Tumblr security / privacy master post
(psst — if you’re reblogging this, you might want to reblog it as text instead of as a link!)
I’m a software developer who’s relatively familiar with the Tumblr API. In the wake of the “fuckyeahreadmores” blog, I think it’d be good to spread some verifiably correct information about privacy on Tumblr.
1. If your blog is not password protected, anyone can see your posts. Period.
Blanking / obfuscating your theme does not hide your posts. They are still visible through the API, which is used by Tumblr’s mobile apps, as well as through [yourblog].tumblr.com/mobile/. The only way to hide your posts is to password protect or delete your blog.
2. Anyone can find your posts through tags containing no underscores or dashes.
To elaborate: underscores (_) and dashes (-) are coerced to spaces when searching for tags, but not when posting. A search for “foo_bar” is therefore really a search for “foo bar”, and no search string can ever be normalized into a tag that still contains an underscore or a dash, so tags containing either of those characters are effectively unsearchable. It’s unlikely that Tumblr will ever change this behavior. It applies to both the web interface and the API.
Tags with forward slashes (/) are tricky. When you put a / in a search URL, the server treats it as a path separator and either ignores it or returns an error. However, the API permits forward slashes in tag searches, so putting forward slashes in tags does not hide them.
All other ASCII symbols are valid in tag searches.
3. Anyone can reblog your non-answer posts.
The only post type that cannot be reblogged is the answer post (an ask you’ve answered). Short of password protection, there is no other way to stop anyone from reblogging your posts. If you want to stop a post from being reblogged with absolute certainty, send yourself a question and put your private post in the answer.
4. Anyone can read your entire read-more posts.
This ties in with the first tip about how “anyone can see your posts”, but it’s worth mentioning separately. Even though the dashboard and [yourblog].tumblr.com/archive don’t show the whole post, the API returns the entire post, as does the URL [yourblog].tumblr.com/post/[postID]/mobile. Theme blanking does not hide your read-more posts.
5. All those times I said “anyone”? That includes blocked / ignored users.
Ignored users can still see your blog, find your posts through tag searches, reblog your non-answer posts, and read your entire read-more posts. If they are following you, your posts will not show up on their dashboard. Their likes, reblogs, and replies are hidden from your dashboard and from the post’s notes. Those notes are hidden from everyone who looks at them, including the ignored user, so an ignored user can figure out that you’ve ignored them.
6. Making your blog invisible to search engines does very little.
I’m not sure how popular this misconception is (I believed it for a while), but unchecking the setting “Allow search engines to index your blog” does not make your tagged posts invisible. Anyone who is logged in can still find them through tag searches. Logged-out users will not be able to find your posts through tag searches and web crawlers will be disallowed from indexing your site, but that’s all it does, as far as I can tell.
7. Password protection fixes all of this!
Password protecting your blog is the ultimate fix for all of these problems. Your posts will be invisible to anyone who doesn’t have the password, can’t be found through tag searches, can’t be reblogged, and won’t be indexed by search engines. However, your blog also can’t be followed by anyone as long as it’s password protected, and any followers you had before enabling password protection won’t see your posts on their dashboards any longer. It’s a bittersweet solution, but it’s very thorough.
In summary:
- If you want a post to be unable to be found through tags, suffix each tag with an underscore (_) or dash (-).
- If you want a post to be unable to be reblogged, post it as an answer to a dummy question.
- If you want a post to be unable to be read by everyone, post it to a password-protected blog and only send the password to people you trust.
- Read-more breaks and ignoring users are effectively snake oil.
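To make points 2 through 5 and the summary above concrete, here is a small model of the exposure rules as this post describes them. It is an added illustration written for this page, not code from Tumblr or from the original post: it does not talk to the Tumblr API, the `Post` and `Blog` records and the sample posts are constructed, and the exact-equality comparison between a normalized search string and a stored tag is an assumption drawn from the post’s description of the coercion.

```python
"""Model of the Tumblr exposure rules described in this post (points 1-5).

Illustration only: no network calls, constructed sample data, and the
tag-matching rule is assumed from the post's description of search coercion.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def search_key(query: str) -> str:
    """How a tag *search* is normalised: '_' and '-' become spaces.
    Posted tags are stored verbatim, so a tag that still contains either
    character can never equal any normalised query (point 2)."""
    return query.replace("_", " ").replace("-", " ")


def search_matches(query: str, posted_tag: str, via_api: bool = False) -> bool:
    """Would a search for `query` surface a post tagged `posted_tag`?
    A '/' cannot travel through the web search URL but is accepted by the API."""
    if "/" in query and not via_api:
        return False
    return search_key(query) == posted_tag  # assumed exact comparison


def tag_is_findable(posted_tag: str, via_api: bool = True) -> bool:
    """True if *some* query can match the stored tag: no '_' or '-', and
    no '/' unless the searcher uses the API (which they can, so default True)."""
    if "_" in posted_tag or "-" in posted_tag:
        return False
    if "/" in posted_tag and not via_api:
        return False
    return True


def hide_tag(tag: str) -> str:
    """The summary's recipe: suffix with '_' so no search can normalise to it."""
    return tag if tag.endswith("_") else tag + "_"


@dataclass
class Post:
    post_id: int
    post_type: str                      # 'text', 'photo', 'answer', ...
    tags: list[str] = field(default_factory=list)
    has_read_more: bool = False


@dataclass
class Blog:
    name: str
    password_protected: bool = False
    theme_blanked: bool = False                # no effect on exposure (point 1)
    hidden_from_search_engines: bool = False   # only affects logged-out users (point 6)


def exposure(blog: Blog, post: Post) -> dict:
    """Apply points 1-5 to one post. Ignored/blocked users are not modelled
    separately because the post says they see exactly what everyone sees."""
    if blog.password_protected:                 # point 7: the only real fix
        return {"visible": False, "reblogable": False,
                "findable_tags": [], "read_more_fully_readable": False}
    return {
        "visible": True,                                      # theme blanking ignored
        "reblogable": post.post_type != "answer",             # point 3
        "findable_tags": [t for t in post.tags if tag_is_findable(t)],  # point 2
        "read_more_fully_readable": post.has_read_more,       # point 4: API / /post/ID/mobile
    }


def audit(blog: Blog, posts: list[Post]) -> list[dict]:
    """Report, per post, what a stranger (or a blocked user) can still get at."""
    return [{"post_id": p.post_id, **exposure(blog, p)} for p in posts]


if __name__ == "__main__":
    # Constructed sample: a theme-blanked blog hidden from search engines.
    blog = Blog("example", theme_blanked=True, hidden_from_search_engines=True)
    posts = [
        Post(1, "text", ["diary", "personal_"], has_read_more=True),
        Post(2, "answer", ["vent-", "a/b"]),
    ]
    for row in audit(blog, posts):
        print(row)
```

Running the script shows that the text post under a read-more is fully readable and reblogable with only the underscore-suffixed tag hidden, while the answer post cannot be reblogged but its `a/b` tag is still reachable through the API.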
You might want to check this post for any additions or corrections.
