« "This card is viewed by other accounts" - an update on the Library Elf and your privacy | Main | Library Elf quick to respond - "private" RSS feeds in Bloglines are public »


Updated library elf posts can be found under the tag patron records. Then PAGE DOWN.

Karen Coyle got a discussion going with tech folks on this issue at this Web4Lib thread

If LibraryElf doesn't support HTTP authentication (which implies password protection), then at best it's offering "security by obscurity"; anyone snooping just has to guess the URL of the feed, which may not be difficult. Bloglines has merely made that problem more obvious. But apparently Bloglines is at fault in not making it clear what they consider to be a "private" feed.

reading this on my treo is hard :) agree that bloglines should define private much better or stop implying that the word means anything...

I furled this link a while ago: http://labs.silverorange.com/archives/2003/july/privaterss

It's one of the few discussions I've encountered about making RSS feeds private, but it's 2 years old.

I think this is not alarmist at all, and I think it's a bloglines problem... what does it mean to mark something private? Just that it doesn't turn up in blogrolls but it does turn up in search results? yuck.

As an extremely happy library elf user, I must say I find this rather alarmist and the issues misplaced.

While the content of the feed may include personal information, it is only being disseminated to those individuals. If someone configures their own feed (which includes personal information) to be available publically, I can't see how library elf would have any sort of responsibility in the matter.

To me, the real story here is that folks were sideswiped by bloglines releasing information that was market private -- that is a serious problem that needs immediate action on the part of bloglines.

--Andrew (who absolutely loves library elf & is rather suspicious of bloglines =)

The problem with dynamic RSS feeds is that they need a "key" to determine which data to load. This key would have to be viewable in the URL, so something like: www.mysite.com/rss.aspx?user=chris for example, would give you an RSS feed for items to do with "chris".

This has been a fundamental problem for my developing RSS feeds, because I do need RSS data that is password protected, but as of now, there is not a good mechanism to use for authentication in RSS alone. It's basically all or none.

I have one feed that I use basic HTTP authorization in, but that feed can not be viewed in bloglines; it needs an aggregator that can speak basic HTTP auth.

So this is not really Elf or Bloglines fault per se.

RSS is an open technology. Elf created RSS feeds to allow people the convenience of aggregating that information. Bloglines aggregates more than just your RSS feeds, it connects users who link to similar RSS feeds based on the URL.

Hence why so many Elf feeds were exposed.

Based on the replies of others, my earlier comment was clearly mistaken. Having been wrong the first time, let me ask a couple of question: LibraryElf requires a password to access one's RSS feed, right? If so, then not giving the password to any third-party aggregator should solve the problem. If not, then LibraryElf is literally publishing your information for the world to read.

Today Bloglines is showing "error" for all those feeds. Perhaps someone complained and they did some quick patch to hide them.

This discovery is important and I want to thank Mary for finding it as well as the users who have expressed their concerns. I am one of the developers of Library Elf and I want to express that we are very concerned about what's happening on Bloglines.

It should be noted that the RSS feed from Library Elf is no different than other normal RSS feeds. This means that if you publish the link to your RSS feed, others will be able to view it. This is the way RSS works.

Nevertheless, it appears that Bloglines does not handle private subscriptions in a manner that we assume it should. My own personal Elf RSS feed on Bloglines is being publicly displayed even though I did not designate my account as public. Like you, I was surprised to see this so I sent off an email to Bloglines alerting them of this. After I sent it off, I discovered that Bloglines considers all feeds public unless the RSS feed is HTTP authenticated. Currently Elf does not implement HTTP authentication. Here is a quote by Mark Fletcher, founder of Bloglines "Currently the only way that a feed is marked private is if it contains a username/password used for HTTP authentication." (http://daringfireball.net/2005/02/feed_authentication).

So the privacy setting in Bloglines appears to have nothing to do with ensuring that your feeds are kept private! The statement on their website "Once sharing is enabled, all of your subscriptions and folders become public." is very misleading in my opinion as it implies that your feeds are private until shared.

It's important to note that this problem isn't isolated to just Library Elf. For instance, the Seattle Public Library offers RSS feeds for items out and holds for their users. If you were to type "Seattle Public Library" in the Bloglines search field, you will see a quite a few feeds on items out and hold notices for their patrons. I'm sure many of these patrons are not aware that their feeds are public either.

We've made changes to Elf to give users more control of their RSS feed (http://www.libraryelf.com/WhatsNew.aspx) . However this doesn't solve the Blogline problem long term. We will be looking into HTTP authentication for increased security as an optional way of generating Library Elf's RSS feed. In the meantime, we suggest that you unsubscribe your Elf RSS feed on Bloglines. Furthermore, for other public RSS aggregator services, we suggest you try to do a search in their system to see if your Elf RSS feed has been made public. If so, unsubscribe your Elf RSS feed as well.

Thanks for bringing this issue to our attention and we hope that you will continue to use Library Elf as we make improvements to its security.

BTW Glen we removed all references to email addresses in the RSS feed. Thanks for pointing this out.

My library offers RSS feeds for some patron personal information, so I've had some experience with these issues.

Jenny is correct that if you subscribe to your feed in Bloglines others may be able to stumble across your feed. My personal feed can be found via a search even though my account settings say "keep my Blog private". Not all that private, apparently.

Not all Elf feeds or feeds from libraries are exposed - only those where the patron is subscribed via a public aggregator like Bloglines.

That said, Elf is at fault for exposing the patron's email address. They should not publish users' email addresses in the feed or within the feed URL.

Public libraries that I'm aware of the offer feeds, including Hennepin, Seattle and Ann Arbor, use tokens in the feed URLs rather than patron barcode/pins to protect privacy. The tokens will only get you a list of the items out and patron's first name.

I had my feed marked as "private" which apparently didn't protect it from being indexed.

I was one of the 228 people!

RSS is simply a data format for carrying information; what gets put into it depends on the software creating the feed.

It looks as if these people created public profiles for themselves and published their own Elf feeds in their profile. I can't see any other way that Bloglines could have gotten hold of the URLs for their feeds. This implies that they want other people to know what books they've borrowed, or else they're just dumb. To get hold of an arbitrary person's RSS feed, you at least have to know (or guess) its URL. I don't think Bloglines is in the business of guessing RSS URLs, so I have to suppose these users chose to publish them.

I hope someone more technical than me will come along and leave a comment, but I'm pretty sure this is an issue with RSS, not Elf. It's an education issue that if you put any private feed in a public aggregator, anyone will be able to read that feed. The only patron feeds you should be able to read in Bloglines are the ones users have manually added, and the same would hold true for any feed coming from a library catalog or database.

The comments to this entry are closed.