Any Google Photos media (photos, videos) you share becomes public
Google Photos is a popular photo hosting service and application that millions of people use on a daily basis. Part of its popularity comes from the fact that the service is deeply integrated into most Android devices.
Google Photos supports management features including options to view photos, create albums, and share photos or albums with others.
Sharing works fluently; if you use the web version, all you have to do is pick one or multiple photos or albums, and hit the share button to get started.
You can create links to the selection, share the selection with select Google contacts, or on Facebook or Twitter.
Tech savvy Internet users may well be aware that the selected photos need to be publicly available if the "create link" sharing option is selected. They too, might not know however, that this is also the case if you share photos with Google contacts.
In fact, regardless of which share option you select, all photos and video files that you share are publicly accessible the moment you execute the command.
You can try it out yourself by opening this URL. I shared an image with Ghacks' author Mike, but you will notice that you can view it just fine.
Google confirms this on a support page but does not highlight the fact in the share interface where it would be more appropriate.
Google uses obfuscation of the address as the only defense against unauthorized access. The structure of the URL makes it unlikely that anyone may guess the URL to access photos unless a flaw in the algorithm is found to improve predictions.
Obfuscation may prevent brute force attempts but third-parties may get hold of links to shared media on Google Photos through other means such as network monitoring, accidental sharing, or unencrypted email.
Anyone with access to the link may view the shared media, even if they are not signed in to a Google Account.
Robert Wiblin published his findings on Medium noting that Google Photos does not reveal the fact to the customer. There is also no information that Google customers may look at to determine how often and by whom the shared photos were viewed.
To make matters worse, the service offers no information on how shared media can be disabled so that others may not access it anymore. Google Photos users need to access the sharing menu, https://photos.google.com/sharing, hover over the album, click on the menu that appears, and select "delete album" to delete the album or hunt down the option to stop sharing the link in the album options.
Google Photos uses a different system than Google Drive even though the interfaces look very similar. When you share a file using Google Drive, only selected recipients may access it initially unless the user explicitly changes the visibility.
Closing Words
There is nothing wrong with sharing media using Google Photos provided that you know that these images and videos will only be protected by the URL. Google should make this clear right there in the share menu and maybe consider integrating the Google Drive share functionality to make it possible to share photos and videos with individuals and groups without making them public.
Google users who don't want shared media to become publicly accessible may want to consider using Google Drive instead for the sharing, or use third-party services like Microsoft's OneDrive which support password protections and expiration dates.
Now You: What is your take on this?
People don’t give a f&#% about privacy nowadays. They even attack you if you uncover security/privacy problems. I wonder where this world is rolling ….
From my point of view, it is really the security issue. The fact that you want to share the pictures only with selected people has certain reasons. One of them mostly is that you do not want to share the pictures with other “anybody”. I like google photos features and utilities, they work fine, are easy and straightforward. I was thinking to extend my google storage and start to pay for it, to have enough space to make a copy of most of my pictures and easily share them with people who I want to select. Unfortunately, when I can copy the link of the shared album, paste it into the anonymus web browser and see there all the pictures, I start to change my mind. With this sharing politics, I can immediatly upload everything at facebook or instagram for free and not spend any money for the storage space!
Compressed low res photos tho & worst of all…you have to use facebook.
Don’t see what the big deal is. If you don’t like link sharing then just share directly with the person through the photos app on your phone. Problem solved. This doesn’t seem as bad as you are making it out to be.
problem not solved, AFAICT, since that sharing generates the same type of link that is unlisted but, if known, accessible from any computer without logging in to a specific google account.
This is equivalent to a password. Stop spreading FUD.
Quelle surprise!
Just a few days ago I’d updated Google Photos on my mobile, decided I didn’t like the new version and *attempted* a revert only to be hounded with pop-ups now telling me [I don’t know what I’m missing out on by not updating]! So I got suspicious even before I’d read this post…..
I’m using “Gallery” from F-Droid now, and have disabled and cleared Google Photos. I hope this is a good move…
Anyways, with the rumours I’ve seen online lately, I’m trusting Google less and less every day — not that I’d not had high trust in it to begin with — and I’m slowly moving away from as many Google services as possible, perhaps *all* of them, eventually!
Thanks again, Martin!
As previous posters wrote, this is common practice. Apple, Google, Microsoft are all doing the same, they all should be exposed. iphone is not a privacy phone like many naive people think. Another example, Office 365 has just been declared illegal in our schools in Germany due to privacy risks, but there are naive people who still think that it’s more private than Google Docs.
About a year ago Photos/Google started tweaking the unlimited free storage we’ve been accustomed to, “archives” got more aggressive, photos that normally sat for years, in your library, started disappearing all together. Previous comment hit on it: pay for storage, or We’ll humiliate You!!! My Dr. asked that I track my skin conditions’ progress with pictures – before I knew that sharing changed! 😵
Its pretty clearly stated in an album sharing prefs. Not saying its right, just saying they aren’t hiding it.
“Anyone with the link can see these photos and the people who’ve been invited or joined”
Never using a google app for the past 7 years. The concept of free and open source concept in Android was tampered by google; Since the Android Kernel is based on Linux.
Rooting an Android phone and removing all the google apps is the best practice. Side loading apk files from trusted sites is the second step. The third step is disabling MIC for a specific period of time [While on mobile data or WiFi], otherwise battery will drain out quickly.
Android developers must seriously consider to develop more useful open source microphone muting applications [battery friendly]. More people must invest in open source privacy apps against google monster through crowd funding.
People must unite to kill these bugging monsters. Never ever use a google app. Before 2019, the motto was Google is evil. Now the motto is Google is poop; never ever touch it.
Are you being hit with notices about people who look at your photo?
Since the demise of Google+ my feedback on Photos includes the lack of security and control over who sees shared photos. Another is is if you create then share a folder with one person, they are able to share it with whoever they like without you approval. Google either hasn’t thought about the implications or they don’t care that shared photos may be misused.
As Anonymous said above – this is common practice. Even Apple’s iCloud is able to create unique, hard to guess link to shared gallery which is viewable by users without iCloud account.
“To make matters worse, the service offers no information on how shared media can be disabled so that others may not access it anymore. Google Photos users need to access the sharing menu, https://photos.google.com/sharing, hover over the album, click on the menu that appears, and select “delete album” to terminate third-party access to it.”
Regarding this paragraph. You don’t need to delete the album to stop shared access to it do you? If you navigate into the album, click more options then click on options, you can now toggle link sharing off and the album should revert back to private. Not happy that it is publicly accessible because that would mean the shared library between my wife and I is also publicly accessible wouldn’t it? Every week I am getting new reasons to go to a paid O365 subscription account…
“Not happy that it is publicly accessible because that would mean the shared library between my wife and I is also publicly accessible wouldn’t it?”
How would “the public” “access” the photos shared with your wife, exactly?
This whole concept is largely click bait and rolls around every while, becoming no more meaningful with each retelling.
At some point this will get small enough traffic that it will finally stop recurring, nothing will have changed but the overall level of education and awareness of users I suppose.
Andrew you are right, I have added the info. Google still needs to address this and make it clearer, in my opinion.
So they are not really Private. Just “Unlisted” like YouTube has as one of the options.
The “URL as a password” approach is also used by privacy oriented file sharing services, so it’s probably ok in itself. Example :
https://upload.disroot.org/r/b9EFgmac#QuWPaWJDbwGnZfmvkEzcchQRomuVU/jy93MBuetz4oA=
The main problem in the Google Photos case according to your description seems to be the insufficient information to users that the URL should be treated as a password because it works for everybody.
I dont see what the big deal is. If I upload a pic to
Dropbox or Drive & share the link..anyone with the link can view only.
If I add someone to view an album in Photos , I don’t need to turn on link sharing.