Previously, an unlisted album name would show as e.g.:
So, knowing a Google user name – which can be crawled from Google search results, for example – you could append names like “private” or “girlfriend” and hit on albums the user did not select to be public (with Picasa, that’s something else than selecting them to be private). With a little automation, I found around a dozen unlisted albums... and at one time, even Larry Page’s unlisted album was live.
Then, Google automatically redirected everyone from above URL to e.g. (and they also amended their wording in the private vs unlisted interface):
And finally, they now disabled this redirect for everyone except the album owner (and in the future, they might disable the last remaining redirect as well – they’re still displaying the “ Important! The address for this page has changed. Please update your bookmarks” note).
As Zmarties notes, Google itself still lists unlisted albums on their web search engine, though; in fact, now that there’s an authkey parameter, you can specifically restrict your search to these albums (even though the pages include a “noindex” directive, Google will list their plain URLs). However there’s a good chance the album owner – or one of his friends – linked to these URLs on a public page at one time or another in the first place.
Still, a third choice would make sense for album owners; visible to 1) everyone, 2) only people knowing the URL, and 3) only people I invited. Then you’d have the option to not invite anyone at all, and truly keep some pics private. Also, this wording would make sure no one figures that by not selecting public they make the album private.
>> More posts