Change in SmugMug URLs for better privacy

[Baldy]

Some of you have been reading the debate in the blogosphere about SmugMug URLs to private images being too easily guessable. The blogs were not written by our customers, but they do make some good points. We've received a few dozen emails in response and they tend to fall into 3 camps:

1. Leave it as is. Your URLs are short and simple. Don't use GUIDs and mess your URLs up by having strings that look like:

3F2504E0-4F89-11D3-9A0C-0305E82C3301

in them.

2. The problem is SmugMug's choice of words. You should say "unlisted" or "hidden", not "private."

3. Can't you do something simpler than a long GUID so your URLs don't get so messed up but they're harder to guess?

So here's a proposal:

What if we were to add 6 characters--an underscore and 5 alpha-numeric characters to each URL? They would then end in something that looked like _hyqpb.jpg. That would mean up to 60,000,000 guesses per image.

This would apply to images going forward, public or private. For the 250,000,000 images on the site now, in order to give them a new URL, you'd have to move them to a new gallery. The downside is their new URLs would break any links to them right now that you have in forums or blogs.

Is this solution reasonable? If not, can you tell us why? Any other ideas?

Does this fit your definition of privacy? I have an email in my box from a customer who loves us but is shocked that we would think any image that can be seen by any other person could be considered private. In other words, when he marks a gallery as private, giving the URL to a friend would not enable them to get into the gallery. Anyone else feel that it should work that way?

Thanks for your feedback. We'd like to think this through and get it right but we don't want much time to pass either.

Thanks,
Baldy

[richpepp]

Quote:

Originally Posted by Baldy

So here's a proposal:

What if we were to add 6 characters, an underscore and 5 alpha-numeric characters to each URL? They would then end in something that looked like _hyqpb.jpg. That would mean up to 60,000,000 guesses per image.

That seems like a nice idea to me. I also don't like the GUID idea as then we end up going down the TinyURL route which removes benefit of using our own domain name (photos.miseast.org/...).

I love the granularity of the security settings and have completely understood what 'private' meant but I can also see that with 5 different switches the number of options may be a little overwhelming for folks just arriving. Maybe you could also have a 'Quick Security' drop down box with just a couple of options that set the other switches up: e.g. 'Only people I invite with the password (most secure)', 'Anyone who knows the link to the gallery can see the pictures (less secure but simpler)', 'Everyone can see my photos but can't get the originals'. Clearly these aren't all of the possible options but the idea is not to iterate all of the possible options - just to give a small easily understood subset.

Rich

[scwalter]

I think smugmug provides all the tools needed to protect photos and I don't want super long URLs. In my opinion, it boils down to users not really understanding the choices. Guessing photo numbers for a private gallery only works if external linking is available, right?

One way to make sure people don't miss the choices is to combine them into one choice for "security". Currently there are quite a few choices there and most poeple probably don't understand the implications of all of them. I propose you combine the private, external linking fields into a drop-down list with the options:

- Public/Direct Links Allowed
- Public/Direct Links Prohibited
- Unlisted/Direct Links Allowed
- Unlisted/Direct Links Prohibited

and then explain how even on an unlisted gallery with direct links enabled, people could still get to your photos. You could even included password in the list too, but then it becomes 8 choices.

-Scott

[wellman]

I agree with scwalter that your main issue is one of education. Despite the fact that most folks understand exactly what your definition of "Private" is, that word alone probably gives too secure a connotation to someone not reading the details.

My suggestion would be a very well-thought-out tweak to the security settings UI and verbage.

As for the GUIDs... Seems like a good idea, too. The current system is simple enough, but it's not like I'm typing out or trying to remember URLs or image IDs. Copy and pasting a URL isn't going to get any more complicated by adding 6 characters. (The proposal of applying this to new/moved images is a good one.)

Thanks for your openness, your calm, and your solicitations for feedback. You guys all did a great job of not turning this thing into a torchfest.

[rainforest1155]

Quote:

Originally Posted by scwalter

I think smugmug provides all the tools needed to protect photos and I don't want super long URLs. In my opinion, it boils down to users not really understanding the choices. Guessing photo numbers for a private gallery only works if external linking is available, right?

Keep in mind that the external links option doesn't prevent people from directly accessing image IDs. On popular request, years back, external linking keeps images only from showing up if a link is clicking on another site or forum, like Dgrin. If there is no referrer page (the link has been copied to the browser address bar) or if the referrer is blocked by some firewall software, people will be able to see photos with external linking turned off.

Sebastian

[mhilbush]

The short, simple URL is one of the small, but important features of Smugmug. I like it the way it is.

I believe this is primarily a terminology problem. Among the existing privacy options (private, password protection, external linking), I feel you already give me enough tools to manage the protection of my photos. IMO, adding more options will increase the combinations of the settings, and probably complicate things even further. If I really want to lock down my photos, can't I just make them private and password protected?

Having said that, I would tend agree that "private" might be a poor choice of terms, and perhaps you should consider renaming it. Aside from that, I would leave things alone.

Mark

[corbosman]

The truth to this whole discussion lies in the middle. Sure, it's partly a matter of words. Make it easier to understand what the different options are. Im quite computer literate but I sometimes get confused by the options as well. I like the words 'hidden' and 'protected' myself.

But I do think the original blog had a point that it is just slightly too easy to walk the image tree this way. A little too easy for comfort. It's just a matter of time before we'll indeed see some large zip with lots of private unprotected images on bittorrent. Try and explain that with a straight face to the person in your inbox Baldy. Thats a discussion Smugmug can't possibly win. Even if they are somewhat correct in that you cant get a specific image, that may not be the point of this as MySpace recently found out.

I think SM has no choice but to add some kind of extra characters. You cant just ignore this issue because there is a large imbalance in the consequences of this issue. People that think their images are truly private, say nude pictures of themselves, face severe consequences through exposure. While adding a few extra chars hurts almost no one to the same effect.

Personally I dont mind if SM uses GUIDs. I dont really understand why people get so worked up about URLs. It's not like you have to remember them. Maybe SM could somehow combine GUID with a non-hacky way to beautify your URLs. But if there is really that much resistance to GUID, 5 extra characters would work for me.

Or I have a totally different option. Allow people to add to the basic URL with their own selection. A small text box like:

http://uwimages.smugmug.com/gallery/3988206[_fill in yourself with a max of X] to become http://uwimages.smugmug.com/gallery/3988206_underwater.

That way, you could give every single existing URL that option, but make it empty. People can opt to fill it in, to change the URL to that specific gallery without having to copy all images to a new gallery. I would say that is MUCH harder to brute force than a pre-defined string.

Cor

[denisegoldberg]

I also prefer the current url structure. I want people to be able to easily find my galleries.

I agree with Scott that the problem is the use of the word private. I like his suggestions (above). And it seems to me that people who really want to hide their world should be using smugislands.

My vote? Leave the url structure as is and change the use of the word "private".

Also - I link to my photos extensively, so I also agree that you shouldn't change the existing URLs unless the owner of the gallery indicates that they should be changed.

--- Denise

[cmason]

I think whatever URL you provide is fine by me, since I just cut and paste or email them to friends and family. Wouldn't notice one way or the other what it is.

I would like to comment that I believe a small bit of the problem is that the settings and configurations for this stuff are 1) skattered and 2) waaayyy too cute. You guys provide tons of good features, but then put them all over the config panels (better now with new panels), but also obscure them in funky words like 'smug islands' and 'hello world' etc. I mean I am all for having fun, but WTF do those mean? Why not use plain english when it comes to critical privacy settings, so we don't have to go use the Smugmug interpretation bible whenever we want to protect something? Put the cute elsewhere.

[georges]

First and foremost, this is a terminology problem. I do like the idea of changing private to unlisted.

Second - Please don't make extremely long urls. When I post a link to a single picture in a forum, or send a link to a friend, the urls are already too long. Once the url wraps to more than one line, many email readers don't handle the link properly. The is especially a problem when a wrapped link is in the quoted part of message thread.

As for tinyurl? Personnaly, I never click on tinyurls. I like to know where I'm going.

[olegos]

I disagree that this is terminology or user education or arranging options problem (although the options are confusing -- it's non-trivial that password protecting a gallery doesn't password protect the images in it, but this is secondary). The main problem, as is clearly described in the blogs, is being able to access private photos by iterating URLs, and this has to be fixed. There is NO benefit to us in having the URLs be numeric and sequential as they are. The proposed solution is fine with me, as is using GUIDs. I would only prefer that URLs stay under 80 characters long, so they don't start getting broken by some mail clients.

By the way, with this issue getting attention and many people trying it out for themselves, I believe one of my private galleries has been accessed: the stats show 1 access to medium size for every photo, with no accesses to thumbnails or any other sizes. I've changed all my private galleries to also hide owner (although there may still be identifying info in the photos themselves, or in the comments) for now, but I'm waiting for a real solution. I'm also very troubled by the reports that fully protected photos, in password protected galleries and no external links, can be accessed (the contest image). Looking forward to this issue getting fixed too, and explanation of the details afterwards.

[DJ-S1]

As for embarassing nude photos being found and posted online, isn't nudity prohibited on Smugmug anyway?

I personally don't care what the URL is, it doesn't affect me in the least. To Georges: Every email product I know of allows you to paste links into clickable text, like this. That eliminates any problem with super long links not working properly in emails.

I have to agree that the terminology is one of the big problems here. The word "private" means something very specific in Smugmug, and I think it is explained very well. However, if people don't read/don't understand/don't remember this then what happens? Obviously the person thinks that the standard Websters definition applies.

I would change the security gui a bit; maybe a "no protect", "medium protect" and "max protect" option for simple use and still have the total granularity available for advanced users?

Right now you have 6 main options, and so you have what, 64 possible settings? (It's been a long time since high school) I'm pretty comfortable with the settings and even I'm not sure what level of security happens when I have:

Public=no
Hello World=no
Hello Smuggers=yes
ext. links=no
protected=no
hide owner=yes

Exactly how locked down is that gallery?

As I'm typing this I also realized that setting the first 4 of those options to "no" makes the gallery more secure, but the reverse is true for the last 2 settings. Maybe they should all be one way; set everything to "no" and it's the most secure?

Just my thoughts - I'm very confident you folks will figure out the best solution for all concerned.

[hurricanesteve]

1) As a non-pro member, I don't have income riding on this issue, but I can imagine how I would feel if a 12-year old with Firefox download manager sucked all my photos out of a private gallery without having been given a single bit of information from me.

2) I agree with others that terminology is the enemy here. From my experience, especially in a multi-lingual global marketplace, you will never find a single set of terms/phrases that will appropriately describe the behavior. I have noticed in the blog entries, and in these messages here, a sense of "EVERYONE INTERPRETS THE WORD 'PRIVACY/UNLISTED/WHATEVER' IN THE SAME WAY I DO." Ah, if only.

2a) I humbly suggest a use-case based description of what each setting will and will not allow. Please include best and worst case scenarios to the best of your knowledge. Choose whatever terminology/descriptor you like. Think about describing the behavior of three 'users': I) Smugmug gallery owner, II) a person you want to view your photo(s), and III) a 'bad guy' who would like to steal/share your photo.

2b) Just as a final comment, SM's current terminology and descriptions are confusing to me. (I am a casual user. I am a native English speaker. I have had computers in my life since the age of 10. I have a graduate degree. I am in the tech industry. I am under 40.)

3) GUIDs are good. An option to turn on/off GUIDs for a gallery would be ideal from a user perspective. Users who still want the old linking/easy iteration can keep it. Those of us who dislike the easy access can shut it down. I don't know anything about SM's limitations from a structural standpoint, so weigh it against your costs. To revisit point 2, not everyone will understand what a GUID is, so use-case based descriptions will be necessary.

[digitalpins]

Quote:

Originally Posted by denisegoldberg

I also prefer the current url structure. I want people to be able to easily find my galleries.

--- Denise

I agree I like things the way they are

Maybe newbies dont understand that private (or by clicking NO option by the public setting) really means that they are still open for anyone to view but someone would have to know your url.

Quote:

Originally Posted by DJ-S1

I would change the security gui a bit; maybe a "no protect", "medium protect" and "max protect" option for simple use and still have the total granularity available for advanced users?

Right now you have 6 main options, and so you have what, 64 possible settings? (It's been a long time since high school) I'm pretty comfortable with the settings and even I'm not sure what level of security happens when I have:

Public=no
Hello World=no
Hello Smuggers=yes
ext. links=no
protected=no
hide owner=yes

I also agree here with this above.... maybe these three "no protect", "medium protect" and "max protect" may help, because maybe those 6 options we have to select now could be a bit confusing to newbies

[olegos]

Quote:

Originally Posted by digitalpins

Quote:

I agree I like things the way they are

I don't understand this. Do you really expect people to find your galleries by typing random numbers into URLs? What visitors do you think you're getting that you wouldn't get with a different URL scheme?

[denisegoldberg]

Quote:

Originally Posted by olegos

I don't understand this. Do you really expect people to find your galleries by typing random numbers into URLs? What visitors do you think you're getting that you wouldn't get with a different URL scheme?

You're probably right - I was thinking about the ability to access a category without a guid attached to it.

And I certainly don't want links to existing photos to change; I link to my photos from my blog and from other places on the web as well. Broken links would not make me happy.

I also have a hard time believing that adding another number onto a generated album or photo id would improve things at all. Changing the word "private" to reflect the english word for what private does today in smug makes more sense to me.

--- Denise

[mlee]

I don't have a problem with the way things are now--there are options to do almost everything to make your photos secure and changing to GUIDs or even adding a random string is going to cause more headache for everyone involved. The shorter/easier to link URL the better, IMHO.

When I first signed up a year ago, there was a bit of a learning curve when it came to figuring out what the different terminology meant, but after I understood it made perfect sense. I agree with changing the terminology to potentially ease that learning curve, but it really makes no difference to me today.

[olegos]

Quote:

Originally Posted by mlee

I don't have a problem with the way things are now--there are options to do almost everything to make your photos secure and changing to GUIDs or even adding a random string is going to cause more headache for everyone involved. The shorter/easier to link URL the better, IMHO.

When I first signed up a year ago, there was a bit of a learning curve when it came to figuring out what the different terminology meant, but after I understood it made perfect sense. I agree with changing the terminology to potentially ease that learning curve, but it really makes no difference to me today.

mlee, you're not making much sense. There is no option to make your photos inaccessible by simply iterating a number in the URL, which is the issue being raised -- unless you turn off all external links, making them also unlinkable directly from your blogs and emails as well -- and as I understand it's not bulletproof anyway and has been circumvented.

Then you go on saying that the existing options make perfect sense, but you still wouldn't mind having them changed -- while at the same time it sounds like you oppose changing the last component of the URL, which has no effect on user interface, learning curve, understandability of options, etc.

[mlee]

Quote:

Originally Posted by olegos

mlee, you're not making much sense. There is no option to make your photos inaccessible by simply iterating a number in the URL, which is the issue being raised -- unless you turn off all external links, making them also unlinkable directly from your blogs and emails as well -- and as I understand it's not bulletproof anyway and has been circumvented.

Then you go on saying that the existing options make perfect sense, but you still wouldn't mind having them changed -- while at the same time it sounds like you oppose changing the last component of the URL, which has no effect on user interface, learning curve, understandability of options, etc.

olegos, I'm not understanding you. If you want your photos completely private, why wouldn't you turn off all external links? When you set your galleries to allow external linking, you're making them available.

Also, as you allude, I said nothing about changing the existing options, rather changing the terminology.

[Baldy]

Quote:

Originally Posted by olegos

The main problem, as is clearly described in the blogs, is being able to access private photos by iterating URLs, and this has to be fixed.

I feel this way too. I think the majority opinion is to leave the URLs simple, as they are today. But it would only take one person and an embarrassing photo to generate a very bad situation. In most cases, we try to please the majority but this looks like a case where we shouldn't go down that road.

I've also become jittery about the word private. There are many dictionary definitions, but this one resonates:

Not open or accessible to the general public: a private beach.

There are many ways your private URLs could become public without changing your settings. If you publish your private link in a dgrin post, for example, Google will index it and people will see your photos.

Unlisted is more like your phone, no? You can make sure you don't list it, but you know that if the number gets out people can call it. Isn't that clearer?

We're not ignoring what you're saying in this thread, we think it's great. My inclination from what I've read so far is to add the 6 characters to every URL to make them incredibly hard to guess but not make them insanely long like a GUID would do. And to refer to private photos/galleries as unlisted.

No decisions have been made so if we're being bone-headed, set us straight.

Thanks,
Baldy