 
I use my phone camera to take pix of receipts for expense reports. I just add them to an Open Office doc, PDF it, and send it internally to our expense system. Quick and easy, never leaves the VPN so it's relatively secure.

Today a buddy sent me a link to his Picasa album. Because I was logged into G+, I also saw "my" Picasa interface. I didn't know I had a Picasa account.

There were all my pix of receipts, with my credit card number plainly visible on several of them.

I never signed up for Picasa, mind you. Apparently when I installed the G+ app to my phone, I agreed to let it post pix from my phone. I didn't know, or I missed that I also agreed to automatically upload EVERY SINGLE PICTURE I take to Google/Picasa. I was not aware of that, and would NEVER have agreed to do so had I been aware. I'm seriously pissed off. Some of those pix have been there for months.

I have no idea whether anyone had access to them, or if they're still on Google somewhere even though I deleted the album. Basically, I'm now calling my corporate card provider and asking for a new number and card. This SUCKS - all my airlines, car rental places, my cell phone provider and several other places direct bill my card. I'm going to have to go mess with probably a dozen or more accounts.

Now, to be fair - I have no doubt that this was user error, but I think I'm a relatively savvy user, and I generally read stuff pretty carefully when it comes to sharing my info. I completely missed that it was going to upload every single picture I took. If I missed it, there's a good chance others have as well.

Be real aware of what G+ is doing on your phone!
24 comments
 
Opt-In should be default everywhere. Opt-Out is #fail. :-(
 
To be clear - I probably did opt-in, inasmuch as I remember being asked if I wanted to post pix.

I just don't recall seeing that it would silently post everything in the background. That is absolute #fail.
 
Are you sure you're not overreacting? I thought the notice about G+ auto-upload was super obvious. Seemed to me like if I didn't answer "Yes" when it popped up, then it would not have been enabled.

Anyway, it sounds like G+ isn't for you, Thomas. I really like the auto-upload feature. Also, are credit card numbers really a major security concern, since they can be auto-generated at random (CCV and all) by lots of different programs out there, and so long as you check your statement once a month and report any unauthorized charges, you shouldn't ever be responsible for fraudulent charges?

Don't get me wrong, I understand your point here. Seems like the release of G+ is creating two schools of social networking fans (FB vs. G+), ala Apple vs. M$. FB has always scared the shit out of me (I honestly believe Zuck is straight-up evil), and Apple just makes me sick with their high prices and draconian M.O., but we all gotta pick something (or nothing, I suppose, but who wants that?). As my boss recently said, "Marshall drinks the Google kool-aid." Pick your poison, right?

Btw, linux runs my servers and most of my desktops, though I still use Windows for gaming every now and then :)

Also, those instant upload pics are always private unless you explicitly share them.
 
If anyone is reading this and wants to check if they mistakenly enabled this feature:
In the G+ Home screen (on Android), go to menu, select Settings and there is an Instant Upload section with full description and further options. Un-tick to disable.
 
After reading your post, I checked my Picasa as well. There is an "Instant Upload" album that contains all the pics taken with my phone, but it is only visible to me. It has a little lock icon beneath the album icon.
Drew M
 
The photos are private, there is no way anyone can access them without making them accessible to others via a post or changing the privacy settings of that photo.
It is a clear box to check/uncheck, I can't remember if it was opt out, but it's his own silly fault that he didn't read it correctly when signing up for G+. It is a good thing to have it as opt-out as it will auto back up all photos and make them very easy to share. Had you shredded those documents and realised he needed a copy you would be happy now.
 
There is a notification when you install the app that asks if you want to enable 'instant upload'. It is checked on by default but you can uncheck it right there. The album you upload to is private and is unable to be made public. You have to manually click on the photo and click 'share' and select people for anybody to be able to see it. They can also be removed from the album. They are not stored anywhere else.
 
Also, the uploads are not transparent. There is a notification every time (at least on Android).
 
Instant Upload albums are set to private on creation, and only go public if you explicitly choose.

That said, this is not an intended consequence of the Instant Upload feature, so I'll file a bug with both G+ and Picasa.
 
I'm not pro- or anti-Google+ or Facebook. I think they're very different, and I like both of them.

My point was that although I'm not the sharpest tool in the shed, I'm also not stupid (I think). If I missed the intent of the uploader thing, others might have as well.

And the argument "oh, don't worry, it's private" just doesn't hold water. It's a foolish attitude. Google is just as likely to be exploited as anyone else (see e.g. http://www.readwriteweb.com/cloud/2010/09/googles-internal-security-brea.php). Once Google has something, don't believe for a second that because you delete it, it's actually gone.

This was only intended as a friendly warning to others - if you breezed through setup like I apparently did, this is somewhat easy to miss.
 
I vaguely remember that screen, Thomas. But looking at the screen cap, I imagine that when I read it, I thought "ah, cool, I can upload pix if I want to, just like I can on FB and Twitter." I didn't realize, or didn't pay attention to the fact that it was uploading all of my pix without prompting. Again, to be clear - I didn't read or absorb the message. This is my fault for not reading more deeply. But it SUCKS that the default behavior is opt-in and that it is not made really clear that every picture you take is going to be uploaded to Google. Had I realized that I would not have accepted it.
 
And, really - apps typically have that HUGE EULA that no one reads. I'm ashamed to admit that I don't really pay much attention to them any more, they're all legalese crap. I am willing to bet that I just saw "upload pictures" and thought "yeah, ok, I might want to someday, so yes" and clicked through. My bad!
 
If nothing else, this cautionary tale reminds us how the deluge of dialog boxes and EULAs has really numbed us to the ones to which we need to pay attention. And that's no judgment on TC either, he's not the first smart person I've seen caught by this. (Don't let him fool you into thinking he's not sharp!) ;-)
 
Totally does, Justin. You articulated much better what I was trying to get across. I got complacent, a pretty easy mistake to make, and it bit the crap out of me.
 
John - yup, been using it for a few weeks now.
Drew M
 
Thomas, to say that just because you've deleted out from Google it's not gone is a bit obvious really. These days whenever you delete any form of digital media, be it on a hard drive, a phone or any online backup, there will remain some kind of traceable copy. A hard drive can be recovered remotely and an email can be hacked. Google is just as safe as any other media, in that there are ways to get these things and it's not that safe. If a document is that important and that confidential take out on a digital camera encrypt it and send out then destroy the memory card.

Google's rules are taken out of context, for the picture to be shared you have to give Google permission to redistribute it, it's not that they will sell your pictures especially if they're private.
 
Camscanner doesn't seem subject to the problem. That said, I had a similar shock when I first installed G+. It's not obvious what that checkbox means until you find that first unintended upload. Lucky for me, I do use Picasa so I caught it quickly.
 
Interesting twist to this story: Over here in Europe we have quite strict regulations that do not allow this kind of opt-out setup. Opt-in is the official default according to our laws. And behold! Android in EU has this checkbox deselected by default and you have to actively activate it. Seems we are treated a bit better ...
 
I also don't want to know how many people on a capped contract are surprised to find out they have to pay a huge bill as the traffic amounts went through the roof ...
 
Hmmm... not sure if I can say that they don't deserve that. I am also guilty of skipping the EULA on products but I still noticed the huge check box that said 'would you like to instantly upload your pictures?'.