On Twply and giving out your Twitter password (updated)

Posted by Fred Oliveira on January 1, 2009 | Comments (30)

It’s 2009 and people are still, well, naive. I just read a post by Robert Scoble about how Twply – apparently a service that sends the replies you get on Twitter to your email – is using its users’ usernames and passwords to send Twitter messages from the users’ accounts (and of course, keeping that data to do with as they please in the future). There are 3 parties to blame for this whole thing:

1) The user: if you consider your Twitter account a part of your identity (like I do), you shouldn’t be giving out your password to anyone, particularly a service that has no terms of use or privacy policy showing. These people could be hijacking your account tomorrow and you would be to blame because you gave them the means to.

2) Twitter: because they’ve been sitting on their OAuth implementation for over a year now. Essentially, it would give users a way to provide external services with temporary access to the account, without actually giving the entire account away. This would provide a safe way for services to communicate without the user actually being in jeopardy. Twitter folks, what the hell?

3) Twply: because they’re violating trust and being shady. Interestingly, someone asked them (over Twitter, no less) if the passwords people were giving were encrypted on Twply’s service, to which they replied “yes they are”. Well, they can’t be or they wouldn’t be sending them to Twitter, would they?[1]

The subject of trusting web applications and services with your data is complex and tricky. But there are definitely apps out there that make it really clear that they’re shady. The problem is, naive users (looking for the latest bling because they see pundits mention the service) will still be lured in.

Footnotes

[1]: To put it simply, let’s say you give Twply your password, and they encrypt it. If they do encrypt it properly there’s no way to reverse the process, which means they can’t authenticate as you with Twitter (because instead of sending Twitter your password, they would be sending the encrypted version of it, which would be invalid). It is 99.999% safe to assume that these people are lying here.
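
The footnote’s argument as a runnable sketch (an added example, not code from the original post): it reads “encrypt it properly” as one-way storage such as a salted hash, and assumes the upstream login uses HTTP Basic authentication. The username, password and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample credentials; all names here are hypothetical.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def basic_auth_header(username: str, secret: str) -> str:
    """Build the HTTP Basic Authorization value a third party must send to log in as the user."""
    token = base64.b64encode(f"{username}:{secret}".encode()).decode()
    return f"Basic {token}"


def upstream_accepts(header: str) -> bool:
    """Stand-in for the upstream service: accepts only the header built from the real password."""
    return hmac.compare_digest(header, basic_auth_header(USERNAME, PASSWORD))


def one_way_record(password: str, salt: bytes) -> bytes:
    """What an intermediary stores when it protects a password irreversibly (salted PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_locally(candidate: str, salt: bytes, record: bytes) -> bool:
    """The only use of a one-way record: checking a password the user types in again."""
    return hmac.compare_digest(one_way_record(candidate, salt), record)


def replay_outcomes() -> dict:
    salt = os.urandom(16)
    record = one_way_record(PASSWORD, salt)
    return {
        # The record still verifies the user's own login to the intermediary.
        "local_check": verify_locally(PASSWORD, salt, record),
        # Sending the stored record upstream fails: it is not the password.
        "replay_record": upstream_accepts(basic_auth_header(USERNAME, record.hex())),
        # Acting as the user upstream requires the recoverable plaintext.
        "replay_plaintext": upstream_accepts(basic_auth_header(USERNAME, PASSWORD)),
    }


if __name__ == "__main__":
    for name, ok in replay_outcomes().items():
        print(f"{name}: {ok}")
```

A service that posts on your behalf with your password is therefore in the third case: it holds the password in a form it can recover, whatever it says about protecting it at rest.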

Updates

And *bam*, they’re sold! Not only do they have your passwords, they’ve sold themselves (and your data) to someone else to do as they please (remember folks, there’s no terms of use or privacy policy, here). With the passwords for accounts like @techcrunch, I was betting on a bit more than $1.200, but you know, they made a quick buck. My best recommendation: if you did give these people your password, go change it.

Design thinking

Posted by Fred Oliveira on | Comments (1)

I have recently decided to dedicate part of my time to the practice of design thinking. I have been speaking and writing about user experience, strategy and design thinking for a while but due to ongoing projects (within our company) it’s been a while since I’ve been able to focus on helping companies and people create new values and products through design.

I’d like to leave you with a video of BusinessWeek’s five questions with Tim Brown, CEO of IDEO and someone whose brain I’d love to pick every once in a while. In the first few minutes of this video, Tim goes through what he defines as Design Thinking as a practice, and how companies (much like yours or mine) can benefit from the discipline. Inspiring stuff. Have a look:

I’m making getting back to doing more design and strategy one of my resolutions for 2009. This means that if you ever need a consultant with a flair for building products and experiences today, get in touch, I am dying to get back to work with people passionate about ideas.

Note: This being the first post of the year, I thought I’d commit to something else in addition to more work on design thinking – blogging more. I’ve gone through posting highs and lows in my years of blogging, but I plan on redeeming myself from all the lows during 2009. Happy new year!

All design and content © Fred Oliveira 2007-2012, unless otherwise specified.