Private highlights are not private; they're public at Diigo About and elsewhere - 127 views

• 
  #1 Graham Perrin on 09 Jun 09

   

  I normally do not disclose security/privacy issues in the forum but this bug, or something like it, has cropped up a few times in the past. Maybe this is a regression. Here goes:
  
  Using Diigo toolbar in Firefox 3.0.10, I take the sidebar option to
  See: only Private Annotations
  
  Then: I add my two highlights, which Diigo describes as private.
  
  Bug
  
  http://about.diigo.com/about/http%3A%2F%2Fwww.wired.com%2Ftechbiz%2Fit%2Fmagazine%2F16-03%2Fff_free%3FcurrentPage%3Dall reveals private highlights to the public.
  
  See also
  
  need help understanding highlighting function in groups (2008-04)
  
  Private highlight showing up on RSS feeds (2008-05)
  
  Q: Highlighting and privacy? (2008-05)
  
  Option for Private as Default for Annotations needed (2008-12)
  
  Diigolet should allow the user to prefer obscurity as a default for new bookmarks (2009-01)
  
  Question about privacy of my sticky notes and bookmarks, and group sharing (2009-01)
  
  public and private highlights, and public/private/group stickies and comments (2009-04)
  
  so highlighting is NOT private...? (2009-05)

   

  <div class="cArrow"> </div><div class="cContentInner">I normally do not disclose security/privacy issues in the forum but this bug, or something like it, has cropped up a few times in the past. Maybe this is a regression. Here goes: <br /> <br /> Using Diigo toolbar in Firefox 3.0.10, I take the sidebar option to <br /> <i>See: only Private Annotations</i> <br /> <br /> Then: I add my two highlights, which Diigo describes as <i>private</i>. <br /> <br /> <b>Bug</b> <br /> <br /> <a href="http://about.diigo.com/about/http%3A%2F%2Fwww.wired.com%2Ftechbiz%2Fit%2Fmagazine%2F16-03%2Fff_free%3FcurrentPage%3Dall" rel="nofollow" target="_blank">http://about.diigo.com/about/http%3A%2F%2Fwww.wired.com%2Ftechbiz%2Fit%2Fmagazine%2F16-03%2Fff_free%3FcurrentPage%3Dall</a> reveals private highlights to the public. <br /> <br /> <b>See also</b> <br /> <br /> <a href="http://groups.diigo.com/Diigo_HQ/forum/topic/need-help-understanding-highlighting-function-in-groups-3019" rel="nofollow">need help understanding highlighting function in groups</a> (2008-04) <br /> <br /> <a href="http://groups.diigo.com/Diigo_HQ/forum/topic/private-highlight-showing-up-on-rss-feeds-3784" rel="nofollow">Private highlight showing up on RSS feeds</a> (2008-05) <br /> <br /> <a href="http://groups.diigo.com/Diigo_HQ/forum/topic/q-highlighting-and-privacy-3953" rel="nofollow">Q: Highlighting and privacy?</a> (2008-05) <br /> <br /> <a href="http://groups.diigo.com/Diigo_HQ/forum/topic/option-for-private-as-default-for-annotations-needed-8935" rel="nofollow">Option for Private as Default for Annotations needed</a> (2008-12) <br /> <br /> <a href="http://groups.diigo.com/Diigo_HQ/forum/topic/diigolet-should-allow-the-user-to-prefer-obscurity-as-a-default-for-new-bookmarks-9588" rel="nofollow">Diigolet should allow the user to prefer obscurity as a default for new bookmarks</a> (2009-01) <br /> <br /> <a href="http://groups.diigo.com/Diigo_HQ/forum/topic/question-about-privacy-of-my-sticky-notes-and-bookmarks-and-group-sharing-41017" rel="nofollow">Question about privacy of my sticky notes and bookmarks, and group sharing</a> (2009-01) <br /> <br /> <a href="http://groups.diigo.com/Diigo_HQ/forum/topic/public-and-private-highlights-and-public-private-group-stickies-and-comments-43929" rel="nofollow">public and private highlights, and public/private/group stickies and comments</a> (2009-04) <br /> <br /> <a href="http://groups.diigo.com/Diigo_HQ/forum/topic/so-highlighting-is-not-private-45791" rel="nofollow" target="_blank">so highlighting is NOT private...?</a> (2009-05)</div>

  ...

  Cancel
• 
  #2 Wade Ren on 09 Jun 09

   

  good question. We have decided to use the term "personal highlight" in place of "private highlight" .
  
  basically, you can see "personal highlight" if you visit that user's bookmarks.

   

  <div class="cArrow"> </div><div class="cContentInner">good question. We have decided to use the term "personal highlight" in place of "private highlight" . <br /> <br /> basically, you can see "personal highlight" if you visit that user's bookmarks.</div>

  ...

  Cancel
• 
  #3 Michael Stiso on 09 Jun 09

   

  Is there no way to make private highlights, then, other than by making the whole bookmark private?

   

  <div class="cArrow"> </div><div class="cContentInner">Is there no way to make private highlights, then, other than by making the whole bookmark private? </div>

  ...

  Cancel
• 
  #4 Wade Ren on 09 Jun 09

   

  correct. if you make the bookmark public, others can see your personal highlights (as sort of clips) when they visit your bookmarks on the diigo site. but your private sticky notes will always stay private

   

  <div class="cArrow"> </div><div class="cContentInner">correct. if you make the bookmark public, others can see your personal highlights (as sort of clips) when they visit your bookmarks on the diigo site. but your private sticky notes will always stay private </div>

  ...

  Cancel
• 
  #5 Graham Perrin on 09 Jun 09

   

  Wade Ren wrote:
  
  > use the term "personal highlight" in place of "private highlight" .
  
  That's less troublesome, but still troublesome: personal is often equated with private.
  
  Suggestions
  
  1. Stop using an adjective, so for example
  
  highlight by Wade Ren
  
  - noun and ownership suffice :)
  
  2. Announce and explain the change
  
  - so that people can (i) review their bookmarks then (ii) convert to private any bookmark that is unintentionally public.
  
  Big thanks!
  
  Graham

   

  <div class="cArrow"> </div><div class="cContentInner">Wade Ren wrote: <br /> <br /> > use the term "personal highlight" in place of "private highlight" . <br /> <br /> That's less troublesome, but still troublesome: <a href="http://www.macmillandictionary.com/dictionary/british/personal" rel="nofollow"><i>personal</i> is often equated with <i>private</i></a>. <br /> <br /> <b>Suggestions</b> <br /> <br /> 1. Stop using an adjective, so for example <br /> <br /> <i>highlight by Wade Ren</i> <br /> <br /> - noun and ownership suffice :) <br /> <br /> 2. Announce and explain the change <br /> <br /> - so that people can (i) review their bookmarks then (ii) convert to private any bookmark that is unintentionally public. <br /> <br /> Big thanks! <br /> <br /> Graham</div>

  ...

  Cancel
• 
  #6 Wade Ren on 10 Jun 09

   

  the reason that we use "personal highlight" instead of "highlight" is that this type of highlights will not be seen on the original page by anyone else (except through annotated link) .
  
  This makes it different from "public" or group highlights that others can see on the page.

   

  <div class="cArrow"> </div><div class="cContentInner">the reason that we use "personal highlight" instead of "highlight" is that this type of highlights will not be seen on the original page by anyone else (except through annotated link) . <br /> <br /> This makes it different from "public" or group highlights that others can see on the page. </div>

  ...

  Cancel
• 
  #7 Graham Perrin on 11 Jun 09

   

  If you're going to describe it as anything, describe it as public.
  
  Personal will be misleading to some users.

   

  <div class="cArrow"> </div><div class="cContentInner">If you're going to describe it as anything, describe it as public. <br /> <br /> Personal will be misleading to some users.</div>

  ...

  Cancel
• 
  #8 Graham Perrin on 27 Jun 09

   

  1. sign out from Diigo
  
  2. browse,
  
  http://www.diigo.com/user/Grahamperrin?tab=9
  http://www.diigo.com/user/Joel?tab=9
  http://www.diigo.com/user/Maggie?tab=9
  http://www.diigo.com/user/Wade?tab=9
  
  3. for any bookmark, click All annotations or Expand.
  

  ---

  
  
  It's all there, with our names all over it. The personal and the public stuff (but nothing private), all together. Plain as day, to the public.
  
  It's all blended, all obvious. Why bother to describe a fraction of that stuff as personal?
  
  Suggestion
  
  Just name these things annotations, comments, highlights, whatever.
  
  Adding personal to the names is misleading, and ultimately unnecessary.

   

  <div class="cArrow"> </div><div class="cContentInner">1. sign out from Diigo <br /> <br /> 2. browse, <br /> <br /> <a href="http://www.diigo.com/user/Grahamperrin?tab=9" rel="nofollow" target="_blank">http://www.diigo.com/user/Grahamperrin?tab=9</a> <br /> <a href="http://www.diigo.com/user/Joel?tab=9" rel="nofollow" target="_blank">http://www.diigo.com/user/Joel?tab=9</a> <br /> <a href="http://www.diigo.com/user/Maggie?tab=9" rel="nofollow" target="_blank">http://www.diigo.com/user/Maggie?tab=9</a> <br /> <a href="http://www.diigo.com/user/Wade?tab=9" rel="nofollow" target="_blank">http://www.diigo.com/user/Wade?tab=9</a> <br /> <br /> 3. for any bookmark, click <i>All annotations</i> or <i>Expand</i>. <br /> <hr /> <br /> <br /> It's all there, with our names all over it. The personal and the public stuff (but nothing private), all together. Plain as day, to the public. <br /> <br /> It's all blended, all obvious. Why bother to describe a fraction of that stuff as personal? <br /> <br /> <b>Suggestion</b> <br /> <br /> Just name these things <i>annotations</i>, <i>comments</i>, <i>highlights</i>, whatever. <br /> <br /> Adding <i>personal</i> to the names is misleading, and ultimately unnecessary.</div>

  ...

  Cancel
• 
  #10 Pariah Burke on 01 Aug 09

   

  Rather than look for a means of changing the descriptive language to cover a bug, why not actually fix the bug?
  
  I added highlights and annotations to several sites whose bookmarks were not public, yet Diigo exposed my comments and highlights any way. Worse, it published them elsewhere, which, for me, is published everywhere (my "public" Diigo bookmarks publish to Delicious; Delicious feeds to Ping.fm; Ping.fm posts to Facebook, Twitter, FriendFeed, MySpace, and others).
  
  I TRIED using Diigo to annotate required changes directly on pages for a client Website residing on my development server. I made the comments while in a digital meeting with my client, sharing my screen, and the audience for the annotations (after the end of the meeting) was me alone. Much to my embarrassment I noticed lots of hits to those pages over the next couple of hours. Diigo didn't keep my "private" annotations private; instead it pushed them to Delicious, which, in turn, ultimately published them to Facebook, Twitter, and two dozen other social media sites in which I participate.
  
  Why not simply give users the ability to genuinely create private notes and annotations? That would be a much more valuable service than public versus pseudo-public notes and annotations.

   

  <div class="cArrow"> </div><div class="cContentInner">Rather than look for a means of changing the descriptive language to cover a bug, why not actually fix the bug? <br /> <br /> I added highlights and annotations to several sites whose bookmarks were not public, yet Diigo exposed my comments and highlights any way. Worse, it published them elsewhere, which, for me, is published everywhere (my "public" Diigo bookmarks publish to Delicious; Delicious feeds to Ping.fm; Ping.fm posts to Facebook, Twitter, FriendFeed, MySpace, and others). <br /> <br /> I TRIED using Diigo to annotate required changes directly on pages for a client Website residing on my development server. I made the comments while in a digital meeting with my client, sharing my screen, and the audience for the annotations (after the end of the meeting) was me alone. Much to my embarrassment I noticed lots of hits to those pages over the next couple of hours. Diigo didn't keep my "private" annotations private; instead it pushed them to Delicious, which, in turn, ultimately published them to Facebook, Twitter, and two dozen other social media sites in which I participate. <br /> <br /> Why not simply give users the ability to genuinely create private notes and annotations? That would be a much more valuable service than public versus pseudo-public notes and annotations.</div>

  ...

  Cancel
• 
  #11 Graham Perrin on 02 Aug 09

   

  An underlying issue:
  
  * in some environments, simply drawing a highlight - of any description - creates a new bookmark that is public, without notifying the user that publicity occurs
  
    - as your bookmark is publicised, so your highlights are publicised
  
  * after the event (creation, public), each such bookmark must be corrected (conversion to private).
  
  At http://groups.diigo.com/Diigo_HQ/forum/topic/9588#10 (not the clearest of topics, sorry) I suggest that the user should be allowed to prefer private as a default for new bookmarks.
  
  Without this basic preference - privacy from the outset, at the level of the bookmark - discussions of privacy at other levels beomce relatively meaningless. We (Diigo Community) go round and round in circles on this one. And round.
  
  

  ---

  
  Pariah Burke wrote:
  
  > fix the bug
  
  > I added highlights and annotations to several sites whose
  > bookmarks were not public, yet Diigo exposed my comments and
  > highlights any way.
  
  To help debug your particular situation(s) please, could you post details to a separate topic? Thanks. We'll need to know things like:
  
  * your operating system, and version
  * your browser, and version
  * whether you used Diigolet
  * whether you used an installed version of Diigo
  * if an installed version, the version number
  * if an installed version, and if you used more than one computer, whether you preferred privacy as your default in each and every one of the installations
  * etc.
  
  Thanks.

   

  <div class="cArrow"> </div><div class="cContentInner">An underlying issue: <br /> <br /> * in some environments, simply drawing a highlight - of any description - creates a new bookmark that is <b>public</b>, without notifying the user that publicity occurs <br /> <br />   - as your bookmark is publicised, so your highlights are publicised <br /> <br /> * after the event (creation, public), each such bookmark must be corrected (conversion to private). <br /> <br /> At <a href="http://groups.diigo.com/Diigo_HQ/forum/topic/9588#10" rel="nofollow" target="_blank">http://groups.diigo.com/Diigo_HQ/forum/topic/9588#10</a> (not the clearest of topics, sorry) I suggest that the user should be allowed to prefer private as a default for new bookmarks. <br /> <br /> Without this basic preference - privacy from the outset, at the level of the bookmark - discussions of privacy at other levels beomce relatively meaningless. We (Diigo Community) go round and round in circles on this one. And round. <br /> <br /> <hr /> <br /> Pariah Burke wrote: <br /> <br /> > fix the bug <br /> <br /> > I added highlights and annotations to several sites whose <br /> > bookmarks were not public, yet Diigo exposed my comments and <br /> > highlights any way. <br /> <br /> To help debug your particular situation(s) please, could you post details to a separate topic? Thanks. We'll need to know things like: <br /> <br /> * your operating system, and version <br /> * your browser, and version <br /> * whether you used Diigolet <br /> * whether you used an installed version of Diigo <br /> * if an installed version, the version number <br /> * if an installed version, and if you used more than one computer, whether you preferred privacy as your default in each and every one of the installations <br /> * etc. <br /> <br /> Thanks.</div>

  ...

  Cancel

To Top