
From the same tooter:

>If you use #Google Photos, there's a non-zero chance that there are secret, yet public URLs attached to your photos that allow un-authenticated access to every picture in your account. Mine did, and I tested the addresses in incognito and tor browsers and they worked. #privacy

https://mastodon.social/@gerowen/106978306449754832



"unauthenticated access" is a stretch. It's like how rawgithubcontent links originating from GitHub.com on private repos contain a query parameter ?token= that is an API token for accessing that repo "without authentication" - it's in the URL, sure, but that URL itself contains a long, random series of characters that is needed to access the content.


I am not that concerned with these opaque URLs as they are basically unguessable (and you will need the URLs to download the data if you are destroying your Google profile, so no other authentication is possible).

But for how long are they retained? Are they generated during the takeout process or do they exist since the photo was uploaded?


"Secret yet public" is a new achievement in privacy derangement. The URL is secret. It is public if you share it, after which it is not secret.


It’s also really hard to audit, so if Google shares it and people access it, Google won’t know.

This is not cool for me because I don’t want my photos available to people other than me, even if they have my magic url with a token I didn’t create and can’t revoke.


How is a magic url really any different from a magic login cookie in this case? Yeah, I guess you can't revoke it, but what's the difference if the new cookie/url is equally unguessable?


I create and revoke tokens, that’s a big difference. With magic urls, I don’t know they exist so I can’t share or control them.


You can revoke a link. Go to the shared album page (clicking on the link will take you there). Click the options menu item, and there is a toggle for link sharing that will revoke the magic url and token.


You can revoke sharing links, but there are also direct links to photos that work for unauthenticated clients. They aren't presented in the UI as a sharing option; you have to use your browser to copy the link. In other words, the only way to make these links public is through intentional user action.


This shouldn't be true any more, I just tried it out by grabbing the lh[0-9]* url for the image bytes and that won't open in an incognito browser without a Google Login. Can you share with me how to reproduce this "url copy"? If you want to send it privately just tack gmail.com onto my username.

Or you can file feedback from the photo web page and just tag me in it.


I just tried it with an lh3 url I got from chrome, opens fine in incognito. Repro easily: from /photo/ page, open image in new tab; copy address to incognito; expected: login challenge, actual: photo.


Ah, so it does, but that URL has a bearer token that only lasts for one minute. Try it again after a minute.

Edit: I don't work on this stuff, but have seen it challenge me when trying to do this exact thing.


I guess you've never heard of "security through obscurity".


Secrets like passwords are not "security through obscurity". The existence of a key that can open a lock is not security through obscurity. "Security through obscurity" refers to obscuring techniques, not obscuring passwords and keys. No one has ever referred to RSA as "security through obscurity" because it requires obscuring your private key.
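The thread argues about what a "magic URL" actually is: a long random token carried in the URL is a bearer secret, the same kind of thing as a session cookie or an API key, not obscurity of the mechanism. The sketch below is added example code, not Google Photos' or GitHub's implementation, and shows the properties a defender wants from such links: tokens from a CSPRNG with enough entropy that guessing is hopeless, only a hash stored server-side so a leaked database does not leak working links, and per-link expiry and revocation so the "I can't revoke it" complaint above has an answer. The class name `CapabilityLinks`, the base URL and the `?token=` query parameter (borrowed from the raw.githubusercontent pattern mentioned earlier in the thread) are assumptions for the example.

```python
"""Capability ("magic") URLs done defensively: unguessable tokens, hashed at rest,
revocable and optionally time-limited. Added example; not Google's or GitHub's code."""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_BYTES = 32  # 32 random bytes = 256 bits of entropy per link (assumed size)


def guess_probability(attempts, token_bits=TOKEN_BYTES * 8):
    """Probability that `attempts` uniformly random guesses hit one specific token.
    With 256-bit tokens even 2**40 guesses give 2**-216, i.e. effectively zero."""
    return attempts / 2 ** token_bits


def _digest(token):
    # Keep only a SHA-256 of the token: a stolen table yields no usable links,
    # and the dict lookup below compares digests, never the raw token bytes.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class CapabilityLinks:
    """Hypothetical link store for one service (base_url is an assumption)."""

    def __init__(self, base_url):
        self.base_url = base_url
        self._links = {}  # digest -> {"resource", "expires", "revoked"}

    def issue(self, resource, ttl_seconds=None, now=None):
        """Mint a link for `resource`; the token is the only credential needed."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG, URL-safe alphabet
        self._links[_digest(token)] = {
            "resource": resource,
            "expires": None if ttl_seconds is None else now + ttl_seconds,
            "revoked": False,
        }
        return f"{self.base_url}/{resource}?token={token}"

    @staticmethod
    def token_from_url(url):
        """Pull the bearer token back out of a link (None if absent)."""
        return parse_qs(urlparse(url).query).get("token", [None])[0]

    def _lookup(self, url):
        token = self.token_from_url(url)
        return self._links.get(_digest(token)) if token else None

    def resolve(self, url, now=None):
        """Return the resource name if the link is live, else None (no user login involved)."""
        now = time.time() if now is None else now
        entry = self._lookup(url)
        if entry is None or entry["revoked"]:
            return None
        if entry["expires"] is not None and now > entry["expires"]:
            return None
        return entry["resource"]

    def revoke(self, url):
        """Kill one link without touching the others for the same resource."""
        entry = self._lookup(url)
        if entry is None:
            return False
        entry["revoked"] = True
        return True

    def live_count(self, resource, now=None):
        """Audit helper: how many links for `resource` still work right now."""
        now = time.time() if now is None else now
        return sum(
            1
            for e in self._links.values()
            if e["resource"] == resource
            and not e["revoked"]
            and (e["expires"] is None or now <= e["expires"])
        )


if __name__ == "__main__":
    store = CapabilityLinks("https://photos.example")  # constructed host
    short = store.issue("album42/img001.jpg", ttl_seconds=60)  # like the 1-minute link above
    print(short, "->", store.resolve(short))
    store.revoke(short)
    print("after revoke ->", store.resolve(short))
    print("P(hit) after 2**40 guesses:", guess_probability(2 ** 40))
```

The `live_count` helper is the piece the thread says is missing from the user's view: a user can only revoke what they can enumerate, so any service issuing capability links should be able to list every live link per object and show it in the UI.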
