LJ’s latest PrivacyFail
Sep. 1st, 2010 11:06 am![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
annathepiperI’ve seen a lot of news going around about this, but for those of you who haven’t, LJ has just turned on new functionality to crosspost to Facebook and Twitter.
On the face of it this seems fine. I crosspost regularly, as y’all probably know; all my posts these days originate from my WordPress blogs, but from there they head out to LJ, Dreamwidth, Facebook, and Twitter all at the same time. I’m fine with LJ allowing that to happen for stuff that originates on LJ.
What I’m not fine with is that you can apparently now also crosspost comments. Including comments on locked posts, or posts which are set to screen all comments. The crossposted comments will include a link back to the original post–and if that post is locked, sure, only the people who are authorized to see it will still see it. But there’s no way of knowing if those crossposted comments might quote bits of the original post.
So there’s big privacy fail here. There’s also just general fail of manners, because seriously, it’s just rude to link back to locked posts that people on other sites can’t read.
I wouldn’t have been turning on this functionality anyway since my crossposting originates off of LJ and I therefore do not need it. But I’m leaving it off also on general principle just because of this big gaping security hole. I encourage you all to do the same. Also, while I don’t often post locked posts or posts with screened comments, I do ask that if I do, please don’t crosspost any comments off of them.
The FAQ post about the new functionality is here. The new news post that mentions it is here.
If you feel passionately about this, I encourage you to submit feedback to LJ about it.
If you feel really passionately about this, enough to bail on LJ, I have Dreamwidth invite codes. Let me know if you want one.
Mirrored from annathepiper.org.
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2010-09-01 09:54 pm (UTC)no subject
Date: 2010-09-02 04:13 am (UTC)So mostly I'm just trying to decide how annoyed this makes me. I am hovering around "mildly annoyed", partly for the potential privacy fail. And partly for just not really getting why people would want to crosspost comments to different systems anyway, since nobody on the other systems will have any real context for the conversation to begin with. It's just spamful, really--the reverse of people posting their Tweets to LJ, and people here on LJ don't have any context for those, either.
no subject
Date: 2010-09-02 03:22 am (UTC)I don't know if I want to start using Dreamwidth yet or not.
no subject
Date: 2010-09-02 04:16 am (UTC)Comments, on the other hand, I start having a problem with. On unlocked posts it's just spamful to post them to other systems anyway, and on locked or screened posts, it's just outright rude.
I don't believe anybody I regularly get comments from here would do that, mind you. So while I am annoyed about this, I'm hovering around "mildly annoyed", and more on general principle rather than out of any real fear I might have a privacy breach.
Others I know though are a lot more concerned with their privacy of their content, so I'm more worried about them. :/
no subject
Date: 2010-09-02 05:37 am (UTC)http://www.livejournal.com/support/faqbrowse.bml?faqid=279
"The cross-posting options will automatically be unchecked when commenting to a Friends Only or Private post, so that no protected comments are sent to Facebook or Twitter by accident."
no subject
Date: 2010-09-02 05:47 am (UTC)However, in your personal settings, there are also tickyboxes for turning on auto-crossposting for both your posts and your comments.
So the question would be whether your personal settings, if set to auto-crosspost, would override what's on the locked or screened post.
no subject
Date: 2010-09-02 06:04 am (UTC)no subject
Date: 2010-09-02 10:31 am (UTC)And they won't do that ... or rather, if you've got "friends" who are inclined to do that, you've already got a problem since, even as things were before, they can just copy stuff out of your locked posts and paste them anywhere on the internet anyway.
So what am I missing? How is this a privacy fail?
no subject
Date: 2010-09-02 02:21 pm (UTC)Suppose that somebody is posting about some aspect of their life that they need to keep restricted to a small set of people on the net. So they lock the post, or perhaps they screen all the incoming comments.
Then somebody comes along who is participating in the conversation, and maybe they have their settings set to auto-crosspost all their comments off to Facebook. And suddenly, a comment shows up over on Facebook to the effect of "Gosh, yes, your husband/boss/mother/sister/housemate/etc. really is being a dick, and my best advice is you do X, Y, or Z".
At best, people on Facebook are going to go "wait, what? What is the context of this comment?" At worst, depending on exactly what is said, it's possible to learn something about the OP that the OP may well really not have wanted to get over to Facebook.
And this is entirely without any active malice on the part of the commenter.
Now if I understand it correctly locked posts are supposed to automatically have those tickyboxes turned off. What I have not yet determined (and which I should test just to see) is whether those boxes stay off if you have your own personal settings set to auto-crosspost. I have already tested that yes, you can crosspost a comment off of a post that's marked to screen all comments, but I didn't think to test with my settings set to auto-crosspost everything.
no subject
Date: 2010-09-03 11:45 pm (UTC)If, however, we're talking about cross-posting of full journal entries and that setting your own entries to be cross-posted means that all comments on your own entries will likewise be cross-posted to your own Facebook/wherever and that, in such cases, your own screening at LJ is bypassed, that would indeed be bad. But the description doesn't seem to indicate that's what's happening.
no subject
Date: 2010-09-04 12:17 am (UTC)I set my personal settings to auto-crosspost comments.
I went to a locked post, started composed a comment, the box was not checked, I hit 'Post...', the comment did not appear on Facebook.
I then composed another comment on the same locked post, did check the box and the comment did get crossposted.
I started to compose a comment here and I had to explicitly un-check the box (since this post is not locked).
... all as expected. It looks like they thought this one out, for once.
Still debating whether I'm going to leave it turned on (it's a bit of a toss-up whether the majority of my comments will be suitable for crossposting). My bigger problem is having this account more directly linked with my real name, though I think I've already given away the store on that one.
no subject
Date: 2010-09-04 12:27 am (UTC)Once a comment is posted, it appears that LJ doesn't remember whether the comment was cross-posted or not.
Meaning if I go to edit the comment and it's on a post that's not locked and my account is set to auto-cross-post, then the edited comment will be cross-posted if I don't remember to uncheck the box, even if I'd unchecked the box on the original comment.
Not sure that this has any privacy implications, but I'm guessing it's going to be annoying (I'm not sure there's ever any reason to crosspost an edited comment, especially if it's going to show up on Facebook as multiple comments).
no subject
Date: 2010-09-04 12:42 am (UTC)(hmm... something else to test)
(oh cool.. if you cross-post a comment, then remove it from Facebook, subsequent edits of the comment are still blocked from appearing even if you check the box. So clearly, they are remembering the identity of the comment.)