There has been quite a buzz today about twitterank.com. ZDNet's Oliver Marks has a quick article called "Gullible Twitter users hand over their usernames and passwords - did you get your Twitterank yet?!" @ryanirelan had two timely posts (one simply "suckers" with this link), with the most interesting one being a link to this article: The password anti-pattern, by blogger Jeremy Keith.
The gist of the article is that the common social network "feature" of letting users import contact lists from other services may be useful for rapidly expanding the network, but asking users to input their email address and password from a third-party site like Gmail or Yahoo Mail teaches people how to be phished.
Enter change.gov. A key feature of "sharing your vision" on change.gov is that you can, you guessed it, enter your email address and password for your mail account, and change.gov will suck up all of your contacts (they do say "Don't worry, we won't store your login or password"). Earlier, I questioned whether a government (or quasi-government) website should have all my contacts (quick decision: no), but I think I missed the more important question: should a government website have, or even ask me for, my email login credentials? I think not.
So, what's the solution? Jeremy recommends OAuth, "an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications." But there is a principle here: social networks related to the government shouldn't ask citizens to hand over their secret credentials. They need to find another way.