Using Bloglines to snoop on people's private Gmail
I was astonished on Friday when I was looking at my Gmail account inbox and accidentally hit the 'Subscribe with Bloglines' bookmarklet on my Firefox links toolbar. Bloglines then dutifully put up on the screen a whole series of Atom feeds of other people's Gmail accounts that I could subscribe to.
At first, because all of the Atom feeds had been sent through FeedBurner, and the content seemed so spammy, I wondered if it might not have been set up to entice people to subscribe to the feeds as a way of getting more eyeballs on spam email. However, a couple of the feeds seemed to contain genuine personal email, and frankly, such a high percentage of email traffic is spam that if you monitored any email address I'm sure the ratio of spammy mail would look quite high.
Whilst you are not able to go straight from the feed to look at the complete email, once subscribed you can read the subject and the first line of any email sent to these addresses. That can be enough though, especially once a thread starts. For example I know one of these people left their job last week.
In another email, you nearly get hold of someone's user ID and password for a website, further proof that Dave Cross is right when complaining about the poor handling of password data by a lot of online applications. In this case there just are not enough characters in the snippet to reveal the password - but only just.
I think that is where the privacy issue gets a bit scarier and, for me, more controversial. The people sending emails to these addresses have no control over whether the recipient has made their Gmail feed public via an aggregator like Bloglines or not. There is the potential that in the opening line or subject of an email that they think is a secure private one-to-one conversation they could give out very personal details, or defame someone, and end up with their private communication plastered all over the web.
The fault I guess lies with both Google and Bloglines. Google clearly need to do more to educate their Gmail Atom users about the potential privacy implications of making their email available in a syndication format. They do have an FAQ answer that warns you that if you do not set the feed to private in your aggregator, you are revealing your email to the world.
Are my Google Mail RSS feeds publicly accessible?
Many aggregator services mark your profile and feeds as public by default, making the subjects and snippets of your Google Mail messages searchable. Even though other users can view the subjects and snippets, the entire content of your messages is not accessible.
If you want to make sure that your Google Mail feeds are not searchable, we suggest setting your profile and feeds as private.
However, that warning isn't given in the main FAQ entry about setting the feed up, even though Google take the time to warn you that the feed will not appear until you have some unread mail in it.
How do I view Google Mail messages with my aggregator?
You can view Google Mail messages in your aggregator by subscribing to a new channel. Enter https://mail.google.com/mail/feed/atom in the 'URL' field, then submit your Google Mail address and password.
Please keep in mind that Google Mail messages will not appear in your aggregator unless there are unread messages in your inbox.
And Bloglines could do something to restrict the display of feeds with the telltale sign of containing content from Gmail, so that if you know your own Gmail Atom address you can still subscribe to it, but you can't fish for other people's mail using Bloglines any more.
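As an added example of the aggregator-side rule suggested above (this is not code from the post, from Bloglines or from Google), here is a Python sketch of how an aggregator could decide that a subscription is a private mailbox feed and default it to private rather than listing it in its public directory. It assumes two telltale signs: the feed URL quoted from the Google FAQ (https://mail.google.com/mail/feed/atom), and, for feeds relayed through a service like FeedBurner where the URL no longer gives it away, a feed title of the form "Gmail - Inbox for <address>", which is an assumption about the Gmail feed rather than something the post states. The sample feeds and hostnames are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Telltale sign 1: the feed URL itself. Host and path come from the
# Google FAQ entry quoted in the post.
MAILBOX_FEED_HOSTS = {"mail.google.com"}
MAILBOX_FEED_PATH_PREFIX = "/mail/feed/"

# Telltale sign 2 (assumption): the feed body announces itself as
# "Gmail - Inbox for <address>", which survives relaying through
# FeedBurner even though the original URL does not.
MAILBOX_TITLE_RE = re.compile(r"^Gmail - Inbox for \S+@\S+$")


def _local_name(tag: str) -> str:
    """Strip an XML namespace so Atom 0.3 and Atom 1.0 feeds are handled alike."""
    return tag.rsplit("}", 1)[-1]


def looks_like_mailbox_feed_url(url: str) -> bool:
    """True when the subscription URL points straight at the Gmail feed."""
    parsed = urlparse(url)
    return (parsed.hostname in MAILBOX_FEED_HOSTS
            and parsed.path.startswith(MAILBOX_FEED_PATH_PREFIX))


def looks_like_mailbox_feed_body(atom_xml: str) -> bool:
    """True when the feed document's top-level title marks it as a mailbox.

    Malformed XML cannot be classified by content, so it returns False and
    the caller falls back on the URL check alone.
    """
    try:
        root = ET.fromstring(atom_xml)
    except ET.ParseError:
        return False
    title = next((child.text for child in root
                  if _local_name(child.tag) == "title"), None) or ""
    return bool(MAILBOX_TITLE_RE.match(title.strip()))


def default_visibility(url: str, atom_xml: str) -> str:
    """Visibility an aggregator should assign to a new subscription.

    Mailbox feeds are forced to 'private' so the owner can still read them
    but they never appear in a public directory of subscribable feeds.
    """
    if looks_like_mailbox_feed_url(url) or looks_like_mailbox_feed_body(atom_xml):
        return "private"
    return "public"


def publicly_listable(subscriptions):
    """Filter (url, atom_xml) pairs down to those safe to show in a directory."""
    return [url for url, atom_xml in subscriptions
            if default_visibility(url, atom_xml) == "public"]


# Constructed sample feeds, not captured from any real account.
MAILBOX_FEED = """<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Gmail - Inbox for someone@example.invalid</title>
  <entry><title>Re: your login details</title>
    <summary>Hi, your username is ... and your password is</summary></entry>
</feed>"""

BLOG_FEED = """<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example Weblog</title>
  <entry><title>Hello world</title><summary>First post.</summary></entry>
</feed>"""

if __name__ == "__main__":
    subs = [
        ("https://mail.google.com/mail/feed/atom", BLOG_FEED),
        ("https://feeds.relay.example.invalid/someone", MAILBOX_FEED),
        ("https://blog.example.invalid/atom.xml", BLOG_FEED),
    ]
    for url, xml in subs:
        print(default_visibility(url, xml), url)
    print("listable:", publicly_listable(subs))
```

The URL check on its own is not enough: in the case described in the post the feeds had been passed through FeedBurner, so the aggregator only ever sees a relay URL, which is why the content-based check is there as well. Whatever marker a real aggregator keys on, the safe failure mode is the one shown: when in doubt, default the subscription to private and let the owner opt into publishing it.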