|Wake Up People!
||[Feb. 14th, 2008|10:10 am]
I Should Get Out More
I got an email today from the administrator of one of my Yahoo! lists. He mentioned a site called Grouply, and said that if anyone joined it, their email addresses would shortly turn into Grouply addresses, and then he'd eliminate them from the list. That intrigued me, so I decided to do a little investigation.
On the surface, this looks like a good deal. Grouply is supposed to allow you to consolidate your Yahoo! and Google Groups so that you get only a single, readable digest email instead of one for each group and can surf all of your groups from the Grouply site, it incorporates social networking capabilities, and it has some nice additional features like cross-group calendars and such. Looks like a great Web 2.0 site! TRUSTe certified! Positive reviews on websites! Sign me up!
Except... The manner in which Grouply does all this raises quite a few security questions. In order to create your account and have it integrate with your Yahoo! and Google, you have to give it your user name and your password! Think for a moment of all the stuff you have in your Yahoo! account. You might use it as your primary email; you might use it for your primary IM communications; you might have your stocks in Yahoo! Finance; and so on, and so on. Many people use Yahoo! for a lot of small stuff, and all of that becomes exposed the second you join Grouply. Their T&Cs claim that they don't use your data for anything other than what is stated, but how can you trust them? They have employees with bad days just like everybody else; except a rotten apple in that batch could easily steal your online identity. This is especially true if you use your Yahoo! ID as your OpenID for other sites.
It's a huge risk and security hole, and I can't discourage people enough from joining Grouply. Most Web 2.0 sites that integrate a number of other sites (like Plaxo) just incorporate your data -- your actually telling Plaxo what information to look at, and it drags in the data that's already available. You can tell, since they never ask for your password. This is a whole other step into a shadowy territory, where your identity is at a real risk.
And while I'm at it, this Meebo thing, it looks like the same thing, but for IM. And the same thing applies -- since you have to give it your passwords, you're leaving yourself open to identity theft or other shenanigans. Even if these sites never lead anyone to steal your identity, everything you do through them can be tracked.
Just say no, people.