Google Photos is a popular photo hosting service and application that millions of people use on a daily basis. Part of its popularity comes from the fact that the service is deeply integrated into most Android devices.
Google Photos supports management features including options to view photos, create albums, and share photos or albums with others.
Sharing works fluently; if you use the web version, all you have to do is pick one or multiple photos or albums, and hit the share button to get started.
You can create links to the selection, share the selection with select Google contacts, or on Facebook or Twitter.
Tech savvy Internet users may well be aware that the selected photos need to be publicly available if the “create link” sharing option is selected. They too, might not know however, that this is also the case if you share photos with Google contacts.
In fact, regardless of which share option you select, all photos and video files that you share are publicly accessible the moment you execute the command.
You can try it out yourself by opening this URL. I shared an image with Ghacks’ author Mike, but you will notice that you can view it just fine.
Google confirms this on a support page but does not highlight the fact in the share interface where it would be more appropriate.
Google uses obfuscation of the address as the only defense against unauthorized access. The structure of the URL makes it unlikely that anyone may guess the URL to access photos unless a flaw in the algorithm is found to improve predictions.
Obfuscation may prevent brute force attempts but third-parties may get hold of links to shared media on Google Photos through other means such as network monitoring, accidental sharing, or unencrypted email.
Anyone with access to the link may view the shared media, even if they are not signed in to a Google Account.
Robert Wiblin published his findings on Medium noting that Google Photos does not reveal the fact to the customer. There is also no information that Google customers may look at to determine how often and by whom the shared photos were viewed.
To make matters worse, the service offers no information on how shared media can be disabled so that others may not access it anymore. Google Photos users need to access the sharing menu, https://photos.google.com/sharing, hover over the album, click on the menu that appears, and select “delete album” to terminate third-party access to it.
Google Photos uses a different system than Google Drive even though the interfaces look very similar. When you share a file using Google Drive, only selected recipients may access it initially unless the user explicitly changes the visibility.
There is nothing wrong with sharing media using Google Photos provided that you know that these images and videos will only be protected by the URL. Google should make this clear right there in the share menu and maybe consider integrating the Google Drive share functionality to make it possible to share photos and videos with individuals and groups without making them public.
Google users who don’t want shared media to become publicly accessible may want to consider using Google Drive instead for the sharing, or use third-party services like Microsoft’s OneDrive which support password protections and expiration dates.