Google Blogoscoped is reporting that SmugMug’s private photos are really not that private. You’re able to get access to them with simple URL rewriting. The URLs are not appended with a GUID, and the photos pages are not password protected.

SmugMug has replied with a semantic argument:

Thanks for writing. This is expected behaviour. A private gallery just means that that gallery will not show up on your Smugmug homepage but it is accessible by knowing the direct URL to it. You do have the option of turning off external links so that no one can link to an individual photo. You may also password protect galleries so that no one can access them without a password.

This functionality is simply irresponsible. When a user sets a photo to be private, they expect the URL to be either password protected, or at least have a secret hash appended to the URL. Without such a hash, any visitor with a little bit of coding skill would be able to retrieve all your photos. SmugMug claims that they don’t have the bandwidth right now to implement such a GUID system.

The problem really is of expectation. On other sites, setting an object to private means either a GUID or password protected page. Regardless of the semantics of the wording, SmugMug needs to either follow the precedent, or put in big bold letters that your private photos can still be accessed by anyone.

At Scribd, our private documents require a secret password to be inserted into the URL.