Tag cloud privacy issue
Oct. 7th, 2010 11:11 am
Reported as bug on LJ - not sure whether DW has the same bug.
If I look at somebody's tag cloud on their journal, it only shows me tags that are found in the posts I have permission to view (e.g. if I'm not logged in, I can only see tags that appear in at least one public post).
However, as long as I have permission to view *at least* one post with that tag, the tag cloud gives me info about the *total* number of posts with that tag (not just the ones I'm allowed to access).
Example: Sue makes a public post about the great holiday she just had, and tags it 'holiday', then forgets about it.
A couple of years later, she decides to go on another holiday. She starts posting about it, but she's been having problems with a creepy ex so she makes these posts friends-locked.
However, because she's using the same tag - and because there's a long-forgotten public post with that tag - her ex can see that the 'holiday' tag is getting bigger, and by mousing over he can tell exactly how many 'holiday' posts she's made. He can check back in to figure out when she's updating and get an idea of when the house might be vacant.
IMHO, if a user decides to restrict access on a post, LJ should not be providing *any* info about that post to people who don't have the appropriate access permissions.
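The behaviour described above, next to a count scoped to the viewer, as an added example that is not LJ's or DW's code. The `Post` model, the three security levels, the `can_view` check and the sample journal are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Post:
    tags: tuple
    security: str  # assumed levels: "public", "friends" or "private"


def can_view(post, viewer, owner, friends):
    """Hypothetical access check: owner sees all, friends see friends-locked."""
    if viewer == owner or post.security == "public":
        return True
    return post.security == "friends" and viewer in friends


def leaky_tag_cloud(posts, viewer, owner, friends):
    """Reported behaviour: tag visibility is filtered, but counts are journal-wide."""
    totals = Counter(t for p in posts for t in p.tags)
    visible = {t for p in posts if can_view(p, viewer, owner, friends) for t in p.tags}
    return {t: totals[t] for t in visible}


def scoped_tag_cloud(posts, viewer, owner, friends):
    """Count only posts the viewer may read, so locked posts contribute nothing."""
    readable = (p for p in posts if can_view(p, viewer, owner, friends))
    return dict(Counter(t for p in readable for t in p.tags))


# Constructed sample journal modelled on the 'holiday' scenario in the post.
OWNER, FRIENDS = "sue", {"alice"}
POSTS = [
    Post(("holiday",), "public"),             # the long-forgotten public post
    Post(("holiday",), "friends"),            # new trip, friends-locked
    Post(("holiday", "packing"), "friends"),
    Post(("diary",), "private"),
]

if __name__ == "__main__":
    for viewer in (None, "alice", "sue"):     # None = not logged in
        print(viewer,
              leaky_tag_cloud(POSTS, viewer, OWNER, FRIENDS),
              scoped_tag_cloud(POSTS, viewer, OWNER, FRIENDS))
```

For the logged-out viewer the first function reports three 'holiday' posts while the second reports one, and the second stays at one no matter how many locked posts are added.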