I love Twitter. An unabashed Twitter addict, friends and clients have figured out they can reach me faster there than by phone or email. I love Twitter so much, I have begun designing apps that utilize the api, which are not yet released. I preface this piece with this bit of info, because it pains me to have to bash the good people there in any way, but there is a big problem going on, that might hold lessons for other companies with web applications.
Some time back I wrote a post about how to launch a product. This one is about what to do when things go horribly wrong (and they will sometimes.) I’ve made up a new little term that I hope people will remember: CIA. When things go wrong, if you have even ONE user (and Twitter has hundreds-of-thousands active, millions registered), you are duty-bound to enact a policy of CIA to help the user base remain stable and calm.
CIA stands for “Communicate, Inform & Address” – I am borrowing it from the Central Intelligence Agency without permission because the sentiment is the same. But instead of keeping information private, in this case I am advocating sharing it with the people that matter most to your bottom line: your users.
This weekend, a totally stupid individual has decided to conduct phishing attacks on innocent Twitter users. The intent is to expose a Twitter vulnerability and publically humiliate people, from my vantage point. Other reasons could be to knock Twitter down, give it a bad name, or hurt its chances to earn revenue in early 2009, as they announced. The phishing attacks began last night and quickly escalated. Bloggers from news sites immediately began posting articles so that Twitter users could point others to them for information, which was helpful. But I wanted more information from Twitter about what they were doing, and what we could, as users, expect.
Here’s what they did last night:
A. They posted a “Warning” message in small text yesterday on the site, and linked to a short status update. Within a couple of hours they linked to this blog post which gave a bit more information. (It could have used an icon for attention & much larger text. This only appeared on the Twitter website itself, so those using clients did not see it.)
B. They sent 3 tweets from the @twitter account:
- ! be careful of DMs with a link to blogspot.com that seemingly redirects to Twitter.com and asks for your credentials (we’re on the case)
- Don’t Click That Link! http://tinyurl.com/9sste4
- Check out our blog post about “Phishing” http://tinyurl.com/88mas4
C. They did something to their app or the server, which seemed to make things better overnight at least.
Today, the phishing scam picked up steam again, with new and different messages and url’s. Some reported it on their blogs, but Twitter has done NOTHING visible to users. For the last several hours, I have been on Twitter communicating with concerned users and trying to track down information and piece together why this issue is still occuring.
A post went up today at a SANS security site that states: “It looks like the Twitter folks have it well under control” – I got this link from the list at yesterday’s blog post, which it points to, so they must have added it today. The problem is, yesterday’s news is no longer comforting when TODAY there is more stuff going on in your application. When this is extent of the security news coming out, how much can we trust that source for security information?
I am angry. Twitter has grown mighty fast, and they provide a great service for free, but the congratulations and revenue-generating plans are mighty premature when the site is notoriously buggy for basic functions, the free use of the api has created havoc, and users are largely ignored in times of crisis.
Why hasn’t anyone from Twitter responded to the Get Satisfaction question regarding this issue today? What is more important than this issue for the company? A football game? Frisbee in the California sunshine? Margarita’s on the patio? Shopping at the mall?
I could go on (and on), but Twitter’s problem and chaos surrounding it have sucked away too much of my life last night and today. Here is what I recommend for other web applications who face an issue of this type:
COMMUNICATE EARLY & OFTEN
When things are bad, your users NEED to hear from you, and if your brand does not contain the promise that you will be there for them, then you need to re-examine every single thing about your business. Don’t be a fairweather friend. The last communication from the @twitter account was 19 hours ago, and that is unacceptable. You better have your friendliest, most personable employee – I don’t care if it’s the receptionist or the CEO’s mother – out on the front lines, available and responsive, FOR THE DURATION OF THE CRISIS.
INFORM YOUR USERS – KEEP THEM IN THE LOOP
Having worked with numerous security companies, I know there are things you just don’t want to say. But you can keep your users informed with non-critical pieces of information that will provide the comfort they need to have some peace of mind. And their comfort levels affect your bottom line and brand reputation, so I don’t consider it optional.
ADDRESS USER’S CONCERNS
Even at the risk of repeating yourself and the tedium that goes with that, you have got to be willing to address user’s concerns if you operate a web application – free or not. This phishing incident is important to users… they are concerned about a number of things: the followers they have lost, the password they gave out, where the source of this problem is, what they can do about it next. If you don’t have all the answers, don’t be too damn proud and arrogant to admit it! In Twitter’s case, surely they could say who they are working with and what they are trying to do to STOP the messages from coming through on their system, as Matt Cutts did from his Twitter account regarding Google’s attempts to do what they can from their side.
Every single employee of Twitter, no matter what their role, EXCEPT those developers working round the clock to block the bad guys, should be visible and available today, on Twitter, making blog posts, sending an email out with info, and at the Get Satisfaction site responding to questions. This is what I would be rallying the troops to do if I worked for Twitter today, in any capacity.
I am horribly disappointed in them right now. I am EXTREMELY concerned about releasing a Twitter-related app that I have worked so hard to design because my company and my users may be on their own when it comes to big problems. I want the security of knowing Twitter is not too egotistical to learn from grave mistakes. Many users will give them a lot of license here, because they feel they get the service for free and they don’t deserve much else. I give them no room for error, because talking to users is relatively cheap and easy! I admire the product and community a great deal, so my standards are high for them now, because they have done a lot that is right. This weekend, my admiration is dropping by the hour, and it saddens me. I love the cottage industry that has sprung up around them… books, games, applications, niche information. I have great plans and ideas for my product, Twitterface. But I am worried about Twitter’s priorities and perception of themselves, if what I have been witnessing in the media and this weekend is the best they can do.
If you design, sell or develop web apps, is this how you want your users to feel?
Comments are welcome. I know everyone will not agree with me on this issue. I wish everyone a totally phish-free week. I just don’t know that we will get it.