There is an uproar these days over Twitter’s lack of security for its users. The phishing incident, the sale of Twply within a week of launch (handing its users’ credentials to an unknown buyer), and the earlier Twitterrank debacle all foster a deep sense of doubt and a lack of trust.
As one of the participants in this ecosystem, we want to share our thoughts on this issue. We will touch on how it has affected our product design, why we are in this for the long run, our plans, and why you cannot really blame Twitter.
1) We designed Mr.Tweet such that you do not need to provide your password
First and foremost, you do not need your password to use MrTweet. You just follow us like you would follow anyone else, so that we can DM you.
If you are a heavy user, you can follow with a single click. If you intend to follow just a few people, click on the name and a new window will open with that user’s Twitter page.
No need to give us your password to use the service
Click on the name to follow directly from Twitter. Again, no password required.
Of course, we would love a world whereby everyone trusts us, but we highly advise all users to be careful about who they provide their credentials to, and that clearly includes us.
Honestly speaking, there are a few features we are looking at that we think would kick total ass, but would require password authentication.
2) We are in this for the long run. Your trust is paramount.
We have invested a lot of effort in developing the discovery technology behind MrTweet, and we are extremely happy with the reception we have received and the value we have added so far. It would be dumb for us to break that.
The fact that we are in this for the long run is also why we invest a lot of time in sharing our thoughts in blog posts, contributing back to the developer community, and communicating with users. We also share a lot of our internal beliefs in interviews, such as the recent one on Net@Night with Leo and Amber.
All in all, we try to communicate as much as we can given all the constraints. We are not going to be perfect by any means, but we try!
3) We will support new authentication methods the moment they are implemented
We know Twitter is working on implementing OAuth on their site, and we will support it the moment it becomes available. That way, users can choose to provide their password or to authenticate using OAuth.
That said, OAuth is NOT a perfect solution. The user experience for alternative security methods still requires many steps (log out of Gmail and try this), and they carry their own hazards for the user, perhaps even more than the normal approach.
Alternative security methods come with their own inconveniences and hazards. Read this article on why this encourages phishing.
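To make the password-versus-OAuth tradeoff above concrete, here is an added toy model (my example, not Mr.Tweet’s or Twitter’s code; the service, the app names, the user, the password and the scope names are all constructed). It contrasts a third-party app that stores the user’s raw password with one that holds a scoped, revocable grant of the kind OAuth issues, and shows what an attacker gets from each app’s storage if that app is breached.

```python
"""Toy model: password delegation vs. a scoped, revocable grant.
Constructed illustration only; not a real OAuth implementation."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    app: str
    scopes: frozenset
    revoked: bool = False


class Service:
    """Stand-in for the platform that holds accounts and issues grants."""

    def __init__(self):
        self._pw_hashes = {}   # user -> sha256(password); toy only, real systems use a slow hash
        self._grants = {}      # token -> (user, Grant)

    def register(self, user, password):
        self._pw_hashes[user] = hashlib.sha256(password.encode()).hexdigest()

    def login(self, user, password):
        return self._pw_hashes.get(user) == hashlib.sha256(password.encode()).hexdigest()

    def authorize_app(self, user, password, app, scopes):
        """The user proves identity to the service (never to the app) and the
        app receives a token usable only for the listed scopes."""
        if not self.login(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(16)
        self._grants[token] = (user, Grant(app, frozenset(scopes)))
        return token

    def call_with_token(self, token, scope):
        """Return the acting user if the token is live and covers the scope."""
        entry = self._grants.get(token)
        if entry is None:
            return None
        user, grant = entry
        if grant.revoked or scope not in grant.scopes:
            return None
        return user

    def revoke(self, token):
        if token in self._grants:
            self._grants[token][1].revoked = True

    def call_with_password(self, user, password, scope):
        """Pre-OAuth model: any call is just a login, so every scope is open."""
        return user if self.login(user, password) else None


class PasswordApp:
    """Third-party app that keeps the user's raw password (the model the post warns about)."""
    def __init__(self, service):
        self.service, self.stored = service, {}

    def connect(self, user, password):
        self.stored[user] = password

    def send_dm(self, user):
        return self.service.call_with_password(user, self.stored[user], "dm") is not None


class TokenApp:
    """Third-party app that only ever sees a scoped grant."""
    def __init__(self, service):
        self.service, self.tokens = service, {}

    def connect(self, user, token):
        self.tokens[user] = token

    def send_dm(self, user):
        return self.service.call_with_token(self.tokens[user], "dm") is not None


def compare_breach():
    """Simulate both apps being breached and report what the attacker can do."""
    svc = Service()
    svc.register("alice", "correct horse")            # constructed user and password
    pw_app = PasswordApp(svc)
    pw_app.connect("alice", "correct horse")
    tok_app = TokenApp(svc)
    tok_app.connect("alice", svc.authorize_app("alice", "correct horse", "dm-app", ["dm"]))

    # Normal operation: both apps can DM the user.
    assert pw_app.send_dm("alice") and tok_app.send_dm("alice")

    # Breach: attacker copies each app's stored secret.
    leaked_pw, leaked_tok = pw_app.stored["alice"], tok_app.tokens["alice"]
    result = {
        "password_model_full_login": svc.login("alice", leaked_pw),
        "token_model_login": svc.login("alice", leaked_tok),
        "token_model_dm": svc.call_with_token(leaked_tok, "dm") == "alice",
        "token_model_profile": svc.call_with_token(leaked_tok, "profile") == "alice",
    }
    svc.revoke(leaked_tok)  # user revokes the grant; no password change needed
    result["token_model_after_revoke"] = svc.call_with_token(leaked_tok, "dm") is None
    result["user_password_still_valid"] = svc.login("alice", "correct horse")
    return result


if __name__ == "__main__":
    for k, v in compare_breach().items():
        print(f"{k}: {v}")
```

The point the toy makes is the one the post is circling: with the password model, a breach of the app is a breach of the whole account and the only remedy is changing the password everywhere; with a scoped grant, the attacker gets one capability, and revoking the grant ends it while the password stays good. It does not model the part the post rightly worries about, the authorization web flow itself, which is where the extra steps and the phishing risk live.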
4) Convenience and Security are Tradeoffs, so do not blame Twitter (ok, you can, but just a bit)
When unpleasant incidents like these happen, there is an overwhelming tendency to blame Twitter for not implementing better security measures, especially for 3rd party apps.
However, it is important to remember why you love Twitter – because of its simplicity and vast variety of wonderful applications.
Neither the simplicity nor the ecosystem would have been possible if Twitter had insisted on a high level of security right from the start. See, convenience and security are tradeoffs. I used to be in the military for a couple of years, and the first thing they taught us about security is to think of it as a door. You can leave the door unlocked, which is the ultimate in convenience, but of course completely lacking in security.
The upside is that it encourages a lot of trust and convenience. When Twitter first got started, the neighborhood was a safe place and the bad guys did not care, so we loved this no-lock policy. Now the neighborhood is becoming richer and the bad guys are starting to notice, so we must start locking our doors, and we criticize Twitter for being haphazard about security.
In other words, please understand that Twitter’s main concern is not the engineering effort needed to implement tougher measures; it is YOUR user experience they are most concerned about.
Folks like @al3x and @ev are relentlessly focused on the user’s and developers’ experience, and I believe that focus is a bottleneck in implementing these measures!
That said, I think Twitter could be A LOT more communicative with its users. Kris Colvin has a very well written rant here. Also see GetSatisfaction, where there has been no response to this problem. I believe a well written blog post communicating the difficulties involved would do wonders for its users.
5) Change your passwords right now
In light of all this, we will end with one statement. To put your minds at ease, change your passwords now, and be careful about whom you give them to.
Alright peeps! That is all, and again, please hit us up if you have any questions about privacy and security. I am personally reachable at firstname.lastname@example.org / @mingyeow / Facebook. See my blog for my cell phone numbers.
Take lots of care, and rock on for the new year!