Google also has to know that the file is there, before indexing it, either from a link available to Google, or from the website's sitemap, or by activating directory listing in Apache, or some other shit like that.
This is very simple. If you're using Chrome Browser, ChromeOS, or Google Toolbar, then google is using their pagerank tech ... or essentially sending the url you type into the browser to their servers for ranking purposes. If you can access it freely on the net, assume it is already indexed, even if there are no links to it.
> The Google toolbar sends information to Google for every page visited, and thereby provides a basis for computing PageRank based on the intentional surfer model.
For it to display a pagerank, it has to send the url to Google (otherwise, how is it going to know what to display the rank for?). Google can then send the crawler to that address later.
> If valid, I'd consider this an almost dangerous breach of privacy.
I don't believe they monitor who is going where. Just where people are going. Although it would be trivial for them to monitor who is going where ...
Also, an FYI, if you are logged in to Google and you're using their search engine, then they ARE monitoring you. Check out Google Web History.
I was concerned more with content indexing of URLs that are not meant to be public, to the point where that content could show in search results. Imagine my editor emails me a link to a blog article for approval before publishing. Or, as a designer, you create a draft of a web page to show to your client; and for the convenience of said client, you prefer not to have it password protected (nor take the time to set it up - you have enough to do!)
In both cases, imagine that someone loads the URL in their Chrome browser. If that action resulted in the URL being added to the googlebot's itinerary, even though no publicly visible webpage links to it, the result could be the exposure of information that we don't want. Or for the blog post example, it could even affect SEO by causing a duplicate content penalty.
Of course we can password protect the page, exclude the urls in robots.txt, etc. But there is a labor cost and inconvenience to having to do that, and there is always risk that something would slip through.
That said, what I write above is likely pure speculation; I don't know of any evidence that Google is actually doing this, and it seems unlikely to me that they would.
Also, searching on link:http://www.sosasta.com/uploaded/ doesn't show anyone linking to it. Even if the directory is there, it had to get there in the first place somehow.