Do you know who your Grouply Friends are?

February 29, 2008

Ungrouply Behavior Mod,

Since the message below was censored by the GrouplyImprovements clownmod (volunteer Grouply “public relations officer” Texas Critter), you have my permission to publish it.

Netbud

———————————–
— In
http://tech.groups.yahoo.com/group/GrouplyImprovements/message/856
— “Rich Reimer” <rreimer91@…> wrote:
> I would have posted this, but we were going back and forth
> on changes (which we have made very quickly) so I did not
> want to confuse people.
>
> Per my email to you, we have fixed it yesterday so you can
> delete a friend by going only to the search listing
> page.  Please try it out.

I don’t see where anything I wrote “confused people.”  Nobody asked for a clarification.

You “would have posted” precisely what?  That you added a new feature to delete Friends that did not exist before?  Or a revision to that feature to allow deletion of Friends with closed profiles?  Or a notice to users that they should check their Friends list to see if they were affected by the bug that allowed people to get on a user’s Friends list accidentally, possibly granting them access to private profile data, depending on the individual’s privacy settings?

When I suggested privately to you that you post something about it, you did not respond to that suggestion, so I made it public in the interest of those who may have had their privacy breached by the bug (now fixed, but still could be the cause of the presence of unwanted Friends who gained presence on Friends lists before the bug was fixed, and before you provided the ability to delete entries on the Friends list).

In the interest of protecting privacy of confidential profile data, will you at least publicly acknowledge that there was a programming bug that did allow people to get on a user’s Friends list inadvertently, so that Grouply users will understand from an authority other than me that they really do need to check their Friends list if they have not done so within the past few days, especially if they ever sent out any invites, or responded to one (invites being the source of the bug)?

I also suggested to you privately that you offer Grouply users a place where they can see a list of known bugs that have been reported, and their status (fixed, in progress, etc.), so that they don’t have to depend on unofficial groups like this for such information.  You did not respond to that suggestion, either.

Or is it your intention that to get the latest scoop on the status of solutions to problems in your beta product, all Grouply users must hold membership in this [Grouply Improvements Yahoo!] group?  Is it not enough that they hold membership in Grouply’s public beta test?

People giving you the benefit of their time and labor to participate in your public beta test should have access to some kind of reporting mechanism on what problems have been reported and their status, ESPECIALLY for bugs that affect the security or privacy of their personal information, which they put at risk to participate in your beta.

Frankly, being only a beta, I don’t understand why it deserved TrustE certification, when the product was not sufficiently tested to confirm that there were no bugs in access to private data.  However, as I understand what I read of TrustE’s consumer reporting service, they ask that a consumer report a problem to them only if their licensee company does not address it satisfactorily.  You fixed the bug, but it should be reported to all users who may have been affected by it, when it involves security of privacy.

I think it would be a significant Grouply Improvement if Grouply provided an online source for registered Grouply users to see a list of important bugs that could affect privacy, confidentiality, or security, and progress in fixing them.  I’m disappointed that you did not reply to this suggestion when I made it to you privately.

As I told you in email, I’ve been involved in beta projects before, as a user and as project manager of them.  It is not unusual for the beta project manager to provide registered beta testers with status reporting on issues, at least important ones.  You could easily do that in your blog or on a web page accessible only to registered beta testers, or in a Yahoo! Group.  But leaving it in the hands of an unidentified third-party volunteer (“Texas Critter,” in this case, moderator of this group) hardly seems professional.  I suggested multiple ways for you to approach it, and you did not respond.

I was fair to Grouply in the way I publicly reported the Friends List issue.  Will you at least acknowledge the accuracy of my report?

By the way, I can no longer further test your new Friends deletion routine for people with closed profiles, because I already deleted all the people on my Friends list, the first time you tried to offer a Friends deletion routine that lacked the ability to delete ones who had closed profiles.  You’ll have to get somebody else to test that for you.

———————————————
Prior messages in this thread:
——————————————–

From Grouply COO Rich Reimer:
http://tech.groups.yahoo.com/group/GrouplyImprovements/message/856
——————————————–

From Netbud:
http://tech.groups.yahoo.com/group/GrouplyImprovements/message/852
— In GrouplyImprovements@yahoogroups.com, “netbud” <netbud@…> wrote:
— In GrouplyImprovements@yahoogroups.com, Ben D <netbud@> wrote:
> 2)  When you visit the profile of another Grouply user
> (if they have not closed it with the “only me” privacy
> setting), your visit is recorded and reported to them in the
> “Recent Visitors” box at the lower left corner of their
> profile display … and thus reported to anyone else who
> visits their profile page.  Deleting a friend who
> showed up accidentally or by a bug (or even if you just
> changed your mind about the friendship) should not require
> you to report to them and to others that you visited their
> profile.  Grouply Support has not addressed this
> concern in my dialog with them about the various Friends
> List issues.

Since I posted this prior message, Grouply Support said that they would change the Friends list functioning so that when you click on a Friend they will be displayed as a search listing instead of opening their profile page.  As I understand what Grouply Support told me, on the search listing page there will be a Remove Friend button or link.  When this is accomplished, it should resolve the problem of being unable to delete a Friend whose profile is closed (“only me” visibility), and enable you to delete a Friend without visiting their profile page and having that visit recorded and displayed to all others who visit that person’s profile.

——————————————–

From Netbud:
http://tech.groups.yahoo.com/group/GrouplyImprovements/message/850
— In GrouplyImprovements@yahoogroups.com, Ben D <netbud@…> wrote:

 Heads-up Grouply users:  CHECK YOUR FRIENDS LIST.

After joining Grouply, I discovered that I had “friends” (total strangers to me) on my Friends list that I did not invite to be on my Friends list, and who had not asked me to be their friends.

After some dialog with Grouply Support, it was discovered that they got there through a bug involved with clicking on the link in a group invite I had sent.  It also works the other way: if you click on the join Grouply link in an invitation message, you automatically got added to the Friends list of the person who sent the invitation, and they to yours.

Here’s how it worked until it was fixed a couple days ago:

When you use the group invite routine, the default message created for you by Grouply says, “You can use this link to sign up: http://www.grouply..com/register.php?r=nnnnn,” where “nnnnn” is a number referencing your Grouply account.  If some stranger in the group joined Grouply by clicking on that link in the invitation message you posted to the group, they got automatically added to your Friends list (and you to theirs).  Conversely, if you joined Grouply using such a link in an invitation, the sender of the link became your Friend and you theirs.

Grouply “Friends” can have special access to personal, private information in your profile, depending on your privacy settings.  This opened the door to undesirable and unauthorized access to private, confidential information by surprise “friends.”  Depending on your privacy settings and what information you entered in your profile, this can include access to your name, email address, postal address, phone numbers, group memberships, etc.

It has been fixed so that now when you use one of those invite links, you show up as a Friend *Request* in the privacy settings page of the person who sent out the link, and vice-versa: if someone clicks on that link in an invite you sent out, they then show up as a Friend *Request* in your privacy settings page.  In the list of Friend Requests, you can click Ignore to deny their joining your Friends list and gaining friends-only access to confidential information in your profile.

This problem was fixed a couple days ago, but people who either joined Grouply via an invitation or sent invitations out to their groups prior to a couple days ago should check their profile pages to see if they have unwanted Friends there who came on board prior to the fix.  This can be especially important if they kept the default privacy settings upon joining Grouply, and/or if they put any personal information in their profile, or did not turn off access to things like their email address, postal address, phone numbers, etc.

Deleting a Friend also has some troubles.

When I discovered my unwanted friends, I found there was no facility for deleting them.  While viewing the Friends list on my profile page, there was no button or link for “delete friend.”  After reporting this to Grouply Support, they added it, but not on the Friends list.  To delete a Friend, you have to click into their profile from your Friends list, where you will find a button to remove them from your Friends list (and, reportedly, simultaneously remove yourself from their Friends list).

I have two problems with this:

1)  If a Friend has a closed profile (privacy setting at “only me” visibility), you can’t get to that Remove Friend button in their profile page.  You’re stuck with them.  When you click on the link to a Friend in your Friends list, and that person’s profile is closed (“only me” visibility in their privacy settings), you get only their search listing, not their profile, and no Remove Friend button.  Grouply Support said that they will work on making a Remove Friend button available there in the search listing for those people who have closed profiles.

2)  When you visit the profile of another Grouply user (if they have not closed it with the “only me” privacy setting), your visit is recorded and reported to them in the “Recent Visitors” box at the lower left corner of their profile display … and thus reported to anyone else who visits their profile page.  Deleting a friend who showed up accidentally or by a bug (or even if you just changed your mind about the friendship) should not require you to report to them and to others that you visited their profile.  Grouply Support has not addressed this concern in my dialog with them about the various Friends List issues.

I do not understand why one’s own Friends list in their own profile display cannot or should not have a button for deleting friends right there instead of having to go to their profile to do it.  So far I have not received a satisfactory answer to this from Grouply Support.

All else aside, my main reason for raising this issue here is to alert Grouply users that they should check their Friends list (in the My Profile tab) to see if any unexpected friends showed up, because Friends have special access to confidential data depending on what privacy settings you used, and the default set of privacy settings does grant them that access.

I felt that Grouply should have reported this potentially serious confidential data access control problem and its fix, so that people who joined prior to its fix could be alerted to check their Friends list if they had not visited their Profile page since having sent out invitations, or if they joined from the link in an invitation.  I suggested it to Grouply Support, but they did not respond to the suggestion.  I find that unfortunate.  Users should be notified of an important issue like this.

Advertisements