page - even if they do not, supposedly, have permission to do so.
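Whether a proxy can replay a page to a second user depends on whether the response was storable by a shared cache in the first place. As an added example (not from the original post and not Blogger's code), this Python function applies a simplified form of the HTTP storage rules in RFC 9111, section 3, to a response's headers; the header values used are constructed samples, not captured from Blogger.

```python
# Added example: simplified shared-cache storage check (RFC 9111, section 3).
# Header values passed in below are constructed samples, not Blogger traffic.

# Status codes a cache may store heuristically when no directives are present.
HEURISTIC_STATUS = {200, 203, 204, 300, 301, 308, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """Return {directive: argument-or-None} with lower-cased directive names."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def shared_cache_may_store(status, headers, request_had_authorization=False):
    """Decide whether a shared cache (e.g. an office proxy) may store a response.

    headers: dict of response header name -> value. Returns (may_store, reason).
    Simplification: any "private" directive is treated as blocking, even the
    qualified form that names specific header fields.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return False, "no-store forbids storing"
    if "private" in cc:
        return False, "private limits the response to the user's own browser"
    allows_auth = any(d in cc for d in ("public", "s-maxage", "must-revalidate"))
    if request_had_authorization and not allows_auth:
        return False, "request carried Authorization and nothing permits sharing"
    if any(d in cc for d in ("public", "s-maxage", "max-age")) or "expires" in h:
        return True, "explicit directive or freshness lifetime"
    if status in HEURISTIC_STATUS:
        return True, "no directives, but the status is heuristically cacheable"
    return False, "nothing makes the response cacheable"


if __name__ == "__main__":
    # A cookie-authenticated page sent without cache directives (constructed).
    print(shared_cache_may_store(200, {"Content-Type": "text/html"}))
    # The same page marked for the reader's browser only (constructed).
    print(shared_cache_may_store(200, {"Cache-Control": "private, max-age=0"}))
```

The Authorization exception does not help a site that identifies readers by cookie: to the proxy, such a request looks like any other, so only the response's own directives keep it out of the shared cache.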

If your Blogger profile is part of your public blogs, or people link to your profile while surfing profiles, and your private blog is listed as one of your blogs, someone may click on the link, and may get a view of the blog.

A second problem comes when you invite people as members of your blog. The invitation goes to specific people, who are free to forward the invitation to their other email accounts, and even to the email addresses of their friends. You may invite one person, and you may see a dozen persons later reading the blog. This may even account for a known discrepancy with the 100 member limit.

These security deficiencies are not ones that you can control. You have no way of denying anybody access to your profile, if it's published publicly. Nor can you stop people who you invite to your blog, from forwarding the invitation to their friends.

If you want to keep your blog private, it would be a good idea to at least remove it from the list of your blogs, in your profile.


2 comments:

Susan said...

You name your posts extremely well! It's a mini table of contents.

Dudel said...

Quick Note: People who want things private to remain private should NOT put them online.