Graham Cluley's recent article about stealth-mode social networking newbies Connect.me has stirred up a lot of controversy.
The Connect.me site has exactly two pages - at least, it does if you don't sign up. The main page simply invites you to Reserve your username and get early access; this page takes you to a second page which simply says Login with [Facebook] [Twitter] [LinkedIn]. That's how you log in, even if you're an existing user.
Oh. There's a link on the main page which opens up a half-screen of About text. The important part of this is: "We believe privacy, control, and portability are requirements, not features." The highlighted words look as though they're links to further information, but they're not.
Graham's article provoked numerous comments agreeing with us - some said that a site which asks you to sign up with no indication of (indeed, which deliberately suppresses) its proposed business is Just Plain Wrong. But others roundly said that we were unfair, and ought to have given these newcomers time to show us what they were all about before expressing an opinion.
I'm going to continue the controversy on Graham's behalf, by quoting and responding to Mr Reed.
Then I'll ask you, our Naked Security readers, to vote on the issue.
Here we go.
Hi Graham, this is Drummond Reed from Connect.Me. Great post! We couldn't agree more about the need to address privacy concerns around social sign-in.
Your post seemed to have helped fuel the sign-up rate at Connect.Me today.
That's nice for you. Ironic, of course, but nice for you. In return, could we ask you to return the favour by saying something meaningful on your site about what you plan to do with the information you collect?
What will you store? Where will you store it? How do you intend to use it in future? Most importantly, how do I contact you to withdraw my permission to keep it? And how long will you take to delete it?
It will be great fodder for conversation at SXSW this weekend.
Have a good time, Drummond. (I'm sincere with that wish.) But talk is cheap. And SXSW isn't about security, privacy and on-line identity, is it? It's about musical and filmic content - creating it and publishing it.
How about coming to a security conference as well, and throwing yourself into the conversations you get at that sort of event? If you can make it to Infosec in London, England, in April (or to AusCERT in Queensland, Australia, in May) I'd like to invite you to the Sophos stand.
We'd love to have someone from connect.me take part in a panel discussion on our stand - and we'll buy the beers.
To put any fears to rest, we're not scammers. We're people from the Internet identity and privacy space working to help make a better, safer social web.
Thanks. That makes me feel better. I think.
But I've read words that are equally earnest, and which sound just as sincere, from Advance Fee Fraudsters, from peddlers of fake anti-virus, and from those call centres which say they're from Microsoft and they've phoned especially to help.
The point is that if you really care about privacy, you shouldn't ask people to enter into any sort of on-line social contract without explaining who you are, what your intentions are, and what mechanisms you have in place - now and for the future - to protect that privacy.
In fact, it'll almost be worse if you guys really do turn out to be legitimate. Because the tens or hundreds of thousands of users who've taken a risk on you and got away with it will be more inclined to take risks again. Next time they do, it probably won't be Drummond Reed, Nice Guy of the Net.
Please be more open and less marketroidistic! I suspect we agree about the end result. But not about how you have gone about reaching it.
And now, Naked Security readers, what do you think? Please vote in our poll: