Comments on: Forgetful Flickr

By: Eric Meyer

Eric Meyer — Fri, 11 Aug 2006 07:40:20 +0000

Derek: Wait, so you’re telling me that this behavior a core feature of Flickr, and not just a limitation born of not having worked on authenticated RSS feeds? Because it seems very strange that photos I can see on a web page don’t show up in an RSS feed of what’s on that page. (And when the wise man posted that, he was talking about core features of a system.)

Okay, so I get that there are extra security concerns with feeds than there are with viewing pages, but I still don’t see how that can be regarded as a “feature”. Unless it’s a feature to force users to the Flickr site every now and again, just to see if there’s something their RSS feed has failed to inform them they can see.

Could the feed at least say that there’s a private photo available, without including said image the actual feed, so that we know when to go look?

By: Derek Powazek

Derek Powazek — Fri, 11 Aug 2006 01:25:44 +0000

Making photos private means keeping them out of public view. As a wise man recently posted: “Accept it and move on, or reject it and walk away, but don”t waste your time complaining about it.”

I consider having my private photos kept out of RSS a feature, not a bug.

By: Meriblog: Meri Williams’ Weblog » links for 2006-08-02

Meriblog: Meri Williams’ Weblog » links for 2006-08-02 — Thu, 03 Aug 2006 08:07:41 +0000

[...] Bloglines | News Cool — looks like Bloglines are taking on feed access control head-on, which I’m sure Eric might be pleased to here. Now we just need the Flickr guys to make the same change (tags: flickr rss privacy photos) [...]

By: Eric Meyer

Eric Meyer — Thu, 06 Jul 2006 15:29:00 +0000

I never said that I don’t really care about privacy. I said that I understand that placing photos on a server is already a privacy risk, and using a random-token obscurity approach didn’t seem a huge additional risk. However, Drew pointed out something I hadn’t considered regarding multi-user aggregators, so I have a different point of view now.

I’m totally happy with an https solution. Many RSS clients support username/password combinations over https connections, so it’s something Flickr could offer– in other words, the part of the problem that Flickr can resolve hasn’t been resolved, whereas the other half has been.

By: Isaac Lin

Isaac Lin — Thu, 06 Jul 2006 15:17:12 +0000

It would be misleading for Flickr to provide a half-baked privacy solution, so I disagree with just using randomly generated URLs as a “security through obscurity” solution.

If you don’t really care about privacy, then wouldn’t it be sufficient to leave the photos as public, but to tag it with some kind of FamilyAndFriends tag? (Flickr could help automate the application of this tag.)

Both your and Jeffrey’s suggestions about having private information available through an RSS feed falls into the trap of thinking of RSS as a push delivery method. With its current design, though, the RSS clients would have to support authentication (say, an HTTPS connection with your Flickr password stored in the RSS client). So it isn’t something solely under the control of Flickr to resolve.

By: Drew McLellan

Drew McLellan — Tue, 04 Jul 2006 11:48:43 +0000

One issue with using unguessable tokens in the URL is that multi-user aggregators often share feeds amongst their users in order to prevent multiple fetches of the same content. Therefore its possible that a ‘secret’ feed is presented as an option to users for whom it was never intended.

Plus, ultimately any URL that you’re requesting once an hour and is being sent clear over the wire and logged in dozens of log files along the way is no secret at all.

By: outbreak » The little bumps of the first time user (written on July 3rd, 2006 by Marko Mrdjenovic)

Sun, 02 Jul 2006 22:23:17 +0000

[...] On a side note, there seems to be a lot going on about Flickr. I haven’t really used it ever, but I’m doing it while writing this – I’ve been trying to get around to posting my pics from @media for some time now. [...]

By: Meriblog: Meri Williams’ Weblog » links for 2006-06-29

Meriblog: Meri Williams’ Weblog » links for 2006-06-29 — Fri, 30 Jun 2006 08:01:21 +0000

[...] Eric’s Archived Thoughts: Forgetful Flickr Wouldn’t it be wonderful if just the simple desire to be able to see friend’s and families’ photos in Flickr RSS feeds stimulated the Flickr team (who we all know design shit-hot stuff) to solve the problem of secure syndication? (tags: rss flickr design webdevelopment webapplications) [...]

By: Aristotle Pagaltzis

Aristotle Pagaltzis — Thu, 29 Jun 2006 03:02:16 +0000

LiveJournal already does this well. If you subscribe to an LJ feed, you get only the person”s public posts. But you can subscribe to a feed with ?auth=digest added to the URL, which requires you to supply an LJ account and password as HTTP credentials. When you poll such a feed it will contains all the items you could see if you visited the associated journal while logged into the account whose details you”ve provided.

It”s a no-brainer, really.

By: BenJ

BenJ — Thu, 29 Jun 2006 03:02:02 +0000

Another solution might be separate feeds (or the same feed, for that matter) that provide a notice of private activity, letting you click through to authenticate and see whatever it is. Not quite as nice as the actual content, but better than nothing.

By: Porter

Porter — Wed, 28 Jun 2006 21:33:04 +0000

This has bothered me, too, but authentication is indeed the problem, as Dave points out. A possible solution would be to allow friends & family to see a different RSS URL that contained an "unguessable" token, which is good enough security for posting photos via email (unless you're Jeremy). But of course, that doesn't address handling people who you revoke "friendship" for still being subscribed to your secret feed, so you'd need a different token for each person that could be revoked if you changed their contact status...

By: Edward

Edward — Wed, 28 Jun 2006 21:29:37 +0000

As Dave has already said, RSS security isn’t particularly, well, existent. You can actually grab RSS feeds for anybody you want by checking out their ID in their Photostream feed and plugging that into the structure for the Recent Activity/Comments Made feed.

I’ve actually appreciated that Flickr doesn’t put those into the feeds.

Right on with the added tag thing, though. That’s something which would be nice to be able to keep a track of.

By: Dave S.

Dave S. — Wed, 28 Jun 2006 20:41:50 +0000

I don’t know about you, but if I mark a photo friends or contacts only, I don’t want the rest of the world to see it. On-site authentication prevents that from happening, but as far as I know, RSS security is still an oxymoron.

Above and beyond HTTPS authentication — which doesn’t work universally amongst RSS readers — the only other method of actually keeping a feed private is a unique, non-guessable URL. But that smacks of security through obscurity, and I’m not inclined to trust private photos and comments to a method like that.

So, I agree with their current practice, at least in relation to RSS.