Thursday, June 2, 2011

The Technical Ramifications of Weinergate


'Weinergate' is the nickname for an ongoing political tempest in a teapot, but let me start by saying that I'm going to try to skirt the politics and focus instead on a couple of technical improvements that I think are needed as a result of this scandal. The coverage has been mired in partisanship, so if you're just learning about this story, I recommend that you read this timeline of tweets from the right-leaning Director Blue; from the left-leaning Cannon Fire, we have: Congressman Weiner was Framed! Whatever.

I take a lot of pictures. If I'm attending a newsworthy event, I'll often try to provide live photos from the event via TwitPic. My basic process is to take a picture and then email it to my secret TwitPic submission email address. TwitPic then sends out a tweet on my behalf. The tweet is whatever I put in the subject line of the email and a link to the picture now hosted on TwitPic. In the above political drama, YFrog was used instead of TwitPic. But YFrog works pretty much the same way. What's surprising to me is that so few people seem to know that you can email pictures to YFrog and TwitPic. It's a great feature. I wonder if they know that you can email videos to YouTube and blog posts to Blogger/Blogspot...

The issue is that YFrog does not care what email address sends a picture on your behalf. It doesn't confirm that the originating email address is in any way trusted or associated with your account. There are reasons for this: you might want other people to submit pictures on your behalf, or you may have a lot of email addresses. That is to say: the submission email address that you send your pictures to will publish those pictures regardless of where they came from. Of course, the submission address can be compromised. If someone untrusted by the account owner gets the submission email address, they can use it for their own nefarious purposes. For that reason, TwitPic, YouTube, and others allow you to change the submission email address; however, there does not appear to be a way to change your submission address for YFrog.

The most important aspect of all this is that these third-party tools can compromise Twitter's credibility. Rep. Anthony Weiner's Twitter account is "verified". Twitter describes verification like this:

Verification is currently used to establish authenticity of identities on Twitter. The goal of this program is to limit user confusion by making it easier to identify authentic accounts on Twitter.

If the submission email address for a verified Twitter user's YFrog account is compromised, then Twitter's imprimatur of authenticity is in doubt. Twitter may want to fix that, but it's dependent on its third-party app developers like TwitPic and YFrog. They're the ones that will have to do the heavy lifting.

One way that this problem could be fixed is for YFrog and TwitPic to require that pictures sent to the submission email address originate from an authenticated address. Once that is in place for a given app (TwitPic, YFrog, etc.), Twitter would test the app. Twitter might have multiple badging options based on the features and security specifications that the app meets. My thinking here is that if a verified Twitter user is using an app that doesn't meet certain standards, then Twitter should revoke (or mark) their account (or tweets) to indicate that.
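One way a photo service could enforce the authenticated-sender requirement described above, as an added example (not code from YFrog, TwitPic or Twitter): a message is accepted only when its From address is registered to the account and the service's own mail server recorded a DKIM pass for that domain. The host names, account table and sample messages are constructed assumptions, and the inbound mail server is assumed to strip any incoming Authentication-Results header that claims its name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.photohost.example"  # hypothetical: the service's own inbound MTA
# Hypothetical account store: secret submission address -> senders the owner registered
ACCOUNTS = {"k3x9.alice@post.photohost.example": {"alice@example.org"}}

def dkim_pass_domains(msg):
    """Domains with dkim=pass, read only from Authentication-Results headers
    stamped by our own MTA; headers added by anyone else prove nothing."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results, re.I):
            domains.add(m.group(1).lower())
    return domains

def accept_submission(raw, rcpt):
    """Return (accepted, reason) for a message delivered to submission address rcpt."""
    allowed = ACCOUNTS.get(rcpt.lower())
    if allowed is None:
        return False, "unknown submission address"
    msg = message_from_string(raw)
    froms = msg.get_all("From", [])
    if len(froms) != 1:  # ambiguous sender: refuse rather than guess
        return False, "missing or duplicate From header"
    sender = parseaddr(froms[0])[1].lower()
    if sender not in allowed:
        return False, "sender not registered for this account"
    # The From header alone is trivially forged, so require a DKIM pass for its domain.
    if sender.rpartition("@")[2] not in dkim_pass_domains(msg):
        return False, "From domain not DKIM-authenticated"
    return True, "ok"

def sample(sender, auth_results):
    """Build a constructed test message (not real traffic)."""
    stamps = "".join(f"Authentication-Results: {a}\n" for a in auth_results)
    return f"From: {sender}\nSubject: Live from the event\n{stamps}\nphoto attached\n"

GENUINE = sample("Alice <alice@example.org>",
                 ["mx.photohost.example; dkim=pass header.d=example.org"])
SPOOFED = sample("alice@example.org",  # registered name, but no trusted DKIM pass
                 ["mx.photohost.example; dkim=none",
                  "relay.untrusted.example; dkim=pass header.d=example.org"])
STRANGER = sample("mallory@other.example",
                  ["mx.photohost.example; dkim=pass header.d=other.example"])
```

With this check in place, knowing the submission address is no longer sufficient to publish; the address stays a secret worth rotating, but it stops being the only control.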

Maybe we'll find out the real story behind Rep. Weiner's late night tweet. Maybe we won't. Regardless, finding the truth often depends on knowing who we can trust. If you've relied on Twitter's "Verified Account" badge in the past, will you continue to in the future? For me, it's looking a little less trustworthy.
