The Google Docs anonymity hole



  • Normally Google Docs is a great tool for sharing and collaborating on documents, spreadsheets and slide presentations. But today I discovered one situation where it can be a problem: when you're trying to keep your Gmail-based identity separate from an identity that includes another e-mail address.

    Today I wanted to submit an assignment that I'd done in Docs, so I typed in the prof's e-mail -- jdoe@miskatonic.edu -- as a person to share it with. A moment later, the updated list of people allowed to view showed me and... jtdoe9@gmail.com. Prof. Doe had never told me he had a Gmail account, let alone what the address was, but now Google had!

    Sharing a document doesn't require solving a CAPTCHA or passing a spam filter, so I could have taken a list of non-Gmail addresses, shared a separate blank document with each of them, and gotten back a list of associated Gmail addresses.



  •  Wow i'd never noticed that...



  • So what? What does that help you, knowing the associated Gmail address?



  • @TheThing said:

    So what? What does that help you, knowing the associated Gmail address?

     

     

    I've got other non-gmail email addresses that forward to my gmail account, and i'd really rather not have my main gmail account displayed to someone who might try to share a doc with one of those other non-gmail addresses.  I'm looking through privacy settings to see if I can turn off this 'feature'



  • @CaptainCaveman said:

    @TheThing said:

    So what? What does that help you, knowing the associated Gmail address?

    I've got other non-gmail email addresses that forward to my gmail account, and i'd really rather not have my main gmail account displayed to someone who might try to share a doc with one of those other non-gmail addresses.  I'm looking through privacy settings to see if I can turn off this 'feature'

    Is the reason you don't like it because you want to be able to close/shut down the other non-gmail address when it starts accumilating too much junk?

     



  •  @TheThing said:

    Is the reason you don't like it because you want to be able to close/shut down the other non-gmail address when it starts accumilating too much junk?

     yes with a twist.  i tend to make pseudo random email addresses that I use on ecommerce sites, like my_amazon_stuff@freewebmailsite.tld or something like that, and only ever use that address for transactions on the same site (in this case amazon).  Eventually the email address will get sold off to spammers, and I let the original site know i don't appreciate it them selling off my email address, and either they fix the situation (really almost never happens) or i kill the account and start another. 

     



  • @Seahen said:

    Normally Google Docs is a great tool for sharing and collaborating on documents, spreadsheets and slide presentations. But today I discovered one situation where it can be a problem: when you're trying to keep your Gmail-based identity separate from an identity that includes another e-mail address.

    Today I wanted to submit an assignment that I'd done in Docs, so I typed in the prof's e-mail -- jdoe@miskatonic.edu 

    Miska-fuckin-tonic?  Don't you have bigger problems that google docs security holes?! 

    @Seahen said:

    -- as a person to share it with. A moment later, the updated list of people allowed to view showed me and... jtdoe9@gmail.com. Prof. Doe had never told me he had a Gmail account, let alone what the address was, but now Google had!

    Sharing a document doesn't require solving a CAPTCHA or passing a spam filter, so I could have taken a list of non-Gmail addresses, shared a separate blank document with each of them, and gotten back a list of associated Gmail addresses.

    But isn't this almost certainly because your prof made a conscious decision to link the two email addresses in his gmail or google docs prefs?




  •  Couldn't this have happened because he signed in with his gmail account when he went to view it?



  • This is the intended behavior see here:

    You need a google account to log edit a Doc so if the person has already linked their accounts why not just use it?



  •  @CaptainCaveman said:

    i tend to make pseudo random email addresses that I use on ecommerce sites, like my_amazon_stuff@freewebmailsite.tld or something like that, and only ever use that address for transactions on the same site (in this case amazon).

    Or you could just filter you+amazon@gmail.com into the trash when they do it...



  • @scgtrp said:

     @CaptainCaveman said:

    i tend to make pseudo random email addresses that I use on ecommerce sites, like my_amazon_stuff@freewebmailsite.tld or something like that, and only ever use that address for transactions on the same site (in this case amazon).

    Or you could just filter you+amazon@gmail.com into the trash when they do it...

    1. Not all sites accept + in an email address
    2. How hard is it for a spammer to drop the local part anyway?



  • @CaptainCaveman said:

    Eventually the email address will get sold off to spammers

    I've had a few surprising throw-away email addresses being sold off, including one I used to register Trend Micro.



  • @CaptainCaveman said:

     @TheThing said:

    Is the reason you don't like it because you want to be able to close/shut down the other non-gmail address when it starts accumilating too much junk?

     yes with a twist.  i tend to make pseudo random email addresses that I use on ecommerce sites, like my_amazon_stuff@freewebmailsite.tld or something like that, and only ever use that address for transactions on the same site (in this case amazon).  Eventually the email address will get sold off to spammers, and I let the original site know i don't appreciate it them selling off my email address, and either they fix the situation (really almost never happens) or i kill the account and start another. 

     

    I don't much like it when companies do that, but I came to the conclusion that it's probably more harmful to them to let them send me promotional junk and mark it as spam in Gmail's spam filter than to filter it straight to deletion. If reasonably large numbers of people mark a company's junk as spam, everything they send to everyone using Gmail's filtering service will be considered spam.



  • @davedavenotdavemaybedave said:

    I don't much like it when companies do that, but I came to the conclusion that it's probably more harmful to them to let them send me promotional junk and mark it as spam in Gmail's spam filter than to filter it straight to deletion. If reasonably large numbers of people mark a company's junk as spam, everything they send to everyone using Gmail's filtering service will be considered spam.
     

    So... spammers get marked as spam, where's the problem? 😃 If a company is sending junk (even if it's not technically advertising, etc) it's spam, they don't need to. People don't want it. 



  • @EJ_ said:

    If a company is sending junk (even if it's not technically advertising, etc) it's spam, they don't need to. People don't want it. 
     

    I think you might be drawing the Spam line a little too far this side of proper advertising.

    Of course, "if it's junk, [...] people don't want it". That's an information-free tautology. Good job arguing.



  • Somewhat related:

     @[url=http://www.buzzclassaction.com/faq#Q1]BuzzClassAction.com[/url] said:

    On February 9, 2010, Google launched Buzz, a social networking
    program. The Plaintiffs allege that Google automatically enrolled Gmail
    users in Buzz, and that Buzz publicly exposed data, including users’
    most frequent Gmail contacts, without enough user consent. The Action
    alleges that Google violated (i) the Electronic Communications Privacy
    Act, 18 U.S.C. §2510 et seq; (ii) the Stored Communications Act, 18 U.S.C. §2701 et seq; (iii) the Computer Fraud and Abuse Act, 18 U.S.C. §1030 et seq;
    (iv) the common law tort of Public Disclosure of Private Facts as
    recognized by California common law; and (v) the California Unfair
    Competition Law, California Business & Professions Code §17200.
    Google denies the accuracy of Plaintiffs’ allegations and denies that it
    violated any law or caused any harm by the launch of Google Buzz.

    Nice job, Google, sharing every Gmailers'  information and getting yourself sued.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.