17 comments

[ 2.8 ms ] story [ 44.3 ms ] thread
Wow, this is pretty awesome. If I look at mine, you can clearly see links between certain groups of friends / family.
What the ...?

Never ever share your login credentials with a third-party.

This could have been done as local open-source tool. Why is this a web app?

You can do this yourself with tools like Gephi.

It's not asking for your login credentials, it uses an oauth system and asks for permissions.
And plus, you know the NSA is looking at your mail anyway, so what further harm could a bunch of MIT grad students do?
I have more trust in the grad students.
> Never ever share your login credentials with a third-party.

It uses Google's OAuth; the site never sees your password

> Why is this a web app?

Because it's for the average user, and people who don't have time or skill to export their data, research graph formats, then write some ETL to get it into that format, then download Gephi to view it. It makes great sense as a webapp.

> You can do this yourself

You're completely missing the point

It's odd that I have yet to see a single website that handles oauth failures gracefully. (e.g. hitting the cancel button).
Good point. We'll take care of this during our next server update. Thanks!
Works great, perfectly determined which people in my workplace are programmers and which are biologists (by giving them a different color).

Could one subvert the graph building with the following? Construct an email address A1 that will forward emails to you from person B. Likewise, you communicate with B through their B1. After a period of time (or n messages), switch the pass through entity to a different email address A2 and make a rule on the mail server to bounce the emails from B if they try to reach you at A1. Keep using A1 with someone else.

Interesting, but not very useful to somebody who's an avid deleter of old e-mails. Kind of paints an odd picture.

Also, anyone else get a stuck logout&delete button after getting the data? Ended up having to revoke access via Gmail Accounts.

Same here... both logout buttons did not work.
That's the first we've heard of that error. When the user logs out, they are also presented with the link to revoke access via Gmail. Sorry you weren't able to get to that page. If you want to make sure that your data is deleted, we can do a manual delete of your metadata (if it exists on our server) for you. Just write to us at the address on the website.
very interesting, analyzed 40k+ emails and I didn't find that much I didn't already know. More surprised about what can be seen with just an oauth token.
It's not just any OAuth token it's a token that asks for permissions to "view all your mail" among other things.

Most Oauth tokens won't ask for this highly elevated permission.

OAuth is not designed around Authentication, the Auth in OAuth is actually about Authorisation. It was designed for this purpose, to authorise others to have access to your mail, or contacts, etc. That it has been co-opted for Authentication purposes (particularly in Oauth2) has just been a side effect.

Well, when you use Gmail, you must pretty much be ok with the idea of being tracked...
Hi, one of the team members of Immersion here. If you have any questions, I'd be happy to answer them. Thanks for your feedback and comments!