[Infowarrior] - Google Calendar suffers data 'leak'

Richard Forno rforno at infowarrior.org
Sun Feb 15 20:33:23 UTC 2009 

Google Calendar suffers data 'leak'

The Yomiuri Shimbun

http://www.yomiuri.co.jp/dy/national/20090215TDY02303.htm

Some users of Google Calendar, a personal schedule management service  
on the Internet run by Google Inc., have mistakenly disclosed more  
than 1,500 items of personal information, it has been learned.

The Yomiuri Shimbun has confirmed that anyone was able to view the  
personal schedule data in question, which was posted on nine user  
calendars.

Earlier this month, Google stopped the public calendar search function  
of the service, which enabled users to search other users' calendars,  
without providing users in Japan with an explanation.

Even now, however, the calendars of users can be viewed by other users  
if they know the relevant calendar address.

The free calendar service can be accessed by personal computer or cell  
phone just by typing in a user ID. The calendar can be used as a  
personal memorandum or by a group of specified users.

On the initial settings page, the options for sharing the information  
with selected users and making all information public are close to  
each other.

Some users have been confused about the difference between the two  
options, with some mistakenly thinking they have to check both boxes  
to be able to use the calendar on more than one device or to share the  
calendar with friends.

However, once a user has chosen "Share all information on this  
calendar," it makes his or her calendar available to all users.

A 39-year-old surgeon who works at a hospital in Tokushima Prefecture  
mistakenly disclosed on his personalized Google Calendar from April  
last year about 150 items of information, including the names of  
patients and their conditions.

In one case, the information contained a patient's name and indicated  
that the patient had been operated on to fit a colostomy bag.

The hospital explained that the surgeon probably was not aware the  
calendar was viewable to other users because he thought it was  
personalized. Apparently the hospital has yet to decide how to explain  
the information leak to patients.

A lawyer in his 30s unwittingly disclosed his schedule, which included  
the names of clients, appointment dates and court schedules. Some of  
the disclosed data was sufficient to identify the individuals involved.

"I meant to share the calendar only within our office," said the  
lawyer, who works at a law firm in the Tohoku region. "Putting  
information up on the Net is dangerous."

Other cases include a company in Kyushu that unwittingly disclosed the  
date it was going to pay out bonuses, and a nail salon in Tokyo that  
unintentionally revealed a record of internal memos, including what to  
do with fees when customers expressed dissatisfaction with their  
service.

"We don't have any information on specific personal information  
leaks," Yoshito Funabashi, the public relations department director of  
Google Japan, said after the company removed the public calendar  
search function.

While a brief notice appeared on Google's English-language site, the  
company has not explained to Japanese users why the change was made.

Since the calendars are still viewable by typing in the relevant  
addresses, users who mistakenly set up their calendars to be shared  
with other users are still at risk of disclosing personal information.

Funabashi described the removal of the public calendar search function  
as "an improvement to enhance convenience."

Only last year, Google had problems with its map information service,  
Google Maps, when maps of schoolchildren's homes made for teachers  
using the service were mistakenly made accessible to other users of  
the Internet service, revealing private information about the children  
and their homes.
(Feb. 15, 2009)

More information about the Infowarrior mailing list