Sunday, December 14, 2008

Twitter, APIs, and becoming lax on security

Recently I was testing out various iPhone apps for accessing Twitter, instead of simply going through the web browser on the iPhone. I finally settled on Twitterfon. I downloaded it directly for the iPhone from the iPhone app store.

After using it for a while it started inexplicably crashing. I tweeted about my issue, and then noticed a Twitterer with the handle twitterfon started following me. When I checked out their profile, they appeared to represent Twitterfon and had a link to a post explaining a way to fix the crashing while waiting for Apple to approve their software update for the App store. The solution included providing your Twitter log-in. Now, here's the thing: Twitterfon is apparently created by Naan Studio, but I didn't know that. So, when I saw a page on some site based on a domain with which I was unfamiliar, and asking for my log-in info...I got suspicious. I did not provide my info and decided to wait for the update to be made available via the App store. (All this took place on my iPhone of course, so perhaps if I'd been on my laptop with a larger screen and faster connection I would have explored more, but I didn't.)

I don't know quite why someone would do it, but it wasn't hard for me to imagine that someone could see the tweeting about Twitterfon issues, and create both the page to collect people's twitter log-in info and the Twitterfon Twitter handle and collect away.

I was reminded of this after reading this TechCrunch article on a new Twitter service, offered by someone TC proprietor Mike Arrington finds suspect.

The kicker is the final paragraph:
None of this matters that much for users. Except that they must type their Twitter credentials directly into Twitblog to test the service. That’s iffy at the best of times. But when a service is run by someone who’s shown questionable ethical behavior in the past, it’s a non-starter. The service also lacks terms of use and a privacy policy, so users won’t know how their private information may be used, sold or exploited.

No "terms of use and a privacy policy"????

I know a lot of us don't read those things carefully, if at all. Usually it's on sites you need to register to use, where you create an account, including your email address, and hope and pray it doesn't end up generating loads of spam or something else like that.

But I do think it's something we ought to be especially careful about when giving up private information like log-in information to a different, entirely unconnected service! Services like Twitter and Facebook have created an environment where third parties are gaining access to our log-in info. Facebook seems more secure, because it all happens within the Facebook universe, and because there is the assumption that Facebook has some authority over third party apps that are written for their site.

Not so with the various apps making use of our Twitter log-in info.

I realize it's a bit ironic that I handed over my log-in info to the Twitterfon app to begin with, but again: accessing it via the iPhone App Store gave it credibility.

How do you decide when or whether to share such info? Do you read terms of service and privacy policies? Do you notice when they aren't there? Are you getting cavalier about your log-in identities?

Most important of all: Are you one of those people who mindlessly lets Facebook apps send themselves to your entire friend community, rather than skipping that step? 'Cause you shouldn't be.
