Alcides Fonseca
Twitter, Passwords and Databases

The context

Early this month, the Twply sale made the news on tech blogs. Jeremy warns users about the password anti-pattern. Fred writes about it, and Messina replies to Al3x.

Of course I would rather have OAuth, so users could revoke access to my app without affecting the other 101 Twitter apps and mashups that also hold their username and password.

This matter was forgotten until I received an email from someone interested in buying TwitterNotes.

TwitterNotes was Sérgio’s idea, which he implemented in Rails; I helped with the design and marketing. It was a fun project that was mentioned on some big blogs like LifeHacker, and we got over 3000 accounts. It’s not such a large number, but 3000 people trusted us with their password[1].

Although we decided I am entitled to some part (to cover hosting expenses), as is our sponsor, it was Sérgio’s call, and he set a price without the database.

Well, what if I had been the one to make the decision?

I’m not sure I would have made that decision so easily. And this is not about money at all. Right now we have no idea who our buyer is, nor do we know their intentions. This could be about the domain and traffic, about the app itself, or just about the database for shady marketing purposes. Let’s suppose they just want to keep the service running and monetize it with ads, since that is legitimate.

By selling the system without the database, all accounts, along with the data stored in them (TwitterNotes lets users store and manage notes from our website), would be deleted. Although some of it could be recovered, not all of it could. Since we were tied to this anti-pattern, we never had a registration step; if one were needed, every user would have to re-register.

And in general terms, applications already populated with data are worth much more than those yet to launch. I’m not counting the passwords here. The transition would make the website lose some users, and that would show up in the buyer’s ad revenue.

I believe selling a service without the database may be harmful to users, buyer and seller alike. As a user, my wish is that any service that is sold stays the same for me (or eventually gets improved, like Flickr, Feedburner, etc.). That was the case here, since TN development stopped a few weeks after launch.

And what if Microsoft bought Yahoo? (Or any of the examples above.) Would the buyer get the service without the database? Would you have to register at Flickr again and lose all your photos there? It makes no sense!

But we store their passwords to third-party services, you’d say. Well, it’s not our fault! Twitter doesn’t provide any other way to access its API! We even encrypted the passwords, but since the app needs them in the clear to talk to Twitter, the key and the decryption routine ship with the code, so anyone holding both the code and the database holds the passwords. And if you think twice, when Yahoo bought Flickr, it also bought all of your private photos. You trusted Flickr, but they sold your photos to Yahoo. Isn’t it the same thing? Selling private data?
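As an added illustration (this is not TwitterNotes code; the cipher, the key, the table layout and the user records are all constructed here), this is what "encrypted, but the app can decrypt" amounts to once the code and the database travel together:

```python
import hashlib
import secrets

# Hypothetical: a fixed key kept in the application source, which is where an app
# that must send Twitter the real password on every request ends up keeping it.
APP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, XORed over the plaintext.

    Stands in for whatever cipher the real app used; the point of the example
    is where the key lives, not the strength of the cipher.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_password(key: bytes, password: str) -> bytes:
    """Fresh random nonce per record; the stored column is nonce || ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = password.encode("utf-8")
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt_password(key: bytes, record: bytes) -> str:
    """The routine the app calls before every Twitter API request."""
    nonce, ciphertext = record[:NONCE_LEN], record[NONCE_LEN:]
    stream = _keystream(key, nonce, len(ciphertext))
    # A wrong key yields noise rather than an exception, so the caller can compare.
    return bytes(c ^ s for c, s in zip(ciphertext, stream)).decode("utf-8", errors="replace")


# Constructed sample of what the users table would hold (encrypted column only).
SAMPLE_USERS = {"alice": "hunter2", "bob": "correct horse battery"}


def build_user_table(key: bytes = APP_KEY) -> dict:
    """Encrypt the constructed sample the way the running app would at signup."""
    return {user: encrypt_password(key, pw) for user, pw in SAMPLE_USERS.items()}


def recover_all(table: dict, key: bytes) -> dict:
    """What a buyer who receives the database gets, given whatever key they hold.

    With the code (hence APP_KEY) this is every password in the clear; with a
    database dump alone it is noise.
    """
    return {user: decrypt_password(key, record) for user, record in table.items()}


if __name__ == "__main__":
    table = build_user_table()
    print(recover_all(table, APP_KEY))                   # every password in the clear
    print(recover_all(table, secrets.token_bytes(32)))   # database without the code: noise
```

The weakness is not the cipher. An app that must present the user's real password to Twitter has to be able to decrypt, so the key sits in the code or its configuration, and a buyer who gets the code and the database together gets the passwords. That is exactly what a per-application OAuth token would avoid: the app would hold a credential that only works for that app and that Twitter, or the user, can revoke on its own.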

Final thoughts

I’m not saying Sérgio made the wrong move. It was in fact the safest choice for our users, since we have no idea who the buyer is or how the passwords would be used. I’m just not sure it’s always the best solution.

Extra: If by any chance you are also interested in buying TwitterNotes, just mail me.

[1] I bet 99% of them didn’t even think of that.