I made a major discovery since my last post, in which I mused that I didn't think it made any difference to my privacy if I was a Library Elf subscriber or not.
It does, and how. Turns out anyone can see your [12/28- some] Library Elf RSS feeds.* Doesn't matter if they know your card number, PIN, or even your name.
Here's what happened: I had my Bloglines.com reader open for blog reading. I typed "library elf" in the SEARCH ALL BLOGS box. Imagine my surprise when I got 228 results, most of which are individuals' accounts - one more click gives you first names, email addresses, titles borrowed, on hold, etc.
Maybe that's why libraries haven't been offering RSS feeds for user accounts. I suspect it's a hole in RSS itself. Anyone know?
Unless you really don't care if anyone sees your record, you'll want to delete any ELF accounts now [12/28- if you use Bloglines or possibly other web-based RSS readers]. If not, personal information about you may be floating around - great for bringing you email scams targeted to your reading interests - or worse.
Personal note: I'm sad to find this - as it means I have to go back to horse-and-buggy days to check when my books are due. Well, not literally, but it's amazing how quickly we become accustomed to convenience.
*(At least if you use Bloglines as your RSS reader - though for all I know it may be true for all Elf users with RSS feeds)[Update 12/28 - Only true for users who sign up with Bloglines and possibly other web-based RSS readers-mm]
______________________________
Added later 12/27- It seems to me that even if libraries offered strong passwording, this RSS leak would remain. I'm speaking now about library users who voluntarily type in their library passwords when they sign up for an Elf account. The Elf apparently stores this forever unless the user changes or terminates the account. A strong password would only be a higher quality key left in an open door.
Updated library elf posts can be found under the tag patron records. Then PAGE DOWN.
Posted by: Mary | July 13, 2006 at 09:10 AM
Karen Coyle got a discussion going with tech folks on this issue at this Web4Lib thread
Posted by: Mary | December 29, 2005 at 09:25 PM
If LibraryElf doesn't support HTTP authentication (which implies password protection), then at best it's offering "security by obscurity"; anyone snooping just has to guess the URL of the feed, which may not be difficult. Bloglines has merely made that problem more obvious. But apparently Bloglines is at fault in not making it clear what they consider to be a "private" feed.
Posted by: Gary McGath | December 29, 2005 at 07:15 AM
reading this on my treo is hard :) agree that bloglines should define private much better or stop implying that the word means anything...
Posted by: kgs | December 28, 2005 at 11:54 AM
I furled this link a while ago: http://labs.silverorange.com/archives/2003/july/privaterss
It's one of the few discussions I've encountered about making RSS feeds private, but it's 2 years old.
I think this is not alarmist at all, and I think it's a bloglines problem... what does it mean to mark something private? Just that it doesn't turn up in blogrolls but it does turn up in search results? yuck.
Posted by: Christina Pikas | December 28, 2005 at 10:21 AM
As an extremely happy library elf user, I must say I find this rather alarmist and the issues misplaced.
While the content of the feed may include personal information, it is only being disseminated to those individuals. If someone configures their own feed (which includes personal information) to be available publically, I can't see how library elf would have any sort of responsibility in the matter.
To me, the real story here is that folks were sideswiped by bloglines releasing information that was market private -- that is a serious problem that needs immediate action on the part of bloglines.
--Andrew (who absolutely loves library elf & is rather suspicious of bloglines =)
Posted by: Andrew Forman | December 28, 2005 at 08:26 AM
The problem with dynamic RSS feeds is that they need a "key" to determine which data to load. This key would have to be viewable in the URL, so something like: www.mysite.com/rss.aspx?user=chris for example, would give you an RSS feed for items to do with "chris".
This has been a fundamental problem for my developing RSS feeds, because I do need RSS data that is password protected, but as of now, there is not a good mechanism to use for authentication in RSS alone. It's basically all or none.
I have one feed that I use basic HTTP authorization in, but that feed can not be viewed in bloglines; it needs an aggregator that can speak basic HTTP auth.
So this is not really Elf or Bloglines fault per se.
RSS is an open technology. Elf created RSS feeds to allow people the convenience of aggregating that information. Bloglines aggregates more than just your RSS feeds, it connects users who link to similar RSS feeds based on the URL.
Hence why so many Elf feeds were exposed.
Posted by: Chris Deweese | December 28, 2005 at 08:26 AM
Based on the replies of others, my earlier comment was clearly mistaken. Having been wrong the first time, let me ask a couple of question: LibraryElf requires a password to access one's RSS feed, right? If so, then not giving the password to any third-party aggregator should solve the problem. If not, then LibraryElf is literally publishing your information for the world to read.
Today Bloglines is showing "error" for all those feeds. Perhaps someone complained and they did some quick patch to hide them.
Posted by: Gary McGath | December 28, 2005 at 05:11 AM
This discovery is important and I want to thank Mary for finding it as well as the users who have expressed their concerns. I am one of the developers of Library Elf and I want to express that we are very concerned about what's happening on Bloglines.
It should be noted that the RSS feed from Library Elf is no different than other normal RSS feeds. This means that if you publish the link to your RSS feed, others will be able to view it. This is the way RSS works.
Nevertheless, it appears that Bloglines does not handle private subscriptions in a manner that we assume it should. My own personal Elf RSS feed on Bloglines is being publicly displayed even though I did not designate my account as public. Like you, I was surprised to see this so I sent off an email to Bloglines alerting them of this. After I sent it off, I discovered that Bloglines considers all feeds public unless the RSS feed is HTTP authenticated. Currently Elf does not implement HTTP authentication. Here is a quote by Mark Fletcher, founder of Bloglines "Currently the only way that a feed is marked private is if it contains a username/password used for HTTP authentication." (http://daringfireball.net/2005/02/feed_authentication).
So the privacy setting in Bloglines appears to have nothing to do with ensuring that your feeds are kept private! The statement on their website "Once sharing is enabled, all of your subscriptions and folders become public." is very misleading in my opinion as it implies that your feeds are private until shared.
It's important to note that this problem isn't isolated to just Library Elf. For instance, the Seattle Public Library offers RSS feeds for items out and holds for their users. If you were to type "Seattle Public Library" in the Bloglines search field, you will see a quite a few feeds on items out and hold notices for their patrons. I'm sure many of these patrons are not aware that their feeds are public either.
We've made changes to Elf to give users more control of their RSS feed (http://www.libraryelf.com/WhatsNew.aspx) . However this doesn't solve the Blogline problem long term. We will be looking into HTTP authentication for increased security as an optional way of generating Library Elf's RSS feed. In the meantime, we suggest that you unsubscribe your Elf RSS feed on Bloglines. Furthermore, for other public RSS aggregator services, we suggest you try to do a search in their system to see if your Elf RSS feed has been made public. If so, unsubscribe your Elf RSS feed as well.
Thanks for bringing this issue to our attention and we hope that you will continue to use Library Elf as we make improvements to its security.
BTW Glen we removed all references to email addresses in the RSS feed. Thanks for pointing this out.
Posted by: Jeff Chow | December 28, 2005 at 02:04 AM
My library offers RSS feeds for some patron personal information, so I've had some experience with these issues.
Jenny is correct that if you subscribe to your feed in Bloglines others may be able to stumble across your feed. My personal feed can be found via a search even though my account settings say "keep my Blog private". Not all that private, apparently.
Not all Elf feeds or feeds from libraries are exposed - only those where the patron is subscribed via a public aggregator like Bloglines.
That said, Elf is at fault for exposing the patron's email address. They should not publish users' email addresses in the feed or within the feed URL.
Public libraries that I'm aware of the offer feeds, including Hennepin, Seattle and Ann Arbor, use tokens in the feed URLs rather than patron barcode/pins to protect privacy. The tokens will only get you a list of the items out and patron's first name.
Posted by: Glenn Peterson | December 27, 2005 at 09:04 PM
I had my feed marked as "private" which apparently didn't protect it from being indexed.
I was one of the 228 people!
Posted by: Kelli Staley | December 27, 2005 at 05:36 PM
RSS is simply a data format for carrying information; what gets put into it depends on the software creating the feed.
It looks as if these people created public profiles for themselves and published their own Elf feeds in their profile. I can't see any other way that Bloglines could have gotten hold of the URLs for their feeds. This implies that they want other people to know what books they've borrowed, or else they're just dumb. To get hold of an arbitrary person's RSS feed, you at least have to know (or guess) its URL. I don't think Bloglines is in the business of guessing RSS URLs, so I have to suppose these users chose to publish them.
Posted by: Gary McGath | December 27, 2005 at 02:27 PM
I hope someone more technical than me will come along and leave a comment, but I'm pretty sure this is an issue with RSS, not Elf. It's an education issue that if you put any private feed in a public aggregator, anyone will be able to read that feed. The only patron feeds you should be able to read in Bloglines are the ones users have manually added, and the same would hold true for any feed coming from a library catalog or database.
Posted by: Jenny Levine | December 27, 2005 at 11:57 AM