Google changes JotSpot privacy settings after complaint

Researcher challenges Google after finding names and e-mail address of JotSpot users via Google search and wins--Google changes that and turns everything private.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

Oct. 31, 2008 4:05 p.m. PT

2 min read

Google said Friday that it was modifying the privacy settings on its JotSpot online collaboration service after a researcher discovered that user e-mail addresses and names were being exposed to the Web without user consent.

Ben Edelman, Harvard Business School professor and security researcher, posted a blog entry on Thursday showing how JotSpot user names and e-mail addresses were easily accessible on Google search.

After being contacted by CNET News, Google issued a statement disavowing any responsibility by saying that the administrators of the JotSpot groups were responsible for setting the privacy controls. If the information was exposed on the Internet it was because the administrators had made it public.

Not satisfied with that response, Edelman pointed out the flaws with that excuse in an update to his original post.

JotSpot users didn't agree to have their names and e-mails made public and Edelman talked to several who said they indeed did not grant consent. Administrator permission is not sufficient to justify the practice, and administrators are not party to the privacy policy "contract" between JotSpot and the users, he added.

In addition, Edelman found that the language relaying this responsibility to administrators was not clear and likely led to administrators mistakenly exposing the information to the Web without meaning to.

"Google should prioritize defaults and options that accommodate reasonable users, reasonable administrators, and standard use cases," he wrote.

In other words, make the policy notice understandable and clear and make it rational. Clearly, those thousands of JotSpot users wouldn't have wanted to have their names and e-mail addresses exposed for strangers and spammers to see, even if the administrator of the group wanted it so.

In response, Scott Johnston, former vice president of products at JotSpot, sent an e-mail to Edelman outlining changes based on his feedback.

"Admins have always been in control of whether to make their wikis public or leave them set to private. JotSpot wikis are private by default, and unless an admin chooses to set it to public, none of the information in that wiki is publicly accessible," Johnston wrote.

"However, based on your feedback, we have taken action to improve the JotSpot user experience by setting the User Management page on all public JotSpot wikis to private, and we are in the process of removing these pages from our cache," the e-mail said. "All private wikis will be unaffected by this change, as their User Management pages have never been publicly accessible."