So, about two weeks ago, fxl posted a warning to fellow users of LoudTwitter about the possible security implications of using the service, as they didn't have a proper TOS or any other type of privacy statement.
As a LoudTwitter user I was pretty alarmed by this revelation so I left the developer of LoudTwitter the following message on his blog:
Are you planning to update your privacy policy? What's to stop someone associated with you from stealing passwords and then having unauthorized access to a user's blog? How do you ensure peace of mind for those folks using your service?
Posted by: Mr. Sparkle | April 13, 2008 at 11:14 PM
In the meantime I stopped using the service and deleted my account. I was kinda beginning to lose hope that he'd write me back or respond to my post or something, but today I received this message in my inbox:
Hi,
I don't see how LoudTwitter would allow anyone to steal a password, but if you have any information on the matter, please send specifics.
Thanks,
So, I sent him back the following mail:
Hello,
Your TOS mentions nothing about how you protect the data of your user base. Hypothetically, you or a person associated with you has access to those passwords and are therefore a security risk.

I don't mean to imply that you are that kind of person, nor is anyone else who has access to your system. But what kind of assurances do you give the user off the street that your system is secure?

Personally, I think LoudTwitter is a great idea and well executed. If I didn't think so I wouldn't have taken the time to communicate these concerns to you.

However, without some sort of assurance of privacy many people including myself are hesitant to use and support your service. A guy can't be too careful on the internet nowadays.
Regards,
Then I went out to dinner with Zang (we had yummy Mexican at a restaurant up in Cardiff), ate too much, and came back home to check mail and relax. In my mail was this reply:
Hi,
Thanks for your feedback.
Yes, the TOS page was kind of a joke when there was really only one user in the system: the friend I hacked the service for. Since then, I've been too lazy (or too busy with my day job) to think or care about updating it.

It's now done.

That being said, I don't like to have the responsibility to store users' passwords in the LoudTwitter database, and since it's technically interesting I'll try to play a bit with OAuth to see if it can provide some answers there.
Thanks,
Sure enough, the TOS is updated and looks better (albeit with a few spelling errors, but I have teh spelling nazi). I'm really thankful that the LoudTwitter developer took the time out to take care of this. It would be so easy to just respond to my query with "STFU I DO WAT I WANT CUZ IM COOL AN YOR TEH SUXORZ!!!1". I've definitely seen that attitude on other developer forums.
Anyhoo, as you know I usually keep my journal entries locked tighter than your sister's legs, but I'm opening this one up. If you know anyone who might be interested in this, feel free to link to this post (not that I could stop you anyway, ya hot-linkin' bitches =P ).