Searching Privacy Rules and their Limits

Evening bubblers,

I’ll start this post off with an example:

Say you have a platform that has Job postings. Each “Job” thing has a field called “salary estimate”, which is a number the poster uses to help attract candidates based on ballpark values. However, the way the app is set up, the poster doesn’t want potential employees to see the actual number (as they would hope to perhaps hire for lower). Its purpose is to determine which searches the job should show up in.

So you set up a privacy rule that looks as follows:
Potential Employee:
-Find in Searches? Yes
-View all Fields: No
-View Specific Fields:
-“salary estimate”: No

A potential employee goes to their “Find Jobs” screen. In that screen, they can enter a “minimum salary” input, which will only show jobs that have a higher estimated salary than that field (using the Search: “Do a search for Jobs where salary estimate >= minimum salary input’s value”). Using the above privacy rule, the user can perform this search, even if they can’t see the specific value of the estimated salary field.

The problem is that the user can use this to FIND OUT what a Job’s estimated salary is, even if they can’t see it explicitly. How? Perform a number of repeated searches, increasing their minimum salary until the job no longer shows in the list. Once they reach the point that the job no longer shows up, they know that is the threshold.

Of course, there are a number of ways that you can work around this issue. For example, add a “salary range” field to keep the searches general, or even limit the input of the minimum salary to fixed intervals. But it does bring to mind an interesting question:
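To make the two points above concrete, here is a small added model (my own illustration, not Bubble’s code or anything from the original post) of a privacy rule that allows “find in searches” but hides “salary estimate”, the raw search that leaks the hidden value, and the fixed-interval input limit as a fix. The job data, the STEP size and all function names are constructed for the example. The `recoverable_value` helper is the check a developer would run against their own search to confirm how much of a hidden field an outside user could pin down.

```python
"""Constructed model of a 'can search but cannot view' privacy rule and its leak."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Job:
    title: str
    salary_estimate: int  # the hidden field


@dataclass(frozen=True)
class PrivacyRule:
    find_in_searches: bool
    viewable_fields: Set[str]


# Constructed sample data and the role rule described in the post.
JOBS: List[Job] = [
    Job("Backend developer", 83_500),
    Job("Designer", 61_250),
    Job("Analyst", 47_000),
]
POTENTIAL_EMPLOYEE = PrivacyRule(find_in_searches=True, viewable_fields={"title"})
STEP = 10_000  # assumed fixed interval for the mitigated search


def present(job: Job, rule: PrivacyRule) -> Dict[str, object]:
    """What the role can actually view: only the whitelisted fields."""
    return {f: getattr(job, f) for f in rule.viewable_fields}


def search_jobs(minimum: int, rule: PrivacyRule = POTENTIAL_EMPLOYEE) -> List[str]:
    """Raw 'Find Jobs' search: the hidden field is compared directly against user input."""
    if not rule.find_in_searches:
        return []
    return [j.title for j in JOBS if j.salary_estimate >= minimum]


def search_jobs_stepped(minimum: int, rule: PrivacyRule = POTENTIAL_EMPLOYEE) -> List[str]:
    """Mitigated search: the minimum must sit on a fixed interval, so every probe
    only says which STEP-wide band the estimate falls in."""
    if minimum % STEP != 0:
        raise ValueError(f"minimum salary must be a multiple of {STEP}")
    return search_jobs(minimum, rule)


def recoverable_value(search: Callable[[int], List[str]], title: str,
                      step: int = 1, ceiling: int = 500_000) -> int:
    """Largest minimum (a multiple of `step`) for which `title` still appears.

    The search is monotonic in its minimum, so a binary search over the
    admissible inputs finds the threshold; this is the developer-side check of
    how precisely a hidden field can be inferred through a given search."""
    low, high = 0, ceiling // step          # k = 0 always matches (salaries are >= 0)
    while low < high:
        mid = (low + high + 1) // 2
        if title in search(mid * step):
            low = mid
        else:
            high = mid - 1
    return low * step


if __name__ == "__main__":
    print(present(JOBS[0], POTENTIAL_EMPLOYEE))                 # only the title is visible
    print(recoverable_value(search_jobs, "Backend developer"))   # exact hidden value: 83500
    print(recoverable_value(search_jobs_stepped, "Backend developer", STEP))  # band only: 80000
```

With the raw search the hidden estimate is recovered exactly; with the stepped search the best an outside user learns is the 10k band, which is the level of detail the poster already accepts by letting the job appear in range-based searches. The same idea applies to the “salary range” field alternative: compute the band once when the Job is created and search on that, so the precise number never participates in a user-controlled comparison.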

If an item is marked as able to be found in searches in an app’s privacy rules, Bubble will allow searching on all of its fields. So what is to stop a person from using this to glean information? The answer I can see to this is to only set searches on fields that won’t expose data.

But how are searches handled on Bubble’s end? Are there any controls to stop a user from substituting the search parameters of a search? For instance, if the above scenario was fixed by changing the search to use predetermined steps outlined by an option set, could the user go in using the developer console and change the submitted parameters to search for their own provided values? If so, perhaps there is a need for finer controls over what fields can and can’t be searched on.

I want to be clear though, I’m not advocating for changing the behavior of searching such that only those fields that can be VIEWED can be searched upon. There are legitimate uses for searching on data that the user otherwise couldn’t view. Two more examples are:
-Preventing duplicate email list signups by doing a search for email addresses, even if you don’t generally want your email list exposed to users
-Searching by distance to a specific street address (which is a private field).