It seems that in addition to boring all of you on a (more-or-less) regular basis, I've taken on a second--or I suppose fourth--job: playing bogeyman to paranoid Flickrites. This isn't my first try at scaring the unaware, but I thought I was headed for retirement. It seems, though, that someone has found one of my old Flickr hacks and posted it to the Flickr help forums. Aside from bringing to our attention some formatting artifacts introduced by the server change in December, the post points up one eternal truth: most users of any technology don't understand it. But then I don't understand most Flicker users, so I guess it all evens out. Why would you use a photo sharing site if you don't want to, well, share your photos? One of life's great mysteries, right up there with the sound of one hand clapping.

All joking aside, if you really care whether other people can access your images, here are some useful rules of thumb:

* There's a difference between security and privacy. People seeing your images isn't a security issue, it's a privacy issue. If people can maliciously enter into parts of your system they shouldn't be in and possibly corrupt your data, that's a security issue. Flickr, therefore, does not have a security problem. To the best of my knowledge, they've never been hacked. Your images stored on Flickr are as safe as anywhere on the internet.

* There is no such thing as an image a user can't download. The fundamental assumption of HTML and it's brethren is that the server gives information to users to use in a way that makes sense for them. You can wrap things in javascript to disable right clicking. You can even wrap things in Flash streams so they don't look like images. A clever user with a sufficiently criminal mind will take about 30 seconds to dismantle your handiwork. A less-than-clever one may need an hour and a google search. The fundamental truth, though, is this: once information travels over the wire to a user's computer, they can do pretty much anything they want with it.

* Unless the url says it's secure, it isn't. If you're paranoid, you should really assume that anything you access through a url that doesn't start with https:// is being widely distributed behind your back. This goes double for unencrypted email.

* When it comes to privacy, you don't get something for nothing...or even next to nothing. Privacy and security come at a cost. Normally a pretty high cost. Don't expect them for $0 or even $39 a year. Just don't. sites like Flickr exist as places for people to get together, share, and have fun. Flickr is the Central Park of the photoblogging world, complete with people jumping fences and letting their dogs off the leash. You knew that when you signed up. If your idea of fun looks more like Fort Knox than the Ramble, look elsewhere.

* Corollary: If you're really losing sleep over this and it's professionally important, you should be willing to pony up the cash. There are products out there to help. Seefile makes a very nice webserver/gallery package for professional photographers; so do some other people. You can also roll your own without too much trouble, and your webhost should be able to help you set up some SLL certs to help secure whatever solution you choose. If this is your livelihood we're talking out, the cost is a pittance, and a tax-deductible pittance at that. If it's not your livelihood, what are you losing sleep over?

* Know your threat model. If you're really worried about someone stealing your images, ask yourself a couple of questions: 1) Who is going to steal them? 2) Why will this person steal them?  3) How can they steal them? 4) What material harm will it do me if they do steal them? Lost revenue? How much? 5) How likely is this scenario, really? Once you have those answers, you can formulate a realistic security and privacy plan that will meet your needs. If you can't come up with meaningful answers to all five questions, you're probably losing sleep over nothing.