Addressing Privacy Concerns

There is an uproar these days over Twitter’s lack of security for its users. The phishing incident, the sale of Twply within a week of launch (giving credentials to the unknown buyer), and the earlier Twitterrank debacle all foster a deep sense of doubt and lack of trust.

As one of the participants in this ecosystem, we want to share our thoughts on this issue. We will touch on how this has impacted our product design, why we are in this for the long run, our plans, and why you cannot really blame Twitter.

1) We designed Mr.Tweet such that you do not need to provide your password

First and foremost, you do not need your password to use MrTweet. You just follow us like you would follow anyone else, so that we can DM you.

If you are a heavy user, you can follow easily in a single click. For users who perhaps intend to follow just a few, feel free to click on the name, and you will go to a new window with the user’s Twitter page.

No need to give us your password to use the service

Click on the name to follow directly from Twitter. Again, no password required.

Of course, we would love a world whereby everyone trusts us, but we highly advise all users to be careful about who they provide their credentials to, and that clearly includes us.

Honestly speaking, there are a few features we are looking at that we think would kick total ass, but would require password authentication.

2) We are in this for the long run. Your trust is paramount.

We have invested lots of effort in developing the discovery technology behind MrTweet, and we are extremely happy with the reception we have received and the value we have added so far. It would be dumb for us to break that.

The fact that we are in this for the long run is also the reason why we invest a lot of time in sharing our thoughts in blog postings, contributing back to the developer community, and communicating with users. We also share a lot of our internal beliefs in interviews, as per the recent one on Net@Night with Leo and Amber.

This is us on Twitter. Hit us up with some nice @(s) if you have any doubts about your privacy

All in all, we try to communicate as much as we can given all the constraints. We are not going to be perfect by any means, but we try!

3) We will support authentication methods the moment they are implemented

We know Twitter is working on implementing OAuth on their site, and we will support that the moment it becomes available. That way, users can choose to provide passwords, or just authenticate using OAuth.

That said, OAuth is NOT the perfect solution. The user experience for alternative security methods still requires many steps (log out of Gmail and try this), and these methods carry their own hazards to the user, perhaps even more than normal.

Alternative security methods come with their own inconveniences and hazards. Read this article on why this encourages phishing.

4) Convenience and Security are Tradeoffs, so do not blame Twitter (ok, you can, but just a bit)

When unpleasant incidents like these happen, there is an overwhelming tendency to blame Twitter for not implementing better security measures, especially for 3rd party apps. 

However, it is important to remember why you love Twitter - because of its simplicity and vast variety of wonderful applications.

Neither the simplicity nor the ecosystem would have been possible if Twitter had insisted on a high level of security right from the start. See, convenience and security are tradeoffs. I used to be in the military for a couple of years, and the first thing they taught us about security is to think of it as a door. You can leave the door unlocked, and that is the ultimate in convenience, but of course completely lacking in security.

The upside to this is that it encourages lots of trust and convenience. When Twitter first got started, the neighborhood was a safe place and the bad guys did not care, so we loved this no-lock policy. Now that the neighborhood is becoming richer and the bad guys are starting to notice, we must start locking our doors, and we criticize Twitter for being haphazard about security.

In other words, please understand that Twitter’s main concern is not the engineering effort needed to implement tougher measures; it is YOUR user experience they are most concerned about.

Folks like @al3x and @ev are relentlessly focused on the users’ and developers’ experience, and I believe that focus is a bottleneck in implementing these!

A diagram showing the tradeoff between convenience and security in biometrics. Not like I know anything about biometrics, but it looks cool.

That said, I think Twitter can be A LOT more communicative with their users. Kris Colvin has a very well-written rant here. Also see GetSatisfaction, where there has been no response to this problem. I believe a well-written blog posting in which they communicate the difficulties involved would do wonders for its users.

5) Change your passwords right now

In light of all this, we will end with one statement. To put your minds at ease, change your passwords now, and be careful about whom you give your passwords to.

Alright peeps! That is all, and again, please hit us up if you have any questions about privacy and security. I am personally reachable at mingyeow@mrtweet.net / @mingyeow / facebook. See my blog for my cell phone numbers.

Take lots of care, and rock on for the new year!

Category: Service Updates

  • Great article!

    And service. Thank you.

    Best.
  • mingyeow
    thanks marc for the comment - much appreciated! Do let us know how we can do
    better too
  • thank you for letting me know. my twitter account was stolen in the same way.
    i already fixed it.
  • mingyeow
    Good luck. It is lucky that most people do not have that much sensitive data
    in their DMs yet.
  • Good Post. Tweeted this one :)
  • mingyeow
    Thanks for the support, let us know if we can do anything better. ;)
  • Great to see you guys communicate, and being sensitive to the many concerns we have about privacy. Oh, and for the personal, manual intervention to fix that little glitch I had. Rock on!
  • mingyeow
    Thanks! We are "talkative" by nature. haha. And yup, your privacy is
    important for us!
  • pedaah
    The phishing thing has really stirred things up!
  • mingyeow
    in a good way or bad way? ;)
  • I am a semi-addicted tweeter. I have not given my password out. This is a common thing for most popular social networks. This is the hackers' or script kiddies' way of "initiating" twitter. Never give out your password. I mean the legit services are awesome but what Mr. Tweet did is amazing from a developer's eyes. Not having to enter any of your data. Perfect.

    Thanks for the article. Very informative.

    And thanks for the great service. Btw, adding to my google reader for my iPod Touch. ;D

    Greetz,
    iSkirmish
  • mingyeow
    Many thanks for the compliments. We actually thought a lot about how to
    design the service such that we respect the user's options as much as we
    can, glad it paid off!
  • Good to see you responding with such reassurance so quickly after the phishing scam.

    If I'd needed to enter my password, I wouldn't have started using this service in the first place... :)

    Kx
  • mingyeow
    Thanks Kathleen! At some point, there will be features which require
    authentication, but hopefully you would have trusted us a bit more by then.
    =)
  • It's not really about trusting you, though - I might trust you very much but I still shouldn't have to give you my password.

    I'm very encouraged to hear that you'll be adopting OAuth as soon as it's available, and this blog post in general was extremely encouraging as well. Glad to see that you've got the right mindset about all this.
  • mingyeow
    Thanks for understanding Michael. The upcoming issue is that we need to
    implement authentication for some upcoming features. Getting users to create
    a new account with us seems redundant, yet giving us their twitter password
    seems silly.
    how?

    M
  • Well, in an ideal world of course we all have proper identities through a full open stack and authentication would be handled on all ends with OpenID.

    Of course, with a service like MrTweet which is so intrinsically tied to your twitter account, simply being able to do an OAuth flow should be enough for a basic level of authentication - oh, you have a twitter account? Great, we have everything we need (dm takes care of basic communication with direct unique links to things outside the 140-char limit, the fact that you could authorize shows that you have an account... etc.).

    I mean, oauth is the answer for a lot of things in your situation. You don't have any alternatives to asking for the password until they implement that.

    It's so frustrating, wanting to develop projects with twitter and being so limited. I really sympathize with your predicament.

    Are you going to be able to get into the twitter oauth beta?
  • "It's not really about trusting you, though - I might trust you very much but I still shouldn't have to give you my password."

    Thanks mtrichardson, that's exactly what I think too.

    Kx
  • mingyeow
    yup, so we make it such that you do not need to. =)
    M
  • I guess it happens everywhere doesn't it?
    But great from you to write about it, thanks for all.
  • mingyeow
    Yup, we try to be as upfront about it as possible. And also do some PR for
    Twitter too. =)
  • That about covers it. Nice work.
  • mingyeow
    Thanks Niall. =)
  • I'd like a way to rerun the original report. I'm either not seeing it, or it's not there. I've followed several people from the original list yet they're still showing up in your report that I should be following them.

    Also, if I don't have the bookmark at work/home, how can I view that report from an alternate location?
  • mingyeow
    Hi Andy, we are running bi-weekly updates, and it will be your turn soon!
    If you need it faster, just unfollow and follow us. =)

    M
  • DaveNF2G
    I still don't see the value of telling EVERYONE that they should or must change their passwords. The only passwords that need to be changed RIGHT NOW are the ones that are compromised. Like some of the other commenters, I do not give out my passwords for anything to anyone. I have a high index of suspicion for unsolicited links and I understand the way services for which I have accounts do business. Unless someone manages to hack an encrypted password database somewhere, I have no need to change my password except on a regularly planned cycle of password maintenance.
  • mingyeow
    Hi Dave, great point. The reason why we are saying this is due to the fact
    that we believe that most readers would have given up their password at some
    point, and it is just not clear where those passwords have gone to
  • The issue here is that twitter users have to give out their username and password to grant access to the apis for a third party. If twitter would hurry up and implement a token based authentication mechanism that the user can reset at will, then it would clear up most of the privacy concerns.
  • Hey, I am going to be programming a twitter application and would like to incorporate your services into. I was wondering if it was okay. Hit me up on twitter. ;D www.twitter.com/iSkirmish

    I won't be coding it until after march.
    Your help in this would be very helpful for both of us. =]
  • mingyeow
    I agree, however, it would also make it hard for 3rd party apps to do that.
    Imagine any of the twitter iphone apps doing that, it would be a much much
    worse experience
  • Thank you for posting this article. I used the service "Mr. Tweet" after hearing the interview with Leo Laporte. I trusted his recommendation, and am very pleased with your service! Your communication further instills my desire to use your fine service.
  • mingyeow
    Thanks mike! Much appreciated. We really try hard to communicate in a way
    that addresses the concerns of our users
  • Exactly. What we are crying out for is some form of token system. Any form of token system at this stage would be good.
  • Rob Neilly
    Been on Twitter for a while, but just started with Mr. Tweet. I appreciate both *services* and the very fact that they've been made available at all. A common sense, Web-wise approach is necessary for surfer or social networker! Thanks for the reminder, and for who you are and what you do.
  • mingyeow
    agree. i like the way you say it, common sense, web-wise! too bad even for
    someone relatively savvy like me, i have been caught a few times being
    nonsensical and web-foolish. :9
  • guys, guys, guys.

    check your images links
    file:///C:/Users/meow/AppData/Roaming/Windows%20Live%20Writer/PostSupportingFiles/a0a528f0-d06c-4030-a0f9-d780d92d4114/usontwitter3.png

    be more careful guys
  • mingyeow
    Hmmm.... i use Live Writer. How are the images showing up on your screen -
    are they broken?
  • Love how you've not only stated the pros & cons, but have offered solutions to the criticisms.

    The locked door analogy is a good one.
  • mingyeow
    Thanks for the encouragement! It is important to be positive I believe. And
    i learned the locked door in the military. :)
  • great summary keep it coming YO!
  • Thank you for taking the time to explain so well. Your advice has been invaluable.
  • mingyeow
    our pleasure! =)
  • To access the information on page sent to me recently my password was asked for. I did not give it and would not give it. Why ask?
    Possibly there is another Mr. Tweet using my @twitter?
  • mingyeow
    Hi Roz, you can just click on the name, and you can follow from twitter. No
    password needed in that case

    M
  • Excellent discussion! Thanks for posting this. You're ahead of the curve.
  • mingyeow
    Thanks Bill! We try to contribute back to the community by sharing our
    thoughts
  • Thanks for the reassurance and explanation of expectations. Some of us are newbies and will always need education. The bad guys will prey on inexperience.
  • Thanks Mr. Tweet. We all love twitter. I would also look at its capacity level as that message comes up often. Gail Barsky, Esquire http://profitsmakeover.com
  • Elena
    Thanks for this post, my friend will be so excited to check this. I really appreciate your work over here
  • Lawrencewright
    Hi Mr.Tweet,
    Great blog! I am following you on Twitter; however I have not received a DM with the link to join you!
  • Twitted! =)
  • Very Nice Article, Thanks
  • Just visit again your blog, now Twitted and Shared to Digg!
  • Hello, Can u please tell me, how to share this page to digg?
  • Nice post there. Raised a few things I hadn't thought about before. Thx.
  • Interesting post. I have stumbled and twittered this for my friends. Hope others find it as interesting as I did.
  • thanks for the post
  • They are definitely great help to me . I need it a lot !

    Thanks for sharing !
  • don't share your username and password to anybody make it private else you will be scammed,