Change in SmugMug URLs for better privacy

[Baldy]

Some of you have been reading the debate in the blogosphere about SmugMug URLs to private images being too easily guessable. The blogs were not written by our customers, but they do make some good points. We've received a few dozen emails in response and they tend to fall into 3 camps:

1. Leave it as is. Your URLs are short and simple. Don't use GUIDs and mess your URLs up by having strings that look like:

3F2504E0-4F89-11D3-9A0C-0305E82C3301

in them.

2. The problem is SmugMug's choice of words. You should say "unlisted" or "hidden", not "private."

3. Can't you do something simpler than a long GUID so your URLs don't get so messed up but they're harder to guess?

So here's a proposal:

What if we were to add 6 characters--an underscore and 5 alpha-numeric characters to each URL? They would then end in something that looked like _hyqpb.jpg. That would mean up to 60,000,000 guesses per image.

This would apply to images going forward, public or private. For the 250,000,000 images on the site now, in order to give them a new URL, you'd have to move them to a new gallery. The downside is their new URLs would break any links to them right now that you have in forums or blogs.

Is this solution reasonable? If not, can you tell us why? Any other ideas?

Does this fit your definition of privacy? I have an email in my box from a customer who loves us but is shocked that we would think any image that can be seen by any other person could be considered private. In other words, when he marks a gallery as private, giving the URL to a friend would not enable them to get into the gallery. Anyone else feel that it should work that way?

Thanks for your feedback. We'd like to think this through and get it right but we don't want much time to pass either.

Thanks,
Baldy

[richpepp]

Quote:

Originally Posted by Baldy

So here's a proposal:

What if we were to add 6 characters, an underscore and 5 alpha-numeric characters to each URL? They would then end in something that looked like _hyqpb.jpg. That would mean up to 60,000,000 guesses per image.

That seems like a nice idea to me. I also don't like the GUID idea as then we end up going down the TinyURL route which removes benefit of using our own domain name (photos.miseast.org/...).

I love the granularity of the security settings and have completely understood what 'private' meant but I can also see that with 5 different switches the number of options may be a little overwhelming for folks just arriving. Maybe you could also have a 'Quick Security' drop down box with just a couple of options that set the other switches up: e.g. 'Only people I invite with the password (most secure)', 'Anyone who knows the link to the gallery can see the pictures (less secure but simpler)', 'Everyone can see my photos but can't get the originals'. Clearly these aren't all of the possible options but the idea is not to iterate all of the possible options - just to give a small easily understood subset.

Rich

[scwalter]

I think smugmug provides all the tools needed to protect photos and I don't want super long URLs. In my opinion, it boils down to users not really understanding the choices. Guessing photo numbers for a private gallery only works if external linking is available, right?

One way to make sure people don't miss the choices is to combine them into one choice for "security". Currently there are quite a few choices there and most poeple probably don't understand the implications of all of them. I propose you combine the private, external linking fields into a drop-down list with the options:

- Public/Direct Links Allowed
- Public/Direct Links Prohibited
- Unlisted/Direct Links Allowed
- Unlisted/Direct Links Prohibited

and then explain how even on an unlisted gallery with direct links enabled, people could still get to your photos. You could even included password in the list too, but then it becomes 8 choices.

-Scott

[wellman]

I agree with scwalter that your main issue is one of education. Despite the fact that most folks understand exactly what your definition of "Private" is, that word alone probably gives too secure a connotation to someone not reading the details.

My suggestion would be a very well-thought-out tweak to the security settings UI and verbage.

As for the GUIDs... Seems like a good idea, too. The current system is simple enough, but it's not like I'm typing out or trying to remember URLs or image IDs. Copy and pasting a URL isn't going to get any more complicated by adding 6 characters. (The proposal of applying this to new/moved images is a good one.)

Thanks for your openness, your calm, and your solicitations for feedback. You guys all did a great job of not turning this thing into a torchfest.

[rainforest1155]

Quote:

Originally Posted by scwalter

I think smugmug provides all the tools needed to protect photos and I don't want super long URLs. In my opinion, it boils down to users not really understanding the choices. Guessing photo numbers for a private gallery only works if external linking is available, right?

Keep in mind that the external links option doesn't prevent people from directly accessing image IDs. On popular request, years back, external linking keeps images only from showing up if a link is clicking on another site or forum, like Dgrin. If there is no referrer page (the link has been copied to the browser address bar) or if the referrer is blocked by some firewall software, people will be able to see photos with external linking turned off.

Sebastian

[mhilbush]

The short, simple URL is one of the small, but important features of Smugmug. I like it the way it is.

I believe this is primarily a terminology problem. Among the existing privacy options (private, password protection, external linking), I feel you already give me enough tools to manage the protection of my photos. IMO, adding more options will increase the combinations of the settings, and probably complicate things even further. If I really want to lock down my photos, can't I just make them private and password protected?

Having said that, I would tend agree that "private" might be a poor choice of terms, and perhaps you should consider renaming it. Aside from that, I would leave things alone.

Mark

[corbosman]

The truth to this whole discussion lies in the middle. Sure, it's partly a matter of words. Make it easier to understand what the different options are. Im quite computer literate but I sometimes get confused by the options as well. I like the words 'hidden' and 'protected' myself.

But I do think the original blog had a point that it is just slightly too easy to walk the image tree this way. A little too easy for comfort. It's just a matter of time before we'll indeed see some large zip with lots of private unprotected images on bittorrent. Try and explain that with a straight face to the person in your inbox Baldy. Thats a discussion Smugmug can't possibly win. Even if they are somewhat correct in that you cant get a specific image, that may not be the point of this as MySpace recently found out.

I think SM has no choice but to add some kind of extra characters. You cant just ignore this issue because there is a large imbalance in the consequences of this issue. People that think their images are truly private, say nude pictures of themselves, face severe consequences through exposure. While adding a few extra chars hurts almost no one to the same effect.

Personally I dont mind if SM uses GUIDs. I dont really understand why people get so worked up about URLs. It's not like you have to remember them. Maybe SM could somehow combine GUID with a non-hacky way to beautify your URLs. But if there is really that much resistance to GUID, 5 extra characters would work for me.

Or I have a totally different option. Allow people to add to the basic URL with their own selection. A small text box like:

http://uwimages.smugmug.com/gallery/3988206[_fill in yourself with a max of X] to become http://uwimages.smugmug.com/gallery/3988206_underwater.

That way, you could give every single existing URL that option, but make it empty. People can opt to fill it in, to change the URL to that specific gallery without having to copy all images to a new gallery. I would say that is MUCH harder to brute force than a pre-defined string.

Cor

[denisegoldberg]

I also prefer the current url structure. I want people to be able to easily find my galleries.

I agree with Scott that the problem is the use of the word private. I like his suggestions (above). And it seems to me that people who really want to hide their world should be using smugislands.

My vote? Leave the url structure as is and change the use of the word "private".

Also - I link to my photos extensively, so I also agree that you shouldn't change the existing URLs unless the owner of the gallery indicates that they should be changed.

--- Denise

[cmason]

I think whatever URL you provide is fine by me, since I just cut and paste or email them to friends and family. Wouldn't notice one way or the other what it is.

I would like to comment that I believe a small bit of the problem is that the settings and configurations for this stuff are 1) skattered and 2) waaayyy too cute. You guys provide tons of good features, but then put them all over the config panels (better now with new panels), but also obscure them in funky words like 'smug islands' and 'hello world' etc. I mean I am all for having fun, but WTF do those mean? Why not use plain english when it comes to critical privacy settings, so we don't have to go use the Smugmug interpretation bible whenever we want to protect something? Put the cute elsewhere.

[georges]

First and foremost, this is a terminology problem. I do like the idea of changing private to unlisted.

Second - Please don't make extremely long urls. When I post a link to a single picture in a forum, or send a link to a friend, the urls are already too long. Once the url wraps to more than one line, many email readers don't handle the link properly. The is especially a problem when a wrapped link is in the quoted part of message thread.

As for tinyurl? Personnaly, I never click on tinyurls. I like to know where I'm going.