Client-imposed security on Outlook
By llauren on Mar 14, 2007 in english, usability
At work, we’ve been wondering for some time how the contents of Outlook events marked private can become visible to somebody with whom you’re sharing your calendar as read-only, a common practice at our company. My colleague found an interesting tidbit in the Outlook help files today:
Important: You should not rely on the Private feature to prevent other people from accessing the details of your appointments, contacts, or tasks. To ensure that other people cannot read the items that you mark as private, do not grant them Read permission to your Calendar, Contacts, or Tasks folders. A person with Read permission to access your folders could use programmatic methods or other e-mail applications to view the details of your private items. Use Private only when you share folders with people whom you trust.
(source)
So it seems that it is the Outlook client of the person who’s viewing your shared items that hides the private data. Or, put in more cryptological terms: if you are Alice and are sharing your calendar with Bob, Bob can, using his 1337 haxx0r skillz (or a Nokia phone), view all the details you have marked Private in your calendar.
Not Good. Actually, this is Not Good in considerable dimensions. From the user’s point of view, which is the one i consider the most important, what i mark private is private. As a user, i should be able to trust the software i use, and this feature just made a serious dent in the shield of trust. Outlook just looks trustworthy, but in fact it is only a front. From a technical angle, it is the Exchange server, which orchestrates the sharing of information, that should be the one to show or hide the data based on the relevant permissions of the viewer. After all, the Exchange server is the one that makes sure only authorized users and groups may access my other Outlook information… or is it only what i’m made to believe?
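The difference between the two designs, as an added example that is not part of the original post and is not Outlook or Exchange code: a toy calendar store in Python where the Private flag is either left to the viewing client or applied by the server before the data leaves it. All names (`Event`, `server_fetch_client_trusting`, `server_fetch_enforcing`, and so on) and the sample calendar are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Event:
    subject: str
    location: str
    start: str
    private: bool = False

# Constructed sample data: Alice's calendar, shared read-only with Bob.
ALICE_CALENDAR = [
    Event("Team meeting", "Room 2", "2007-03-14T09:00"),
    Event("Doctor's appointment", "Clinic", "2007-03-14T13:00", private=True),
]

def redact(event):
    """Keep the time slot (so the viewer sees 'busy') but drop the details."""
    return replace(event, subject="Private appointment", location="")

def server_fetch_client_trusting(owner, viewer, calendar):
    """Design the help text describes: anyone with Read gets the full items,
    and the Private flag is only a hint to the viewer's client."""
    return list(calendar)

def well_behaved_client_view(items):
    """What a cooperating client does at display time. Any other client or
    script that receives the same items is free to skip this step."""
    return [redact(e) if e.private else e for e in items]

def server_fetch_enforcing(owner, viewer, calendar):
    """Server-side enforcement: private details never leave the server for
    anyone but the owner, whatever client the viewer uses."""
    if viewer == owner:
        return list(calendar)
    return [redact(e) if e.private else e for e in calendar]

def leaked_details(items, calendar):
    """Subjects of private events that are present in what the viewer received."""
    secret = {e.subject for e in calendar if e.private}
    return sorted(e.subject for e in items if e.subject in secret)

if __name__ == "__main__":
    raw = server_fetch_client_trusting("alice", "bob", ALICE_CALENDAR)
    print("client-trusting, raw response:", leaked_details(raw, ALICE_CALENDAR))
    print("client-trusting, cooperating client:",
          leaked_details(well_behaved_client_view(raw), ALICE_CALENDAR))
    enforced = server_fetch_enforcing("alice", "bob", ALICE_CALENDAR)
    print("server-enforcing:", leaked_details(enforced, ALICE_CALENDAR))
```

In the first design the private subject is already in the response Bob's software received, so hiding it is a display choice; in the second there is nothing for any client to reveal.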