Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] question about browser/Gmail subject line / browser history exposure

Sam King samking at cs.stanford.edu
Wed Jul 4 14:44:58 PDT 2012


I remember when they first implemented this feature in the early days of
gmail.  I remember experiencing it as a wonderful feature, which was how
they touted it.  In Yahoo mail, I can't bookmark a URL for a particular
email, and I can't use the forward or back buttons in my browser.  In
gmail, they got the browser to treat each email as a separate page, so the
browser history shows each as a separate page.  As a result, it would
probably be a very large change in the code and a decently large decrease
in usability if they were to revert that feature.  I believe that
m.gmail.com doesn't give away too much information in the subject lines,
though.

In any case, if someone is doing sensitive things in a public location on
an insecure computer, there are a lot of vectors of attack (you mentioned
keyloggers.  How about someone looking over your shoulder or recording
you?).  If that person isn't taking the basic precaution of clearing their
browser history (or going into privacy mode in FF or incognito mode in
Chrome), they probably are exposing a lot more than a list of emails they
read, and they probably aren't taking a lot of other necessary precautions.
 Even if they used Yahoo mail, the browser history would still reveal their
username (and the connections aren't https by default, so it would probably
be much easier for someone to actually read your emails and gather your
browsing data).

In general, a good user interface is one where user expectations are
fulfilled.  I don't think that most people I know have the expectation,
"When I am in a public place, the things that I say and read are private"
-- I wouldn't be surprised if someone noticed a newspaper article I was
reading in a cafe, for instance -- and I also think that most people I know
are starting to have the expectation, "anything that I do on a computer or
on the internet will leave traces."  That is very dependent on the culture
and familiarity with computers on the part of the user, though.

Sam King
Director | Code the Change <http://codethechange.org> - we have a Code Jam
for social good coming up!
Teacher | CS1U: Practical Unix <http://cs1u.stanford.edu> - videos and
exercises are available free online!
facebook <https://www.facebook.com/samjking>,
linkedin<http://www.linkedin.com/profile/view?id=55518052>,
twitter <http://twitter.com/codethechange>,
google+<https://plus.google.com/111459971983433860521>,
verbose letters <http://stanford.edu/~samking/personal/>



On Wed, Jul 4, 2012 at 5:15 PM, Katrin Verclas <katrin at mobileactive.org>wrote:

> Hi, Robert, thanks for that.
>
> See below.
>
> On Jul 4, 2012, at 8:55 AM, Robert Guerra wrote:
>
> > Katrin,
> >
> > Likely what  is being displayed is the HTML page title, which google
> updates per each email that is viewed or composed.
>
> Yeah but that's a choice gmail/fb make for some usability/ease of
> use/whatever reason that backfires for those users dependent on internet
> cafes who are not deleting their browser history.
>
> Of course, as was pointed out to me, there is also the problem of
> keylogger software on many computers in many cafes in many repressive
> countries that records passwords etc.... which, of course, is an important
> related issue but not one I am getting into here :)
>
> >
> > The data being displayed is - sensitive data - as such would likely have
> been included in the privacy impact analysis that all GNI companies need to
> do
>
> Has the privacy impact analysis been released? I am copying Susan on this
> to shed light on how and what role GNI plays in this (not clear on this but
> Sudan can enlighten us)
>
> > . If there's a variation between them on this, then that should be
> pointed out.
>
> Between Yahoo v gmail?  Is that what you mean?  Trying to understand what
> you are getting at...
>
> And yes, seems like an easy fix that would increase privacy for users on
> shared computers without a huge loss of usability.
>
>
> >
> > Robert
> >
> > --
> > R. Guerra
> > Phone/Cell: +1 202-905-2081
> > Twitter: twitter.com/netfreedom
> > Email: rguerra at privaterra.org
> >
> > On 2012-07-04, at 7:52 AM, Katrin Verclas wrote:
> >
> >> Hi all --
> >>
> >> Question for you:  A colleague noticed in an Internet cafe (in a
> repressive country) that in FireFox and Chrome the browser history reveals
> the subject line of gmail. The history also reveals the name of the person
> a user Facebook-messaged and profile pages visited.  The same was not true
> for Yahoo or hotmail.
> >>
> >> See below for a sample screenshot that illustrates what I am talking
> about (using the latest version of FF on Mac OS)  It seems to be a function
> of gmail/FB not the browser (same happens in Chrome and Safari, did not try
> for IE).  As I said, Yahoo mail and Hotmail do not reveal the subject line
> in the history as far as we could see.
> >>
> >> So - is this and oversight or deliberate on the part of Gmail/F?
> >>
> >> It seems potentially rather problematic since most users do not delete
> their history nor use any private browsing features or software when in an
> internet cafe.  We looked at detailed name/subject line/FB social grapsh in
> the browser history of machines in the cafe for at least eight months
> back). With this information it is very easy to see an individual's
> activity without any other digital logs installed.
> >>
> >> Curious about this from a technical POV and whether it can be fixed by
> Gmail/Facebook.  We can involve the right people there; after understanding
> this better.
> >>
> >> In the meantime, this definitely should be covered in any trainings
> (that is - do not use a a sensitive or revealing subject line, delete your
> history, browse in private mode, etc)
> >>
> >> Thanks for any insights.
> >>
> >> Best,
> >>
> >> Katrin
> >>
> >>
> >>
> >> <Screen shot 2012-07-04 at 7.37.19 AM.png>
> >
>
>
> Katrin Verclas
> MobileActive.org
> katrin at mobileactive.org
>
> skype/twitter: katrinskaya
> (347) 281-7191
>
> Check out SaferMobile.org
> Using Mobile Technology More Securely. For Activists, Rights Defenders,
> and Journalists.
> https://safermobile.org
>
> MobileActive.org: A global network of people using mobile technology for
> social impact
> http://mobileactive.org
>
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click
> above) next to "would you like to receive list mail batched in a daily
> digest?"
>
> You will need the user name and password you receive from the list
> moderator in monthly reminders. You may ask for a reminder here:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20120704/a36bf474/attachment.html>


More information about the liberationtech mailing list