Change in SmugMug URLs for better privacy

BaldyBaldy Registered Users, Super Moderators Posts: 2,853 moderator
edited February 23, 2008 in SmugMug Support
Some of you have been reading the debate in the blogosphere about SmugMug URLs to private images being too easily guessable. The blogs were not written by our customers, but they do make some good points. We've received a few dozen emails in response and they tend to fall into 3 camps:

1. Leave it as is. Your URLs are short and simple. Don't use GUIDs and mess your URLs up by having strings that look like:

3F2504E0-4F89-11D3-9A0C-0305E82C3301

in them.

2. The problem is SmugMug's choice of words. You should say "unlisted" or "hidden", not "private."

3. Can't you do something simpler than a long GUID so your URLs don't get so messed up but they're harder to guess?

So here's a proposal:

What if we were to add 6 characters--an underscore and 5 alpha-numeric characters to each URL? They would then end in something that looked like _hyqpb.jpg. That would mean up to 60,000,000 guesses per image.

This would apply to images going forward, public or private. For the 250,000,000 images on the site now, in order to give them a new URL, you'd have to move them to a new gallery. The downside is their new URLs would break any links to them right now that you have in forums or blogs.

Is this solution reasonable? If not, can you tell us why? Any other ideas?

Does this fit your definition of privacy? I have an email in my box from a customer who loves us but is shocked that we would think any image that can be seen by any other person could be considered private. In other words, when he marks a gallery as private, giving the URL to a friend would not enable them to get into the gallery. Anyone else feel that it should work that way?

Thanks for your feedback. We'd like to think this through and get it right but we don't want much time to pass either.

Thanks,
Baldy
«1345

Comments

  • richpepprichpepp Registered Users Posts: 360 Major grins
    edited January 30, 2008
    Baldy wrote:
    So here's a proposal:

    What if we were to add 6 characters, an underscore and 5 alpha-numeric characters to each URL? They would then end in something that looked like _hyqpb.jpg. That would mean up to 60,000,000 guesses per image.

    That seems like a nice idea to me. I also don't like the GUID idea as then we end up going down the TinyURL route which removes benefit of using our own domain name (photos.miseast.org/...).

    I love the granularity of the security settings and have completely understood what 'private' meant but I can also see that with 5 different switches the number of options may be a little overwhelming for folks just arriving. Maybe you could also have a 'Quick Security' drop down box with just a couple of options that set the other switches up: e.g. 'Only people I invite with the password (most secure)', 'Anyone who knows the link to the gallery can see the pictures (less secure but simpler)', 'Everyone can see my photos but can't get the originals'. Clearly these aren't all of the possible options but the idea is not to iterate all of the possible options - just to give a small easily understood subset.

    Rich
  • scwalterscwalter Registered Users Posts: 417 Major grins
    edited January 30, 2008
    I think smugmug provides all the tools needed to protect photos and I don't want super long URLs. In my opinion, it boils down to users not really understanding the choices. Guessing photo numbers for a private gallery only works if external linking is available, right?

    One way to make sure people don't miss the choices is to combine them into one choice for "security". Currently there are quite a few choices there and most poeple probably don't understand the implications of all of them. I propose you combine the private, external linking fields into a drop-down list with the options:

    - Public/Direct Links Allowed
    - Public/Direct Links Prohibited
    - Unlisted/Direct Links Allowed
    - Unlisted/Direct Links Prohibited

    and then explain how even on an unlisted gallery with direct links enabled, people could still get to your photos. You could even included password in the list too, but then it becomes 8 choices.

    -Scott
    Scott Walter Photography
    scwalter.smugmug.com
  • wellmanwellman Registered Users Posts: 961 Major grins
    edited January 30, 2008
    I agree with scwalter that your main issue is one of education. Despite the fact that most folks understand exactly what your definition of "Private" is, that word alone probably gives too secure a connotation to someone not reading the details.

    My suggestion would be a very well-thought-out tweak to the security settings UI and verbage.

    As for the GUIDs... Seems like a good idea, too. The current system is simple enough, but it's not like I'm typing out or trying to remember URLs or image IDs. Copy and pasting a URL isn't going to get any more complicated by adding 6 characters. (The proposal of applying this to new/moved images is a good one.)

    Thanks for your openness, your calm, and your solicitations for feedback. You guys all did a great job of not turning this thing into a torchfest.
  • rainforest1155rainforest1155 Registered Users Posts: 4,566 Major grins
    edited January 30, 2008
    scwalter wrote:
    I think smugmug provides all the tools needed to protect photos and I don't want super long URLs. In my opinion, it boils down to users not really understanding the choices. Guessing photo numbers for a private gallery only works if external linking is available, right?
    Keep in mind that the external links option doesn't prevent people from directly accessing image IDs. On popular request, years back, external linking keeps images only from showing up if a link is clicking on another site or forum, like Dgrin. If there is no referrer page (the link has been copied to the browser address bar) or if the referrer is blocked by some firewall software, people will be able to see photos with external linking turned off.

    Sebastian
    Sebastian
    SmugMug Support Hero
  • mhilbushmhilbush Registered Users Posts: 70 Big grins
    edited January 30, 2008
    The short, simple URL is one of the small, but important features of Smugmug. I like it the way it is.

    I believe this is primarily a terminology problem. Among the existing privacy options (private, password protection, external linking), I feel you already give me enough tools to manage the protection of my photos. IMO, adding more options will increase the combinations of the settings, and probably complicate things even further. If I really want to lock down my photos, can't I just make them private and password protected?

    Having said that, I would tend agree that "private" might be a poor choice of terms, and perhaps you should consider renaming it. Aside from that, I would leave things alone.

    Mark
    Mark
  • corbosmancorbosman Registered Users Posts: 54 Big grins
    edited January 30, 2008
    The truth to this whole discussion lies in the middle. Sure, it's partly a matter of words. Make it easier to understand what the different options are. Im quite computer literate but I sometimes get confused by the options as well. I like the words 'hidden' and 'protected' myself.

    But I do think the original blog had a point that it is just slightly too easy to walk the image tree this way. A little too easy for comfort. It's just a matter of time before we'll indeed see some large zip with lots of private unprotected images on bittorrent. Try and explain that with a straight face to the person in your inbox Baldy. Thats a discussion Smugmug can't possibly win. Even if they are somewhat correct in that you cant get a specific image, that may not be the point of this as MySpace recently found out.

    I think SM has no choice but to add some kind of extra characters. You cant just ignore this issue because there is a large imbalance in the consequences of this issue. People that think their images are truly private, say nude pictures of themselves, face severe consequences through exposure. While adding a few extra chars hurts almost no one to the same effect.

    Personally I dont mind if SM uses GUIDs. I dont really understand why people get so worked up about URLs. It's not like you have to remember them. Maybe SM could somehow combine GUID with a non-hacky way to beautify your URLs. But if there is really that much resistance to GUID, 5 extra characters would work for me.

    Or I have a totally different option. Allow people to add to the basic URL with their own selection. A small text box like:

    http://uwimages.smugmug.com/gallery/3988206[_fill in yourself with a max of X] to become http://uwimages.smugmug.com/gallery/3988206_underwater.

    That way, you could give every single existing URL that option, but make it empty. People can opt to fill it in, to change the URL to that specific gallery without having to copy all images to a new gallery. I would say that is MUCH harder to brute force than a pre-defined string.

    Cor
  • denisegoldbergdenisegoldberg Administrators Posts: 14,382 moderator
    edited January 30, 2008
    I also prefer the current url structure. I want people to be able to easily find my galleries.

    I agree with Scott that the problem is the use of the word private. I like his suggestions (above). And it seems to me that people who really want to hide their world should be using smugislands.

    My vote? Leave the url structure as is and change the use of the word "private".

    Also - I link to my photos extensively, so I also agree that you shouldn't change the existing URLs unless the owner of the gallery indicates that they should be changed.

    --- Denise
  • cmasoncmason Registered Users Posts: 2,506 Major grins
    edited January 30, 2008
    I think whatever URL you provide is fine by me, since I just cut and paste or email them to friends and family. Wouldn't notice one way or the other what it is.

    I would like to comment that I believe a small bit of the problem is that the settings and configurations for this stuff are 1) skattered and 2) waaayyy too cute. You guys provide tons of good features, but then put them all over the config panels (better now with new panels), but also obscure them in funky words like 'smug islands' and 'hello world' etc. I mean I am all for having fun, but WTF do those mean? Why not use plain english when it comes to critical privacy settings, so we don't have to go use the Smugmug interpretation bible whenever we want to protect something? Put the cute elsewhere.
  • georgesgeorges Registered Users Posts: 138 Major grins
    edited January 30, 2008
    much ado about...
    First and foremost, this is a terminology problem. I do like the idea of changing private to unlisted.

    Second - Please don't make extremely long urls. When I post a link to a single picture in a forum, or send a link to a friend, the urls are already too long. Once the url wraps to more than one line, many email readers don't handle the link properly. The is especially a problem when a wrapped link is in the quoted part of message thread.

    As for tinyurl? Personnaly, I never click on tinyurls. I like to know where I'm going.
    See you later, gs

    http://georgesphotos.net
  • olegosolegos Registered Users Posts: 94 Big grins
    edited January 30, 2008
    I disagree that this is terminology or user education or arranging options problem (although the options are confusing -- it's non-trivial that password protecting a gallery doesn't password protect the images in it, but this is secondary). The main problem, as is clearly described in the blogs, is being able to access private photos by iterating URLs, and this has to be fixed. There is NO benefit to us in having the URLs be numeric and sequential as they are. The proposed solution is fine with me, as is using GUIDs. I would only prefer that URLs stay under 80 characters long, so they don't start getting broken by some mail clients.

    By the way, with this issue getting attention and many people trying it out for themselves, I believe one of my private galleries has been accessed: the stats show 1 access to medium size for every photo, with no accesses to thumbnails or any other sizes. I've changed all my private galleries to also hide owner (although there may still be identifying info in the photos themselves, or in the comments) for now, but I'm waiting for a real solution. I'm also very troubled by the reports that fully protected photos, in password protected galleries and no external links, can be accessed (the contest image). Looking forward to this issue getting fixed too, and explanation of the details afterwards.
  • DJ-S1DJ-S1 Registered Users Posts: 2,303 Major grins
    edited January 30, 2008
    As for embarassing nude photos being found and posted online, isn't nudity prohibited on Smugmug anyway?

    I personally don't care what the URL is, it doesn't affect me in the least. To Georges: Every email product I know of allows you to paste links into clickable text, like this. That eliminates any problem with super long links not working properly in emails.

    I have to agree that the terminology is one of the big problems here. The word "private" means something very specific in Smugmug, and I think it is explained very well. However, if people don't read/don't understand/don't remember this then what happens? Obviously the person thinks that the standard Websters definition applies.

    I would change the security gui a bit; maybe a "no protect", "medium protect" and "max protect" option for simple use and still have the total granularity available for advanced users?

    Right now you have 6 main options, and so you have what, 64 possible settings? (It's been a long time since high schoolrolleyes1.gif) I'm pretty comfortable with the settings and even I'm not sure what level of security happens when I have:

    Public=no
    Hello World=no
    Hello Smuggers=yes
    ext. links=no
    protected=no
    hide owner=yes

    Exactly how locked down is that gallery? headscratch.gif

    As I'm typing this I also realized that setting the first 4 of those options to "no" makes the gallery more secure, but the reverse is true for the last 2 settings. Maybe they should all be one way; set everything to "no" and it's the most secure?

    Just my thoughts - I'm very confident you folks will figure out the best solution for all concerned. thumb.gif
  • hurricanestevehurricanesteve Registered Users Posts: 36 Big grins
    edited January 30, 2008
    1) As a non-pro member, I don't have income riding on this issue, but I can imagine how I would feel if a 12-year old with Firefox download manager sucked all my photos out of a private gallery without having been given a single bit of information from me.

    2) I agree with others that terminology is the enemy here. From my experience, especially in a multi-lingual global marketplace, you will never find a single set of terms/phrases that will appropriately describe the behavior. I have noticed in the blog entries, and in these messages here, a sense of "EVERYONE INTERPRETS THE WORD 'PRIVACY/UNLISTED/WHATEVER' IN THE SAME WAY I DO." Ah, if only.

    2a) I humbly suggest a use-case based description of what each setting will and will not allow. Please include best and worst case scenarios to the best of your knowledge. Choose whatever terminology/descriptor you like. Think about describing the behavior of three 'users': I) Smugmug gallery owner, II) a person you want to view your photo(s), and III) a 'bad guy' who would like to steal/share your photo.

    2b) Just as a final comment, SM's current terminology and descriptions are confusing to me. (I am a casual user. I am a native English speaker. I have had computers in my life since the age of 10. I have a graduate degree. I am in the tech industry. I am under 40.)

    3) GUIDs are good. An option to turn on/off GUIDs for a gallery would be ideal from a user perspective. Users who still want the old linking/easy iteration can keep it. Those of us who dislike the easy access can shut it down. I don't know anything about SM's limitations from a structural standpoint, so weigh it against your costs. To revisit point 2, not everyone will understand what a GUID is, so use-case based descriptions will be necessary.
  • digitalpinsdigitalpins Registered Users Posts: 448 Major grins
    edited January 30, 2008
    I also prefer the current url structure. I want people to be able to easily find my galleries.

    --- Denise

    I agree I like things the way they are

    Maybe newbies dont understand that private (or by clicking NO option by the public setting) really means that they are still open for anyone to view but someone would have to know your url.

    DJ-S1 wrote:
    I would change the security gui a bit; maybe a "no protect", "medium protect" and "max protect" option for simple use and still have the total granularity available for advanced users?

    Right now you have 6 main options, and so you have what, 64 possible settings? (It's been a long time since high school) I'm pretty comfortable with the settings and even I'm not sure what level of security happens when I have:

    Public=no
    Hello World=no
    Hello Smuggers=yes
    ext. links=no
    protected=no
    hide owner=yes

    I also agree here with this above.... maybe these three "no protect", "medium protect" and "max protect" may help, because maybe those 6 options we have to select now could be a bit confusing to newbies
    www.lamontphotography.com
    Canon 60D
    Canon Rebel XTi (400)
    Canon 10-22mm, Canon 50mm f/1.8 II
    MacBook, MacPro
  • olegosolegos Registered Users Posts: 94 Big grins
    edited January 30, 2008
    I also prefer the current url structure. I want people to be able to easily find my galleries.
    I agree I like things the way they are
    I don't understand this. Do you really expect people to find your galleries by typing random numbers into URLs? What visitors do you think you're getting that you wouldn't get with a different URL scheme?
  • denisegoldbergdenisegoldberg Administrators Posts: 14,382 moderator
    edited January 30, 2008
    olegos wrote:
    I don't understand this. Do you really expect people to find your galleries by typing random numbers into URLs? What visitors do you think you're getting that you wouldn't get with a different URL scheme?
    You're probably right - I was thinking about the ability to access a category without a guid attached to it.

    And I certainly don't want links to existing photos to change; I link to my photos from my blog and from other places on the web as well. Broken links would not make me happy.

    I also have a hard time believing that adding another number onto a generated album or photo id would improve things at all. Changing the word "private" to reflect the english word for what private does today in smug makes more sense to me.

    --- Denise
  • mleemlee Registered Users Posts: 104 Major grins
    edited January 30, 2008
    I don't have a problem with the way things are now--there are options to do almost everything to make your photos secure and changing to GUIDs or even adding a random string is going to cause more headache for everyone involved. The shorter/easier to link URL the better, IMHO.

    When I first signed up a year ago, there was a bit of a learning curve when it came to figuring out what the different terminology meant, but after I understood it made perfect sense. I agree with changing the terminology to potentially ease that learning curve, but it really makes no difference to me today.
  • olegosolegos Registered Users Posts: 94 Big grins
    edited January 30, 2008
    mlee wrote:
    I don't have a problem with the way things are now--there are options to do almost everything to make your photos secure and changing to GUIDs or even adding a random string is going to cause more headache for everyone involved. The shorter/easier to link URL the better, IMHO.

    When I first signed up a year ago, there was a bit of a learning curve when it came to figuring out what the different terminology meant, but after I understood it made perfect sense. I agree with changing the terminology to potentially ease that learning curve, but it really makes no difference to me today.
    mlee, you're not making much sense. There is no option to make your photos inaccessible by simply iterating a number in the URL, which is the issue being raised -- unless you turn off all external links, making them also unlinkable directly from your blogs and emails as well -- and as I understand it's not bulletproof anyway and has been circumvented.

    Then you go on saying that the existing options make perfect sense, but you still wouldn't mind having them changed -- while at the same time it sounds like you oppose changing the last component of the URL, which has no effect on user interface, learning curve, understandability of options, etc.
  • mleemlee Registered Users Posts: 104 Major grins
    edited January 30, 2008
    olegos wrote:
    mlee, you're not making much sense. There is no option to make your photos inaccessible by simply iterating a number in the URL, which is the issue being raised -- unless you turn off all external links, making them also unlinkable directly from your blogs and emails as well -- and as I understand it's not bulletproof anyway and has been circumvented.

    Then you go on saying that the existing options make perfect sense, but you still wouldn't mind having them changed -- while at the same time it sounds like you oppose changing the last component of the URL, which has no effect on user interface, learning curve, understandability of options, etc.

    olegos, I'm not understanding you. If you want your photos completely private, why wouldn't you turn off all external links? When you set your galleries to allow external linking, you're making them available.

    Also, as you allude, I said nothing about changing the existing options, rather changing the terminology.
  • BaldyBaldy Registered Users, Super Moderators Posts: 2,853 moderator
    edited January 30, 2008
    olegos wrote:
    The main problem, as is clearly described in the blogs, is being able to access private photos by iterating URLs, and this has to be fixed.
    I feel this way too. I think the majority opinion is to leave the URLs simple, as they are today. But it would only take one person and an embarrassing photo to generate a very bad situation. In most cases, we try to please the majority but this looks like a case where we shouldn't go down that road.

    I've also become jittery about the word private. There are many dictionary definitions, but this one resonates:

    Not open or accessible to the general public: a private beach.

    There are many ways your private URLs could become public without changing your settings. If you publish your private link in a dgrin post, for example, Google will index it and people will see your photos.

    Unlisted is more like your phone, no? You can make sure you don't list it, but you know that if the number gets out people can call it. Isn't that clearer?

    We're not ignoring what you're saying in this thread, we think it's great. My inclination from what I've read so far is to add the 6 characters to every URL to make them incredibly hard to guess but not make them insanely long like a GUID would do. And to refer to private photos/galleries as unlisted.

    No decisions have been made so if we're being bone-headed, set us straight.

    Thanks,
    Baldy
  • cmasoncmason Registered Users Posts: 2,506 Major grins
    edited January 30, 2008
    "unlisted' maybe parochial...makes sense to us Americans, but chances are they call 'unlisted' phone numbers something else in other parts of the world.

    just saying.....
  • BaldyBaldy Registered Users, Super Moderators Posts: 2,853 moderator
    edited January 30, 2008
    mlee wrote:
    olegos, I'm not understanding you. If you want your photos completely private, why wouldn't you turn off all external links?
    We have kept the options of external linking and privacy separate by popular demand.

    You may have a gallery you don't want people to discover on your SmugMug pages but you do want to post some of the photos in the gallery to a forum. There are many reasons why someone might want to do that. For example, some guy on my motorcycle forum came up with a great Photoshop of one of our most popular members. We didn't want him to know who dunnit, so we placed it in a private gallery with links turned on:

    gdoggut.jpg
  • hurricanestevehurricanesteve Registered Users Posts: 36 Big grins
    edited January 30, 2008
    cmason wrote:
    "unlisted' maybe parochial...makes sense to us Americans, but chances are they call 'unlisted' phone numbers something else in other parts of the world.

    just saying.....

    this echoes my comments also. The terms are arbitrary (but prone to misunderstanding regardless of which way you go, ie listed/unlisted is just as bad as public/private), it's the functionality of each setting that matters...which precise use-case descriptions would give.

    You'd be better off just having LEVEL I, LEVEL II, LEVEL III, etc of privacy. Following interface design standards to meet 80% of your user-population's understanding with additional, advanced tools/settings for the power-users is where I would go based on my cursory understanding of Cooper-style analysis.
  • olegosolegos Registered Users Posts: 94 Big grins
    edited January 30, 2008
    mlee wrote:
    olegos, I'm not understanding you. If you want your photos completely private, why wouldn't you turn off all external links? When you set your galleries to allow external linking, you're making them available.
    I want to make them available only to those who I e-mail a direct link to, and nobody else (in practical terms).

    Baldy, I think the source of the problem is that the image (and gallery) ID is numeric AND sequential. Leaving the URL the same length as now, but having the ID be a random sequence of upper and lowercase letters and numbers (maybe increase the length by two or three characters for future growth) would make the situation very much better than it is now, probably good enough, while not making the URLs much "worse" for those who care.
  • mhilbushmhilbush Registered Users Posts: 70 Big grins
    edited January 30, 2008
    olegos wrote:
    Baldy, I think the source of the problem is that the image (and gallery) ID is numeric AND sequential. Leaving the URL the same length as now, but having the ID be a random sequence of upper and lowercase letters and numbers (maybe increase the length by two or three characters for future growth) would make the situation very much better than it is now, probably good enough, while not making the URLs much "worse" for those who care.
    I would tend to agree with olegos. If you maintain the format of the URL, and replace the sequential numerics with randomized alphanumerics, I think you will retain the existing URL simplicity, while making it more difficult to mine images. Using alphanumerics in the identifiers will actually increase the available namespace for images, so you may not need to increase the length much, if at all. Having said that, it will still be possible for a determined individual to mine images. The degree to which this is possible may depend on the ability of SM to quickly "see" and respond to this type of activity.

    Mark
    Mark
  • BaldyBaldy Registered Users, Super Moderators Posts: 2,853 moderator
    edited January 30, 2008
    Baldy wrote:
    If you publish your private link in a dgrin post, for example, Google will index it and people will see your photos.
    I hate to disagree, Baldy, because I like your style but that statement isn't correct.

    If you violate your privacy settings by placing a link to a gallery or image in a forum, we tell Google not to index it.

    While Google behaves honorably when you tell them not to index something, your mileage may vary with evil spammer pedophiles.
  • DavidTODavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited January 30, 2008
    My vote is to leave the URLs and behavior as is, and change the name of it to be more clear. What it should be called I am still undecided on.
    Moderator Emeritus
    Dgrin FAQ | Me | Workshops
  • wellmanwellman Registered Users Posts: 961 Major grins
    edited January 30, 2008
    Baldy wrote:
    My inclination from what I've read so far is to add the 6 characters to every URL to make them incredibly hard to guess but not make them insanely long like a GUID would do. And to refer to private photos/galleries as unlisted.

    Sounds like a winner to me.
  • darryldarryl Registered Users Posts: 997 Major grins
    edited January 30, 2008
    Just skimmed this thread. I tend to agree that it's more a nomenclature/language issue than anything. "Private" isn't exactly the right term. But "Obfuscated" or "Hard to find" doesn't have the right ring to it either.

    I posted about this here, so in case you were wondering how this all started, and SmugMug's response here's the links:

    http://blogoscoped.com/archive/2008-01-28-n59.html
    http://blogs.smugmug.com/don/2008/01/28/your-private-photos-are-still-private/
    http://blogs.smugmug.com/don/2008/01/28/first-two-security-winners/

    As I commented on Don's last post, I really would love a little transparency into the "hacks" used to win the prize. Especially if the holes have now been fixed.

    I've known about the CNAME redirect for awhile, but never really considered it a bug, since I actually am looking for a way to *find this information*.

    Anyways, interesting stuff though. I'm bummed I missed my chance to make some money!
  • olegosolegos Registered Users Posts: 94 Big grins
    edited January 30, 2008
    DavidTO wrote:
    My vote is to leave the URLs and behavior as is, and change the name of it to be more clear. What it should be called I am still undecided on.
    You're right. Let's just change the option to say "Make photos available to anyone who decides to increment the number in a URL, and those you send a link to", so that it's clear what it's doing (the other choice being "Public"). And the problem's solved, right?
  • olegosolegos Registered Users Posts: 94 Big grins
    edited January 30, 2008
    To those who think the current setup is fine and it's just a matter of terminology, consider this.

    Say I see someone's public vacation photos. I suspect that there may be more photos from there, that the person is sharing with their familiy, but not the world. So I write a quick script to go over URLs with IDs in that vicinity, and can even automatically pre-filter the results based on say EXIF info. How likely do you think I'm to discover photos I'm not supposed to be seing?

    I don't even need to search over the whole namespace, as Don's blog posts imply. If approximate time of the photos is known, the search space gets a lot smaller. Regardless of terminology, this is WRONG.
Sign In or Register to comment.