Update on Google Calendar
As a follow-up to my post noting some issues I’ve found with Google Calendar – namely what seemed to be a security hole, I was extremely pleased to see an email from Google on the matter:
Hi Phil,
We came across your blog post about sharing Google Calendar and wanted to follow-up with you: https://philfreo.com/blog/big-security-flaw-in-google-calendar/
We understand that you’re concerned about the security of Google Calendar because you can see all of your friend’s events although he only shared his free/busy information with you.
We suspect that the reason why you can see the details of your friend’s events is because his events are marked as public events. When events are marked as public events, other users can see them even if the calendar itself is set up as a private calendar.
To resolve this issue, can you please ask Bryan to check the privacy settings of his events? To do so, he’ll need to click on events, then select “edit event details” > “Options” > “Privacy.” Under “Privacy”
section, if “Public” is selected, he needs to change the selection to “Default” or “Private.”Lastly, we understand that many users want the ability to create one main calendar that they can share with their friends without clattering their friends’ calendars. We also understand that our printing features need some improvements. We really appreciate your constructive feedback on Google Calendar and will keep them in mind as we work to improve the quality of Google Calendar.
Regards,
The Google Team
I did have Bryan check and indeed, the settings on each individual event had been set to “Public” rather than to “Default”. While I’m still not sure how that happened (he didn’t do it on purpose), it is much more relieving to know there was a good reason for what otherwise looked like a security hole.
Additionally, it is great to see Google say that they understand the other problems with Google Calendar (such as multiple calendars per person cluttering a friend’s calendar, as well its very ugly print interface). I now have more confidence that it is something they are working to fix.
I have now integrated Google Calendar on another website and am very pleased with how easy it is to give multiple people access to add/edit events. Additionally, subscribing to the calendar’s events make it a wonderful way for people wanting to keep up with the latest events from an organization without having to constantly check back. This was the perfect solution to the previous way it was happening: dozens of email reminders sent a week via the listserv.
However, since Google apparently is listening, I might as well point out a few more things I’d like to see changed in their iframe page:
- More styling options. For example, there is no way to change the color of the month name from black, and it looks very bad on a grey background.
- Event wrapping. With often < 700 pixels to work with, you can’t see much in terms of detail when the events don’t wrap. I would much rather lose vertical/height space than how it currently is.
Once-börnd-twice-shy said,
October 4, 2009 @ 7:37 am
Hi Phil,
thanks for your post about the security problems with google calendar.
It helped me a lot because the problem still exists today.
I ran into the same problem that Bryan had: some of my events are marked public – even though i didn’t want them to be.
At last I figured out what happend: A tool driven syncronization between outlook and google is not allowed in our company. Therefor i have exported all my events from my company MS outlook account as ics files and afterwards imported these ics files into the google calendar.
The problem was that almost ALL my exported outlook events where marked as “PUBLIC” by default.
So google calendar decided, while importing them, to view them to everybody afterwards – and therefor ignore my general security settings.
Right now I can’t find a general solution for this problem.
Everybody using “import” may still run into this security problem.
As an owner of your calendar it’s almost impossible to realize that your imported events are public unless you navigate into each of your imported events.
I don’t know if the behaviour is a misconfiguration of outlook or a general behaviour of outlook.
The result is a major security issue for me – the user.
So – unforunately after 3 year the problem still exists …
Regards,
börnd
Phil Freo said,
October 6, 2009 @ 9:11 pm
Interesting. Perhaps you can view the file Outlook exports using a text editor and see if there’s any mention of the events being public. If so, a find/replace would probably do the trick. If the problem lies in Google Calendar’s import process, that would be much worse. Have you tried the official Google Sync program that exists now?
Once-börnd-twice-shy said said,
October 7, 2009 @ 6:04 am
Hey Phil,
Yes: Within the ICS file exporting an event I found a line containing “CLASS:PUBLIC”. So, changing that line into “CLASS:PRIVATE” was the solution.
Nevertheless using a text editor wasn’t convenient enough for a daily use, of cause. Fortunately i’ve got cygwin installed on that machine. So I wrote a little script to change these lines automatically.
By the way: I’m not allowed to install additional software on my company computer.
So, as far as i understand Google Sync is out of reach for me. Unfortunately …
In the begining it looked like a general MS Outlook fault to me – but now i’m quite sure it is not:
I found a post on Google saying that they expect the setting to be set to CLASS:STANDARD and they don’t feel right to overwrite the imported values. But, with respect, that is not correct. Refering to RFC there is no such value defined like CLASS:STANDARD! You may use that value – but it’s proprietary. You simply can’t blame microsoft for not supporting that.
The RFC 5545 defines CLASS as: “PUBLIC” / “PRIVATE” / “CONFIDENTIAL” / iana-token / x-name
And the value PUBLIC is the default value!!!
So, Outlook uses the default value for export – that can’t be a fault that big.
It looks like Google interprets the default setting PUBLIC like this: everyone using the default wants all their event to be exposed to the whole internet even though his general setting is set to don’t show event details to anyone?!
IMHO Google HAS to overwrite that value if the users Google Calendar general setting says so. But they don’t do that … and i think that’s a mistake and the root of the problem.
I admit reading RFCs has got to do a lot about interpretation.
But, c’mon Google – you can’t be serious about that interpretation.
I’m concerned that my situation is not that exotic:
Your Company does not let you install software on your computer. Your Company uses outlook. You personally use Google Calendar. Nevertheless you want to transfer company events to your Google Calendar. So you will likely use ICS export to do so. As a result you’ll exposing your business events the the world without even noticing – because nobody tells you and you trust the security settings you did in the Google Calendar.
I’m very concerned that there are much more people in the world having this issue without knowing.
King regards,
börnd
(please excuse my bad english – for i’m a native german)