#StandWithUkraine
Andrey “Rarst” Savchenko —  — Thoughts — developer, ghacks, gmail, trust

Trust and accounts

I know that when I think world has few screws loose it is more about me. Sometimes it is clearly about world.

Few days ago I got effectively anonymous email, that suggested I review gmail notifier – small app to check multiply gmail accounts. From there situation played out interesting.

[Updated 2009-09-27 with additional info from developer]

trust

trust

Photo by Lars Plougmann

Post at ghacks

Bit later Martin had posted about it at ghacks. By then I had browsed site and I really disliked some development decisions that went into app:

  • reads remote configuration file for compatibility;
  • some kind of web-templates (again – remote as far I understand);
  • mandatory silent updates.

That was about what I wrote in comment under ghacks post.

Feedback on feedback

Aside from edgy comment from another ghacks reader I also got follow-up email from developer. I can’t claim I got mood right (he doesn’t seem to be native English speaker, neither am I) but it was hardly positive.

His main points were:

  • web-based apps are legit development technique;
  • he rescinds his desire to get app reviewed by me.

Development side

Ok, I see no reason to go web with tiny notifier app, but if that works for developer let it be.

I have huge trouble with remote configuration and mandatory silent updates. Of course updates are nice. As long as user has choice to confirm or decline and get accurate information on update content.

[Update] Developer had cleared up that updates will be downloaded automatically but can be declined by user. Remote configuration controls:

  • Imap server address + port + expunge thresholds
  • Max Email length
  • Max password length
  • Window size
  • Google search URL
  • Polling interval
  • UI margins
  • Latest version

Seriously, hadn’t we had enough stories of updates breaking stuff? To allow another person to make mandatory, silent and remote changes to your PC configuration is insane (unless it is admin at your work :).

Security side

It seems people have issues with interpreting online situations. So while cooling off I had thought out decent real life analogy. Someone comes to you and says:

Give me your credit card and car keys so I can go buy groceries for you. And by the way tell all your friends to do the same.

From there you have a choice – do it or not. Naturally your decision would be greatly influenced by who that man is:

  • maybe friend;
  • maybe employee of company that specializes in buying groceries, that is authorized by your favorite store;
  • maybe nobody to you.

Somehow people online are happy to throw accounts (that are often keys to highly important personal and financial data) to anyone who asks. And this is also very insane.

There are many factors that can make such trust justified:

  • companies and developers with established reputation;
  • software with millions of users;
  • open source code that anyone can audit.

On other hand if you ask for trust with nothing to prove yourself – don’t be offended by lack of trust because you had done nothing to earn it.

Overall

I don’t and won’t trust my account to developer that puts his convenience before my security.

Would you?

Related Posts

5 Comments

  • kelltic #

    Me, I want to be asked before the download. Only my anti-virus gets to download and update without telling me first --- I think --- Sometimes I just know there are things running that shouldn't be. Who can say not? And mandatory is one of my most hated words, at least when it applies to me. Most of us technically challenged shareware enthusiasts out here aren't careful enough about what we download (I have a couple of horror stories of my own) so it's a good thing we have people like you who actually look a little deeper - and translate for us. "mandatory silent updates", I would have understood, but web-templates ?????, remote configuration file ????? Back to that whole online thing but that isn't what you were talking about, exactly. This is something I sorely miss about my old dial-up connection. When I was offline. I was offline. Period. You can't get me while I'm not plugged in. Now, I'm suspicious all the time of what might be walking in and out of my doors, er, uh, ports. Too bad about the developer rescinding his "invitation". Guess he got his app kicked, anyway, didn't he? :)

  • Rarst #

    @kelltic I am quite confident that you can disconnect any connection as easy as dialup. :) Personally I don't feel that web-based apps are mature enough. One of my core issues with Twitter clients. It is used not because it fits the task perfectly, but because it is easier for developer.

  • Transcontinental #

    "I don’t and won’t trust my account to developer that puts his convenience before my security. Would you?" Definitely not. Flexibility and details are always proportional to the amount of privacy one is willing to share. There are limits in my opinion. Moreover I believe it is always wise to avoid concentrating all powers on one software. Surfing is one thing, email is another and so on. Big companies dream of being the user's one and only reference, and small developers as far as they're concerned tend sometimes, willingly or not, to mistake data and privacy concerns. I do say, don't say everything :)

  • Rarst #

    @Transcontinental Moreover I believe it is always wise to avoid concentrating all powers on one software. Surfing is one thing, email is another and so on. Big companies dream of being the user’s one and only reference That what worries me a bit about Google. You often have no choice except to use multiply services (especially as web publisher). And it all stacks on single account with single password. So I am especially sensitive about this one. :)

  • Transcontinental #

    There are alternatives to Google services! I mean, Google is nice, Microsoft, Apple and you name it are nice... in some things, less in others. I believe the point is to choose specifically, and not refuse or accept all. I like Google for GMail (though a simple medium when mail is called from Thunderbird), its search engine, the best IMO, and for Google Earth, but the company's appetite is becoming voracious and privacy concerns notorious. Microsoft makes good OS, but bad browsers and bad search engines... and so on. Look everywhere, so many applications, even Firefox extensions search for... our concerns! Cookies, which were intended to preserve settings, are now systematically on 99% of websites put up on the visitor's computer: just visit and you are referenced! There is something mad in this business so I dare say and join this belief: be neither cynical, nor paranoid, nor credulous! Long live the WWW :)