Evil Elf or Sneaky Bloglines?
I thought Library Elf was cool, despite the discussions on HorizonL.
This popped up in my Bloglines today, and after reading that there were over 200 Elf records accessible, I did the search listed in the article.
LibraryLaw Blog: Breaking Discovery - Library Elf blasts a giant hole through privacy - and why I terminated my account
I was shocked that my elf account was one of the ones listed!
My email address was listed, along with links for other people to subscribe to my elf feed, and links that took you right to my current elf record, listing items out & holds.
Yes, I had added it to Bloglines. I had it marked as a “private” feed. As Bloglines states “private subs don’t show up in blogrolls.” I had no intention for y’all to be able to see what I have on hold or checked out.
I think it is a major problem that Bloglines still indexes the feeds we mark as private, and I could not find this information anywhere on their website.
Jenny Levine commented on the original post:
I hope someone more technical than me will come along and leave a comment, but I’m pretty sure this is an issue with RSS, not Elf. It’s an education issue that if you put any private feed in a public aggregator, anyone will be able to read that feed. The only patron feeds you should be able to read in Bloglines are the ones users have manually added, and the same would hold true for any feed coming from a library catalog or database.
Count me educated now.
I admit, this is the first I’ve heard of the so-called Bloglines “private” feeds being searchable. Why aren’t private feeds protected from the spiders?
Wondering, though: are Hennepin County’s RSS patron account feeds searchable if the patron adds them to their Bloglines account? The demos I saw at CODI used Bloglines, but they talked about how they didn’t display the patron PIN and all the efforts they made to make it secure.
Glenn P., care to comment?

“private subs don’t show up in blogrolls”
That just means that Bloglines won’t show that you subscribe to it, not that it’s not indexed in the wider engine. I do think they need to do a better job of explaining this, but I think it might be difficult for them to index the feed and let you search it in “your blogs” while it is marked private. I’m not a programmer, but I just have to wonder what thousands of private feeds do to the load on the system when it’s trying to figure out what you can and can’t search.
This is a major reason I usually say in my presentations that we’re still in the first generation of aggregators. In 2006, I think we’ll start seeing more options for private aggregators for password-protected or confidential feeds. Even something like Dino (Newsgator at the server level) would still give your organization access to your patron feed, so probably the best option is to run a desktop client if you can. Of course, that negates the benefit of being able to access it from anywhere, but you have to decide what’s most important in an aggregator for you.
Comment on 28 December 2005 @ 0654
[…] Mary discovered something very interesting yesterday about putting your Library Elf feed into Bloglines… we can all see it. When she did a search for Library Elf in Bloglines under “all blogs,” she found over 200 people’s personal feeds where you could see their e-mail address, what they have out, what they have on hold, and what library they use. YIKES! I tried it out and was easily able to see what a number of my friends subscribed to Library Elf were reading. Creepy. According to Kelli Staley, even making the feed private doesn’t matter, because it still will show up in the search. All making your feed private does is keep it out of your blogroll. It will still be listed in Bloglines’ database of feeds. All the “private” thing is for is if you subscribe to a blog that you don’t want people to know you subscribe to. If you really want information like this to be private, put it in a desktop aggregator. Frankly, I feel uncomfortable giving my library log-in info to a third party, even for the sake of saving time. Since Mary’s post, Library Elf has warned its users (in the FAQ) about Bloglines, but how many people really read an FAQ unless they are having real problems? They really should have a warning smack dab on the front page if they are concerned about privacy. I’m no feed expert, but is there any way Library Elf could generate these feeds where so much personal info isn’t showing? Like don’t tie a person’s name and e-mail address to the feed, but give it a unique number. It still sucks that people can see what other people are reading, but it’s less meaningful to see what #593832 is reading as opposed to seeing what Bob Jones is reading. […]
Pingback on 28 December 2005 @ 1424
I posted a more general reply to Mary’s concerns about Elf. Specifically re: Hennepin’s implementation, we discovered the Bloglines issue shortly after we started offering feeds of patron data and changed the way we publish our feeds as a result. We publish only the patron’s first and middle name(s) in their feed. The URL for the feed does not include the patron’s barcode, PIN, email or any other identifying information. It only contains a random “token”. We connect the token with the patron borrower information on our servers to publish the feed, but the token cannot be used to gain access to any other patron information. The same scheme is being employed by Seattle and Ann Arbor.
Comment on 28 December 2005 @ 1505
We’re just beta testing our RSS library account feeds, and I’m using a similar technique to Glenn’s: the RSS feed URL contains a salted hash that’s generated from the borrower ID, barcode and PIN. So if any of those three values change, the borrower will need to log back into their HIP account to get the new URL for their feed.
We’re also going to give the user a RSS options page. On this page they’ll be able to select what kind of information appears in the feed — e.g. do they just want alerts (fines, overdues, etc) or full details of their account (books on loan, requests, etc). They’ll also be able to choose if they want any personal info to appear in the feed (e.g. their name).
The default options will essentially give an anonymous feed with no personal information shown.
When I first saw Talis’ RSS demo (Project Bluebird), I did wonder if they would run into this problem with Bloglines…
www.bloglines.com/search?t=1&r=0&q=”Library%20Alerts”
…from what I understand of the Talis system, the RSS feed includes links to log you straight into the user’s account - yoinks!
Comment on 28 December 2005 @ 1628
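As an added illustration of the two feed-URL designs described in the comments above (Glenn’s random server-side token, and the HIP beta’s token derived from borrower ID, barcode and PIN, with an options page that defaults to an anonymous feed), here is example Python written for this discussion. It is not code from Hennepin County, Library Elf or the HIP beta; the catalog URL, the sample patron record and the server key are assumptions. One deliberate difference from the comment above: the derived token is keyed with a server-side secret (an HMAC) rather than a plain salted hash, so that knowing a patron’s three inputs is not enough to compute their feed URL.

```python
# Added example: two per-patron feed-URL schemes and an anonymous-by-default
# feed body. Illustrative code written for this discussion, not code from
# Hennepin County, Library Elf or the HIP beta. URL, patron and key are assumed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Patron:
    borrower_id: str
    barcode: str
    pin: str
    first_name: str
    middle_name: str
    last_name: str
    email: str
    items_out: tuple
    holds: tuple
    overdue: tuple
    fines: float


# Constructed sample record; every value here is made up.
PATRON = Patron(
    borrower_id="P10042",
    barcode="21234000001234",
    pin="814203",
    first_name="Mary",
    middle_name="Ann",
    last_name="Example",
    email="mary@mail.invalid",
    items_out=("The Pragmatic Programmer", "Security Engineering"),
    holds=("Applied Cryptography",),
    overdue=("Security Engineering",),
    fines=1.50,
)

FEED_BASE = "https://catalog.library.invalid/rss/"  # assumed catalog URL


# Scheme 1 (Hennepin-style): a random token, tied to the borrower only on the
# server. The token reveals nothing about the patron and grants only the feed.
class TokenRegistry:
    def __init__(self):
        self._owner = {}  # token -> borrower_id, kept server-side

    def issue(self, patron):
        token = secrets.token_urlsafe(24)  # 192 random bits, unrelated to patron data
        self._owner[token] = patron.borrower_id
        return token

    def borrower_for(self, token):
        return self._owner.get(token)  # None for a token we never issued


# Scheme 2 (HIP-beta-style): a token derived from borrower ID, barcode and PIN.
# Keyed with a server secret (HMAC) rather than a public salt; if any of the
# three inputs changes, the token changes and the patron must fetch a new URL.
SERVER_KEY = b"assumed-server-side-secret-keep-out-of-the-catalog-db"


def derived_token(patron, key=SERVER_KEY):
    material = "|".join((patron.borrower_id, patron.barcode, patron.pin)).encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def rotates_on_pin_change(patron):
    """The derived URL must change when the PIN (or any input) changes."""
    return derived_token(patron) != derived_token(replace(patron, pin="000000"))


def feed_url(token):
    return FEED_BASE + token


def url_leaks_identity(url, patron):
    """True if the URL carries anything that identifies or authenticates the patron."""
    identifying = (patron.borrower_id, patron.barcode, patron.pin,
                   patron.email, patron.last_name)
    return any(s in url for s in identifying)


def feed_entries(patron, detail="alerts", show_name=False):
    """Feed body under the options page. Defaults give an anonymous, alerts-only feed."""
    title = "Library account"
    if show_name:  # first and middle names only, never surname or email
        title += f" for {patron.first_name} {patron.middle_name}".rstrip()
    entries = [title]
    entries += [f"Overdue: {t}" for t in patron.overdue]
    if patron.fines:
        entries.append(f"Fines owed: ${patron.fines:.2f}")
    if detail == "full":  # opt-in: items out and holds
        entries += [f"Out: {t}" for t in patron.items_out]
        entries += [f"On hold: {t}" for t in patron.holds]
    return entries


def feed_leaks_credentials(entries, patron):
    """Email, barcode, PIN and surname must never appear, whatever the options."""
    text = "\n".join(entries)
    return any(s in text for s in (patron.email, patron.barcode, patron.pin, patron.last_name))
```

In both schemes the feed URL is a bearer capability: anyone who learns it (for instance, an aggregator that indexes it) can read the feed, which is exactly the Bloglines problem, so the URL should be treated like a password and the feed body should carry as little as the patron needs. The random-token registry can revoke a single feed by deleting one entry; the derived token cannot be revoked except by changing an input, which is why it is keyed with a server secret here rather than a public salt.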
I am one of the developers of Library Elf, and I thought you might be interested in how we are handling the Bloglines problem as it relates to Elf. I put the response on the blog that originally discovered the problem. Just to let you know, we’ve taken off all email address references in the RSS feeds and have stopped Bloglines from grabbing existing Elf RSS feeds. And we will be working on a longer-term solution for greater RSS security. This discussion is proving very fruitful.
Comment on 28 December 2005 @ 2101
Privacy on the internet continues to be at issue. Just because someone says your data is private doesn’t mean it’s true. Just ask the AOL folks.
Comment on 5 March 2007 @ 0148