Jul 16 / Loren

Privacy versus software bugs … d’oh!

The Electronic Frontier Foundation recently launched a nice service that monitors the legal terms of service and privacy policies of prominent web sites and tracks changes that may impact their users. These documents are universally “subject to change without notice” so having an RSS feed lets customers know when changes happen as they are made. If you are the sort of person who actually reads these documents you can just follow the alterations.

[Note: the rest gets technical.] At some point this service got configured to track what appears to be a test document, and so long as this document doesn’t change there is no effect. Last night the access permissions on that test document changed, and it was no longer available. The web server in turn duly refused to serve it (to a request presumably from itself), returning an HTTP 403 error. This, in turn, was interpreted as a change in the policy to now read “403 Forbidden” (a most unusual and terse privacy policy) and was reported to the feed. Ironically, in a commonplace programming oversight, the error also showed debugging information, including the name of the file to which access was forbidden, which includes the programmer’s user account name (a common first name I won’t copy here). Does this bug in a very well-intentioned effort to protect our privacy violate the privacy policy of the EFF in publicly disclosing the programmer’s name?
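One way a tracker like this could avoid both problems, shown as an added example that is not the EFF's code or part of the original post: compare content only on a successful response, and redact account names from error text before anything is published. The function names, the path layout and the sample strings are constructed assumptions.

```python
import hashlib
import re

# Home-directory style paths; the layout is an assumption, since the post
# does not reproduce the actual path that was disclosed.
HOME_PATH = re.compile(r"(/(?:home|Users)/)[^/\s]+")

# Constructed sample data, not taken from the real feed.
POLICY = "We keep no logs."
ERROR_BODY = "403 Forbidden: /home/exampleuser/tracker/test-policy.html"


def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def redact(text):
    """Replace the account-name component of a home-directory path."""
    return HOME_PATH.sub(r"\1<redacted>", text)


def naive_check(last_hash, status, body):
    """The flaw described above: any response body is treated as the policy."""
    new_hash = digest(body)
    if new_hash != last_hash:
        return new_hash, "Policy changed, now reads: " + body
    return last_hash, None


def careful_check(last_hash, status, body):
    """Return (hash, feed_item, operator_error).

    A non-2xx response is a fetch failure, not a policy change: the stored
    hash is kept, nothing goes to the public feed, and the error text is
    redacted before it is logged for the operator.
    """
    if not 200 <= status < 300:
        return last_hash, None, redact("fetch failed, HTTP %d: %s" % (status, body))
    new_hash = digest(body)
    if new_hash != last_hash:
        return new_hash, "Policy changed", None
    return last_hash, None, None


if __name__ == "__main__":
    baseline = digest(POLICY)
    print(naive_check(baseline, 403, ERROR_BODY)[1])
    print(careful_check(baseline, 403, ERROR_BODY)[2])
```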
