If you look at the home page of
Canon-100 Yahoo Group you will see an assertion of "the risk of identity theft it can facilitate". Now I consider myself reasonably well versed in understanding what identity theft is, but hey let's get the verdict of a real authority. Let's go to
ftc.gov and see what they have to say.
Identity theft occurs when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes.
Three words hit me from that sentence: permission, fraud and crime.
So let us understand what Grouply does and measure it up against the assertion on the Canon-100 Y!G.
Grouply requests that users register their Yahoo ID and password. In this way they are gaining permission. At least that is what I understand by "permission".
Grouply are not alone in requesting this kind of information. Household names that do similar include
Trillian,
Qnext and
Meebo. If you look further getting to around 20 tools and websites that do similar is very easy, and I would not be at all surprised if the diligent researcher could get to a 100 tools and services, or more.
Now on the
Yahoo Groups blog this issue was explicitly raised, and what Yahoo said was that if you were going to reveal your Yahoo ID and password to anyone then you jolly well ought to be careful. More than that they said that you are responsible for such an action - that's what their Terms of Service says.
Note that what they did NOT say is that you should not reveal your Yahoo ID and password. To say that would have been very easy for them to do. Nice, clean, job done. But they did not. No, what they said was - act responsibly.
Now I would like to briefly investigate two questions that are opposite sides of the same coin. Why hasn't anyone complained about the many other tools and services that are around and that also request a Yahoo ID and password, or more rather why do Yahoo Group owners get overly concerned.
Well to start with many of the tools and services such as Trillian and primarily aimed at chatting and instant messaging. Chatting has two characteristics that are different to Yahoo Groups, it is temporal and also (with no disrespect) can often be relatively "light" hearted. Conversations in Yahoo Groups can often get quite heated. Sometimes debate becomes very intensive and very personal. It can also be very informed debate. It can also be quite ground-breaking. Basically people who frequent Yahoo Groups often put their life and soul on the line.
Not only that, but the content of a Yahoo Group can also be very personal not just from an intellectual sense but also from a physical sense. I belong and contribute to several groups concerning medical conditions. I, personally, would not want the content of those groups revealed to people outside those groups. And I am not talking acne!
What goes in a group, stays in a group. Okay? That is what it is important to group owners and members alike. That's privacy, and that what Grouply does. Grouply exposes messages to users who are in already in a group. It does not expose those messages to people who are not members of a group, even if the group's archives are public.
(There are a couple of important refinements to this in progress for groups where the moderator restricts archive access to moderators only and groups with deleted posts. See GrouplyImprovements below for more info.)
Of course the problem of the all-encompassing Yahoo ID & password is that it potentially gives access to all of one's yahoo system. That includes email, instant messaging, groups, profile and whatever other products and services that Yahoo delivers. That's why you have to act responsibly.
This means that those people who just use Yahoo for its Groups activity may take a different perspective to ones who use Yahoo for a wide range of their products and services. And this is just one reason why Yahoo does not say "thou shalt not". They know that everyone is different.
They know that someone who is simply going to IM around friends on GoogleTalk, AIM and Yahoo Messenger is going to use a single easy to use, no install, no clutter, no ads interface service like Meebo or Trillian every chance they can get.
I know of high-powered computer system administrators use tools like Meebo to stay in touch with their customers. They know that their customers will use their own favourite tool and rather than being proscriptive, "hey, if you want to talk to use you have to us when your servers are down then you MUST use GoogleTalk" they prefer to say, "just use whatever way you have of communicating, we accept all kinds of IM technologies..." That's where IM aggregation tools step in.
Let me underline a point here. It would be extremely easy for any and all of these tools and services that are similar to Grouply to surrepticiously garner all of your Yahoo Groups information, profiles, groups and their archives. Once they have your Yahoo ID and password nothing you could do could stop them, except for changing your credentials. But they don't, at least in general. Most if not all of them act totally responsibly. To do otherwise would be quickly spotted by some Internet guru, perhaps using tools such as
TcpView from SysInternals that monitor TCP and UDP endpoints.
Now Grouply is an aggregation tool, one currently focused on Yahoo Groups, and potentially soon to include Google Groups. So focusing on Yahoo, they know that new products and services will come on stream all the time and that flexibility is a fundamental requirement if any one company is going to survive. They also know that people write passwords down on pieces of paper, that they share them will family and friends - and colleagues. They also know that people send passwords in (insecure) emails.
They, Yahoo, know like the rest of us should know that passwords are a very poor security system. They and you know that passwords are well understood and very flexible. Just act responsibly. Responsibly means things like changing your password occasionally, using strong passwords and maintaining its privacy.
And so Grouply enters the fray. A new service that delivers significantly beneficial functionality for some types of Yahoo Groups users. Yes, there will always be some people who do not wish to use Grouply because it offers them nothing.
Yet there are others who have their eyes open to new ideas, new ways of working. Such people are interested in working more effectively, whether that is faster or more informed or whatever. This is the information age, after all.
So we now kn0w that Grouply users, because of the information they are dealing with is primarily on Yahoo Groups that they are often sensitive as to how that data is managed. Therefore it is right that Grouply should act responsibly. I will go further than that they should act very responsibly. So what do we mean by responsibly?
- A properly formed company
- A comprehensive statement on privacy
- One that is backed by independent auditing authority
- And a company that is very responsive to user needs on privacy
Have I missed anything? What I have listed above sums up what Grouply is. Their statement on privacy is very comprehensive. To my knowledge there has not been one complaint against that statement, and if there has then Grouply has been very responsive to work with the person / people to ensure that those privacy needs are met.
To give an example of how responsive they are the Yahoo Group called
GrouplyImprovements was formed by people who are considered by many in-the-know as perhaps doyens of this industry. When they speak, people listen. The group runs independently and the Grouply team are "in there" as members, as contributors. They listen to what is going on, they answer questions and they interpret ideas, take them away and implement them in an orderly fashion back into the Grouply product and service.
And so we come back to identity theft. How someone can insinuate that Grouply is stealing Yahoo IDs and passwords is beyond my ken. Grouply state, up front what they are going to ask for. They have a well defined process for safeguarding that information, the essential points of which is covered in their
privacy statement. They say why information is required, and how it will be used. Further than that they say how it will NOT be used.
And how does it measure up against the FTC's powerful words "fraud" and "crime"? I think you will agree that if someone was going to commit such acts they would at least avoid having a decent privacy statement. I think you would probably find that a company interested in such acts would try to hide behind a veil of secrecy: instead Mark & Rich the company's founders are not difficult to find or talk to.
I would like anyone to show me another company that requests Yahoo IDs and passwords that acts more responsibly - and you can take that as a challenge.
Image via WikipediaSadly someone is running the Ungrouply blog with the intent of defaming Grouply. I would support this activity much more positively if and when new or useful points are made. Sadly one has to read lots of repetitive and often incorrect waffle to get to any pertinent and useful points. Take this thread on the subject of friends.
