Google to strengthen Calendar privacy warnings

Computerworld - Google Inc. is working on making privacy warnings around its Calendar application stronger amid concerns that some users of the service may unintentionally be exposing more information than they mean to.

The Web-based calendar was launched last year. Similar to other desktop calendar applications, it allows users to store event information, contacts and other data. The information is kept online by Google and can be accessed over the Net from anywhere. Users have the choice of making their calendar entries private -- the default choice -- or allowing public searches of the information.

The idea is to give users an easy-to-use tool for discovering and sharing event information with others, according to Greg Badros, engineering director of Google. "We wanted to make the settings as easy as possible to make a calendar public," Badros said. It is currently used by "millions" of users worldwide, a spokeswoman said.

The problem, however, is that people sometimes appear to be storing information on Google Calendar that they might not have intended to share with others.

For instance, when Computerworld conducted a quick search Thursday for private data using Google Calendar’s public search feature, the feature returned several user names and passwords for accessing various sites and e-mail accounts. Included in the data were at least one username and password to a bank account, another to a retail store credit card account, and one to a private wedding blog.

The information yielded by such searches is not restricted to personal data. Even a few corporate calendars can be found on Google Calendar, with meeting dates, project codenames and dial-in information for internal conferences. 

By default, information users enter into Google Calendar is marked as private. Such information gets shared only if the users explicitly allow the information to be shared, Badros said. But a user might disable those defaults and later forget that he or she has done so. The goal is to give users a more visible and persistent warning that information stored on Calendar is accessible to anyone if the default privacy settings are disabled by the user.

Badros today would not say when Google hopes to makes the warnings on Calendar more explicit. "We are working on improving the messaging there," Badros said. "There must be a persistent reminder that the Calendar is public such that other people can find them," he said. "To me the biggest weakness is that we did not make people as aware of that as well as they could have been," he said.

"We do a great job of telling people as they change settings that they are making the settings public," Badros said. For example, when a user enables settings to make a calendar public, the entire screen goes grey and the user cannot take further action without first acknowledging that he or she is aware of the change that is being made, he said.

 "But sometimes people go deep into a setting and then later forget the changes they made," he said. As a result it is "worthwhile" to make the admonitions more visible and persistent, he said.  Google cannot totally prevent users "from shooting themselves in the foot around this," Badros said. But, he states, better warnings should mitigate some of the issues.

Read more about security in Computerworld's Security Knowledge Center.