[liberationtech] question about browser/Gmail subject line / browser history exposure

Robert Guerra rguerra at privaterra.org
Wed Jul 4 05:55:11 PDT 2012


Katrin,

Likely what is being displayed is the HTML page title, which Google updates for each email that is viewed or composed.

The data being displayed is sensitive data and, as such, would likely have been included in the privacy impact analysis that all GNI companies need to do. If there's a variation between them on this, then that should be pointed out.

Robert

--
R. Guerra
Phone/Cell: +1 202-905-2081
Twitter: twitter.com/netfreedom 
Email: rguerra at privaterra.org

On 2012-07-04, at 7:52 AM, Katrin Verclas wrote:

> Hi all -- 
> 
> Question for you: A colleague noticed in an Internet cafe (in a repressive country) that in Firefox and Chrome the browser history reveals the subject line of Gmail. The history also reveals the name of the person a user Facebook-messaged and profile pages visited. The same was not true for Yahoo or Hotmail.
> 
> See below for a sample screenshot that illustrates what I am talking about (using the latest version of FF on Mac OS). It seems to be a function of Gmail/FB, not the browser (same happens in Chrome and Safari, did not try for IE). As I said, Yahoo mail and Hotmail do not reveal the subject line in the history as far as we could see.
> 
> So - is this an oversight or deliberate on the part of Gmail/F?
> 
> It seems potentially rather problematic since most users do not delete their history nor use any private browsing features or software when in an internet cafe. We looked at detailed name/subject line/FB social graphs in the browser history of machines in the cafe for at least eight months back. With this information it is very easy to see an individual's activity without any other digital logs installed.
> 
> Curious about this from a technical POV and whether it can be fixed by Gmail/Facebook. We can involve the right people there, after understanding this better.
> 
> In the meantime, this definitely should be covered in any trainings (that is - do not use a sensitive or revealing subject line, delete your history, browse in private mode, etc.)
> 
> Thanks for any insights.
> 
> Best,
> 
> Katrin 
> 
> 
> 
> <Screen shot 2012-07-04 at 7.37.19 AM.png>
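
The exposure discussed in this thread, as an added example that is not part of the original messages: browsers store each visited page's title next to its URL, so a trainer can audit a profile for titles that reveal more than the site name. The table and column names follow Firefox's `places.sqlite`; the host list, the generic-title list, the title formats and all sample rows are constructed assumptions.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumptions: hosts worth checking, and titles that reveal nothing.
SENSITIVE_HOSTS = {"mail.google.com", "www.facebook.com"}
GENERIC_TITLES = {"", "gmail", "facebook"}

def exposed_titles(conn):
    """Return (host, title, visit_date) for history rows whose stored
    page title carries more than the site name."""
    rows = conn.execute(
        "SELECT url, title, last_visit_date FROM moz_places "
        "WHERE title IS NOT NULL AND last_visit_date IS NOT NULL "
        "ORDER BY last_visit_date"
    )
    findings = []
    for url, title, visited_us in rows:
        host = urlsplit(url).hostname or ""
        if host not in SENSITIVE_HOSTS:
            continue
        if title.strip().lower() in GENERIC_TITLES:
            continue
        # Firefox stores visit times as microseconds since the Unix epoch.
        when = datetime.fromtimestamp(visited_us / 1_000_000, tz=timezone.utc)
        findings.append((host, title, when.date().isoformat()))
    return findings

def sample_history():
    """Constructed in-memory stand-in for a Firefox places.sqlite file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_places (url TEXT, title TEXT, last_visit_date INTEGER)"
    )
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        ("https://mail.google.com/mail/#inbox", "Gmail", 1341360000000000),
        ("https://mail.google.com/mail/#inbox/abc",
         "Meeting on Friday - user@example.org - Gmail", 1341363600000000),
        ("https://www.facebook.com/example.person", "Example Person",
         1341367200000000),
        ("https://example.net/news", "News", 1341370800000000),
    ])
    return conn

if __name__ == "__main__":
    for finding in exposed_titles(sample_history()):
        print(finding)
```

To audit a real profile, pass `exposed_titles` a connection to a copy of its `places.sqlite`, since the browser keeps the live file locked.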
