A Private Blog May Not Be Completely Private

We've known for a while that private blogs have limitations, such as latency.

If you originally publish your blog as public, and later make it private, cached copies of the blog will be all over the Internet, for anybody to read, after it's supposedly private. This week, we see another, possibly more serious limitation.

Why was my coworker able to read my very private, personal, password protected blog yesterday? I had it set to "Blog Author Only" and yet she found it and was able to read the whole thing.

It has never, ever been public. I started it last September and set the permissions to "blog author only" at the start for all posts. I have never invited anyone else to read it...and have never, ever logged into it at work.

The private blog interstitial may not be loaded, for any would-be reader, for several reasons.

The private blog interstitial won't be loaded, before every access to the blog.

People with blog content cached locally - either on their computer, or their network - won't always require Blogger server access, when a blog page is displayed. Some visitor logs will detect blog access, even when cached content is retrieved - and even when the private blog interstitial is not involved.

Some readers may inadvertently provide access to other network users.

Occasionally, while using slow Internet access, I might load a private blog.

As the blog loads, the browser identifies the various components of the blog, such as various pictures loading, in the browser status area. An odd interstitial notice might be seen.

This blog is open to invited readers only

It doesn't look like you have been invited to read this blog. If you think this is a mistake, you might want to contact the blog author and request an invitation.

This might come up well after the blog main page contents have loaded.

If you are surfing from a network which uses a caching proxy server, it's possible that one person who has permission could properly load the blog in their browser. With the blog having been loaded once, the proxy server may not load the interstitial page again. Anyone else on the network could later view the blog without the interstitial page - even if they do not, supposedly, have permission to do so.
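
The shared-proxy scenario above, modelled as an added example (not part of the original post, and not Blogger's or any real proxy's code): a toy cache keyed on URL alone, run once with a cacheable response and once with `Cache-Control: private, no-store`. The user names, URL and header values are constructed assumptions; which headers Blogger actually sends is not stated on this page.

```python
# Added illustration: toy model of a shared caching proxy. All names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Origin:
    """Constructed origin: serves the post to invited readers, the interstitial to others."""
    invited: set
    cache_control: str  # header the origin attaches to the private page (assumed value)
    hits: int = 0       # how many requests actually reached the origin

    def fetch(self, user):
        self.hits += 1
        body = "PRIVATE POST" if user in self.invited else "INTERSTITIAL: invited readers only"
        return {"Cache-Control": self.cache_control}, body


def shared_cache_may_store(headers):
    """Simplified RFC 9111 rule: a shared cache must not store 'private' or 'no-store' responses."""
    directives = {d.strip().split("=")[0].lower()
                  for d in headers.get("Cache-Control", "").split(",") if d.strip()}
    return not ({"private", "no-store"} & directives)


@dataclass
class SharedProxy:
    origin: Origin
    store: dict = field(default_factory=dict)  # keyed by URL only, never by user

    def get(self, url, user):
        if url in self.store:   # cache hit: the origin never learns who is asking
            return self.store[url]
        headers, body = self.origin.fetch(user)
        if shared_cache_may_store(headers):
            self.store[url] = body
        return body


def simulate(cache_control):
    """An invited reader loads the page first, then an uninvited coworker on the same network."""
    proxy = SharedProxy(Origin(invited={"alice"}, cache_control=cache_control))
    url = "https://blog.example/private-post"  # placeholder URL
    first = proxy.get(url, "alice")
    second = proxy.get(url, "coworker")
    return first, second, proxy.origin.hits
```

With a cacheable response the second reader is served from the proxy and the origin sees one request; with `private, no-store` both requests reach the origin and the permission check runs each time.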

If your Blogger profile is part of your public blogs, or people link to your profile while surfing profiles, and your private blog is listed as one of your blogs, someone may click on the link, and may get a view of the blog.

Invited readers may intentionally share their recently received invitations.

A second problem comes when you invite people as members of your blog. The invitation goes to specific people, who are free to forward the invitation to their other email accounts, and even to the email addresses of their friends. You may invite one person, and you may see a dozen persons later reading the blog. This may even account for a known discrepancy with the 100 member limit.

These security deficiencies are not ones that you can control. You have no way of denying anybody access to your profile, if it's published publicly. Nor can you stop people who you invite to your blog, from forwarding the invitation to their friends.

If you want to keep your blog private, it would be a good idea to at least remove it from the list of your blogs, in your profile.

Private blogs are not immune to referer spam.

Some entries in some visitor logs might make us think that unauthorised people are reading a private blog. Referer spam is not blocked by the private blog interstitial - since referer spam does not involve actual blog access.

As previously stated, visitor logs are not 100% accurate.

These various issues contribute more reasons why no visitor meter will ever be 100% accurate.

Comments

Susan said…
You name your posts extremely well! It's a mini table of contents.
Dudel said…
Quick Note: People who want things private to remain private should NOT put them online.