
Privacy setting is broken by design

RESOLVED FIXED in Future

Status

addons.mozilla.org Graveyard
Collections
P3
normal
RESOLVED FIXED
8 years ago
2 years ago

People

(Reporter: Wac, Unassigned)

Tracking

unspecified
Future
x86
Windows XP

Details

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5

The privacy setting of a collection is controlled by the option "Who can view your collection?". However, this option has implementation faults and is broken by design.

This is the scenario.
Day 1, it's a public collection when you create it.
Day 2, you decide it should be private and you change the status of the collection to private.

A user will expect, judging from the description of the privacy option, that the collection is no longer public now, so any personal or private information, if any, written in the collection is safe.

Nevertheless, some anonymous visitors may have visited your collection on Day 1. They may have bookmarked your link or shared the link in blogs, forums, newsgroups etc. A change in privacy status doesn't help with this issue.

Search crawlers may have indexed your collection on Day 1 too. A change in privacy status doesn't help with this issue either.

This is a major design flaw which gives users a false sense of security and privacy. Fundamental mistakes have been made in the implementation of the private collection system. This is only one of the problems caused by the incompleteness of the protection. There are other ways, problems and bugs which will cause a private collection to be *not* private. For some, it may not be very clear how exactly it happens (I only have a rough idea). I'll do more testing and research on it and file other bugs later.

Reproducible: Always
Severity: major → normal
Priority: -- → P3
Target Milestone: --- → Future
Status: UNCONFIRMED → NEW
Ever confirmed: true

Updated

8 years ago
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 507317
Verified duplicate.
Status: RESOLVED → VERIFIED
(Reporter)

Comment 3

8 years ago
I don't understand why it's marked as a duplicate. Yes, that bug is somehow related, but they are not really identical. The Bug Writing Guidelines say we should **strictly report one bug per ticket**. Don't group similar bugs together.

This is a bug about the design flaw of private collections. A user expects their collection to become private when:
(1) they mark the collection as private at the start
(2) they change their mind later and change this collection from public to private

However, the collection won't be private in either Case 1 or Case 2 because of how private collections actually work. But the search engine is only part of the problem. It isn't the whole of the problem.

Bug 507317 is about collections being exposed in addons.mozilla.org because of some bugs found in the website, leading to private collections being indexed/cached. The problem is not caused by the reasons indicated by Bug 507317. All comments in Bug 507317 are not really relevant to this one either. Don't group similar bugs together please. It's hard to keep track of it.
Status: VERIFIED → REOPENED
Resolution: DUPLICATE → ---

Updated

7 years ago
Status: REOPENED → RESOLVED
Last Resolved: 8 years ago → 7 years ago
Resolution: --- → FIXED
(Assignee)

Updated

2 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard