Careful before you click that share button!

I’ve noticed something about Google Photos that is really weird. Crazy enough that I’ve told dozens of Photos users and none have believed me. They swear I have to be wrong, until I show them otherwise.

Whenever you share a photo with a specific person or account on Google Photos, it creates a link that will allow anyone in the world to view those photos, forever, until you go and manually deactivate that link in an obscure part of the interface.

You can see it here:

(Had I instead shared it with the Photos account visible 4 seconds in, the result would have been identical.)

What have you just watched? If I go and share a photo with a specific other Google Account, I can use that link to view it in:

i) another Google Account it wasn’t shared with (25 seconds in); and

ii) an incognito window where I’m not logged into any Google Account at all (39 seconds in)!

If that ‘secret’ link is ever revealed, anyone anywhere will be able to see it until I go and delete that specific sharing instance. And I’d have no way to find out that they were viewing it!

People constantly tell me I can’t be right about this — it’ll happen in the comments below, I promise — because the interface never indicates that this is going on. Nowhere did “Create shared URL” or anything similar appear in the video.

Furthermore, the interface looks very similar to Google Drive, which by default only lets people see a file when logged into the specific account it was shared with.

Drive also lists who a file is shared with when you click the share icon — so people using Photos naturally assume their photos are private when they see that nobody is listed when they click the ‘share’ icon.

I can only ever find out that I’ve created this permanent semi-public link by going to the ‘Sharing’ tab in Photos, which is very easy to miss. Nothing in the interface relating to that particular photo will show me. And even the Sharing page gives zero indication that you’ve made a publicly visible link rather than just shared a photo with an individual:

‘Albums’ work the same way. If you create an album and share it with a specific Google Account, it will create a permanent ‘secret’ URL with all those photos visible to anyone with the link, until you go and delete or completely un-share the Album.

Why this is unacceptable

Firstly, it’s unacceptable because most users don’t realise it’s happening. The interface is so poorly designed that the most common reaction I’ve had when I tell Photos users about this is literal disbelief. The only way to convince people is to show them with their own eyes. If our private and potentially sensitive data is going to be revealed this way, it should be clear that it’s going on.

It’s also unacceptable because it creates an excessive risk of sensitive data being exposed. People often take photos of things like private documents, or themselves naked. It’s very important only the right people get to see these things! Google is a data company that has a responsibility to its users to make sure that’s the case.

How could the ‘secret’ link end up in the wrong hands? Some possibilities:

i) An email thread / document with a link to the photo or album is forwarded or shared with the wrong person, or accidentally posted somewhere public. The recipient naturally thinks the link only works for them (as would be the case for Drive) and doesn’t take care to prevent it becoming public.

ii) Links sent by email are semi-public because they move across the internet unencrypted, and are simple to intercept, especially for governments. It’s only OK to link to sensitive things by email if the recipient needs to be logged in to view them.

iii) A database of these links is one day leaked or hacked, or people figure out a pattern in how the ‘secret’ URLs are generated.

iv) Someone’s emails or other documents are hacked or leaked, with the links to photos contained inside for all to see.

Keep in mind the status quo is for these links to persist forever, providing plenty of time for one of the above things to happen.

Furthermore, if you were discussing a topic by email it wouldn’t be that unusual for exactly the wrong person (e.g. someone at another company, or a member of your extended family) to be later added to a thread and gain access to any photos someone has linked to along the way. Most people have terrible information security practices.

Maybe you don’t care. Fair enough. But if you’re a teenager using Photos to share racy photos with your partner, or an immigration lawyer using Photos to receive and send photographs of client documents, you might well care.

And for political dissidents around the world, clarity about what they are sharing and with whom is a literal matter of life and death.

Would Google use this sharing method for their sensitive internal photos or documents? Not a chance! It would be negligent and likely illegal.

The solution

Easy: sharing behaviour in Photos should be changed to match that of Google Drive, which is excellent and transparent.

On Drive, if the person you want to share with has a Google Account, it’s shared with that account exclusively. And if they don’t, you have the opportunity to either send them a link they can convert into permanent access for one Google Account of their choice, or knowingly make the file public and send them a link to it.
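
The two sharing models contrasted in this post, as an added Python sketch (not Google's code and not part of the original post): a "link" share treats the URL as the only credential, while an "account" share checks the logged-in viewer against the recipient list. `ShareStore`, the policy names, and the sample accounts and file names are all hypothetical.

```python
import secrets

class ShareStore:
    """Toy model of two sharing policies (hypothetical, not Google's code)."""

    def __init__(self):
        self._shares = {}  # token -> {"item", "policy", "allowed"}

    def share(self, item, recipient, policy):
        # Unguessable token: 32 random bytes from the OS CSPRNG.
        token = secrets.token_urlsafe(32)
        self._shares[token] = {"item": item, "policy": policy, "allowed": {recipient}}
        return token

    def view(self, token, viewer=None):
        """viewer is the authenticated account, or None when logged out."""
        s = self._shares.get(token)
        if s is None:
            return None                      # revoked or never existed
        if s["policy"] == "link":            # bearer link: the URL is the credential
            return s["item"]
        if s["policy"] == "account" and viewer in s["allowed"]:
            return s["item"]                 # identity checked against the ACL
        return None

    def revoke(self, token):
        self._shares.pop(token, None)

    def audit(self):
        """List items that anyone holding the link can open."""
        return sorted(s["item"] for s in self._shares.values() if s["policy"] == "link")

def demo():
    store = ShareStore()
    # Constructed sample data: both items are "shared with" the same recipient.
    link = store.share("passport.jpg", "alice@example.com", "link")
    acct = store.share("contract.jpg", "alice@example.com", "account")
    results = {
        "link_other_account": store.view(link, "mallory@example.com"),
        "link_logged_out": store.view(link),
        "acct_recipient": store.view(acct, "alice@example.com"),
        "acct_other_account": store.view(acct, "mallory@example.com"),
        "acct_logged_out": store.view(acct),
        "exposed": store.audit(),
    }
    store.revoke(link)
    results["link_after_revoke"] = store.view(link)
    return results

print(demo())
```

Even with an unguessable token, the "link" share opens for a different account and for a logged-out viewer until it is revoked; the `audit` listing plays the role of the ‘Sharing’ tab, the only place the exposure shows up.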

If that’s not possible, Photos’ interface should be changed to make it clear that ‘Anyone with the link can view’.

Until this week you could automatically get photos from an Android phone uploaded to Drive and share them using its far superior interface. But that option was just turned off completely, preventing this workaround. You can read about that in my previous post: Google’s new system for Drive/Photos image syncing is insane.

—

Added: This post has really blown up with over 300,000 views in under a day. Lest I seem like I’m all negativity, I should point out that the Photos team has made good decisions too — for instance, its interface for scanning and selecting photos is very impressive.

There are a number of comments from people who say they’ve always known Photos worked this way. That’s great, though given I’ve only seen a few dozen responses like that out of 300,000 readers, they seem to be in the minority. I suspect that what drives people’s expectations is what other services they’ve used before trying Photos. If, like me, you are used to Drive and then switch to Photos, this behaviour is totally unexpected and alarming.