"The only security measure is that the album link is hard to guess. It was pointed out that this link is really HARD to guess. It does not need to be guessed. All it would take for some strangers to get access to my private photos, is for one of my relatives to share this link by mistake."
FWIW, whenever I share sensitive documents on Drive, I do so via a shareable link. I figured if I trust someone not to download the file and share it as an attachment, then I trust that person to not share the URL publicly as well.
One distinction though, is that URLs are much easier to steal, as compared to login info. People often don't make an effort to hide their browser URL when using their laptop in a public location, nor do they clear their history when using a shared computer. In theory, someone determined can use these vulnerabilities to steal a URL address.
In practice, the above threat model seems obscure and unlikely enough that, for a social service like Google Photos, what Google has seems reasonable enough. I can understand the author's surprise, but I can also understand Google's policy here.
It reminds me of the old way Chrome didn't hide saved passwords. It made sense under the threat model they had for the feature, but it wasn't the security model end users expected would be the default.
A simple UI fix would be to explicitly call the sharing mode "unlisted", like some other sites do, including YouTube, with a similar warning about linking to the content.