Big privacy changes at SmugMug
I told you we’d listen.
After Philipp brought the issue up, we carefully listened to both our current customers and our potential would-be customers. Our current customers were a mixed bag. Luckily, most didn’t care one way or the other. Of those who did care, many didn’t want this change. :( But it was clear that lots of potential customers did. And as I said in my initial post, “Philipp is absolutely right.”
So we fixed the problem.
We made two big mistakes with this situation, one technical and one around setting user expectations. I was dumb for using autoincrement IDs alone, and we were dumb for calling the gallery setting ‘Private’ when that wasn’t clear enough. “Private” means different things to different people, and we should have known better. Both of these things, I believe, have now been remedied.
Here are the gory details and we have a dgrin thread with more:
- Your new galleries, photos, and videos are more private, and secure, than ever before.
- GUIDs did turn out to be both messy and expensive, as I thought they would be. We opted not to go that route.
- Instead, we created Keys for galleries and photos/videos and appended them to the relevant URLs. Kudos to Barnabus for planting this seed.
- The keys are made of 57 possible alphanumeric characters, and are 5 characters long, making the search space 57^5, or 601,692,057, strong. In theory, still guessable, but in practice, prohibitively expensive/difficult to do. Not to mention the fact that you have all the usual additional security and privacy settings you can turn on.
- Yes, this made our permalinks uglier. No, we’re not happy about it. But we think the tradeoff is worth it.
- Yes, older galleries and photos/videos are grandfathered. Their old URLs without the Keys still work. All new photos/videos, as well as old photos/videos inside of new galleries, require Keys to access. Same with new galleries.
- If you don’t want your older stuff grandfathered, simply create a new gallery and move your photos & videos from your old gallery into the new one. Key’d links will instantly be required for access (if you change your mind, just move them back and they’ll be re-grandfathered). Alternatively, you can set a password and turn off external links.
- The privacy options when creating a gallery and changing a gallery’s setting now use “Public” and “Unlisted” rather than “Public” and “Private” to better explain the difference and match customer expectations.
- When creating a new gallery, there’s a new option called “Lock it down” that’ll take things a step further and set all the right privacy *and* security settings to prevent unwanted access.
- This is a big, complicated release, so there will likely be bugs and bumps along the way. Let us know if you find any and I promise we’ll fix them.
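The key scheme and grandfathering rule from the list above, sketched as an added example (this is not SmugMug's code). The 57-character alphabet, the record field names and the 100 requests/second rate are assumptions; the post gives only the alphabet size and key length.

```python
import hmac
import secrets
import string

# Assumption: the post gives only the alphabet size (57). Dropping five
# look-alike characters from the 62 alphanumerics is one way to reach it.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in "0O1lI")
KEY_LEN = 5
SEARCH_SPACE = len(ALPHABET) ** KEY_LEN  # 57**5, the figure quoted in the post


def new_key():
    """Draw a key from the OS CSPRNG so it cannot be derived from the ID."""
    return "".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN))


def may_serve(photo, gallery, supplied_key):
    """Decide whether a URL for this photo resolves.

    Keyless access survives only when both the photo and the gallery that
    currently holds it predate the change (the grandfathering rule).
    """
    if photo["legacy"] and gallery["legacy"]:
        return True
    if supplied_key is None:
        return False
    # Constant-time comparison; bytes so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(supplied_key.encode(), photo["key"].encode())


def expected_days_to_guess(requests_per_second):
    """Average time to hit one object's key at a given request rate."""
    return SEARCH_SPACE / 2 / requests_per_second / 86400


# Constructed sample records (hypothetical field names).
OLD_GALLERY = {"id": 1001, "legacy": True}
NEW_GALLERY = {"id": 1002, "legacy": False}
OLD_PHOTO = {"id": 5001, "legacy": True, "key": new_key()}
NEW_PHOTO = {"id": 5002, "legacy": False, "key": new_key()}

if __name__ == "__main__":
    print(may_serve(OLD_PHOTO, OLD_GALLERY, None))   # grandfathered
    print(may_serve(OLD_PHOTO, NEW_GALLERY, None))   # moved: key required
    print(may_serve(NEW_PHOTO, NEW_GALLERY, NEW_PHOTO["key"]))
    print(round(expected_days_to_guess(100), 1))
```

The time estimate depends entirely on the request rate the service tolerates, so a key this short relies on rate limiting and on the password and external-link settings for anything sensitive.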
I’m sorry this change took so long to ship. We were actually in testing last Thursday, January 31st, but then I was traveling from Friday to Wednesday, so we had to put it off. Thanks for your patience while we thought about the problem, discussed it with our community, and put together an update.
Special thanks to our customers and friends who weighed in with lots of detail both about the problem and the implementation, and Philipp for being so passionate and firm about the situation.
We’d love to hear your thoughts about this either here in the comments or over on this dgrin thread.
You say “[…] this change took so long to ship” but I think it was fast enough considering all the possible implications and variations. It’s nice to see a big company like smugmug listening to its users and beyond :)
I was trying to decide between SmugMug and Flickr for my first online album. I am not an avid photographer, so Flickr’s price tag had a certain appeal :)
But the openness and quickness with which you dealt with this issue, and the way you involved your users and other commentators has earned my respect, and put me firmly in SM camp. I will be signing up soon.
Kudos to you (and your team) for an excellent job.
I’m glad you did this. I already have an account and I understood the distinction between private and public when I opened it. I wasn’t completely happy that it was so easy to guess an album but I don’t really have anything that needs to be hidden that well and still be accessible without a password, so I wasn’t concerned. (I guess it was more of a technical concern than practical and practice is what matters).
But still, I’m happy with this change and how quickly you turned it around. The naming change from Private to Unlisted is probably the most important part so people are more aware of what it means.
I used to have my pictures on another website that would talk about quick fixes when bugs came up but it rarely happened. That’s what drove me away, so keep up the good work!
You guys are awesome. Undoubtedly the best photo site on the web for consumers or pros. Keep up the great work, openness and uncompromising user support.
You guys rock as always! I am impressed with the speed in which this was taken care of.
At first I was a little concerned about some of the loopholes, although I didn’t see them as critical, I was impressed that you were willing to address it publicly and openly.
You have made us aware of the problems, listened to our concerns, and acted quickly. For that you have earned more of my respect.
> I wasn’t completely happy that it was so easy
> to guess an album but I don’t really have
> anything that needs to be hidden that well
> and still be accessible without a password,
> so I wasn’t concerned.
Mark, just to clarify in case you missed this: photos set to password-protection also showed up publicly when iterating image IDs. So even if you set your old album to password protection and private, its pics were publicly crawlable — only disabling external linking stopped the pics from showing when iterating IDs. Not sure what the current status is as we didn’t test the site for some time now, but if old galleries remain unfixed, all that would still be the case — maybe Don can clarify if that’s the case or not.
This is a good fix for the problem. However, if technically possible, you should add the possibility of opting out of this feature (the new alphanumerical key). In my case I am not that concerned about privacy as I am about ease of use (I handle a very large quantity of galleries). Good job!
Wow, that was quick! Personally, I have no problem with the way it worked before. It worked the way I was expecting, having read through the options. But you’ve definitely done your customers (and future customers) a good turn by making these changes.
I just checked the holes I found last week. The bugs that allowed me to view an image where external linking was even disabled have now been fixed, even on the old images. With the addition of the imagekey on the images it locks images down even tighter so that it will be harder for hackers to even find such holes in the future, and it prevents the ability to just iterate through images.
If you want the images protected, then they need to be password protected, and external linking disabled. Password protecting essentially locks the front door, while disabling external linking locks the back door, all windows, and covers the windows.
It would be very nice if you would start issuing API keys again…
Love it! You got me so excited to get one and start shooting video!