The End of Expert Labs, The Start of Something New

Gina and Anil both announced this already, but I was so busy wrapping up loose ends, I didn’t get around to my announcement.

Short version: Expert Labs — the non-profit I’ve worked on for the last 18 months — is over. Gina and Anil are rebooting ThinkUp into a commercial entity, but I’ve decided to move on. I’ll continue to act as a ThinkUp advisor, and have already started work on two brand new, soon-to-be-announced projects.

A Quick Review

I worked on a whole bunch of stuff while at Expert Labs, but it took on two themes: bringing ThinkUp to a new audience, and analysis of the data we collected. Since most of this work wasn’t high-visibility outside of the existing ThinkUp community, here’s a quick roundup.

Outreach. It’s the first time in my career I’ve ever worked with self-hosted software, and I spent quite a bit of energy trying to help people understand why they’d want to use ThinkUp and make it as easy as possible to get it installed. It’s hard enough to get people to sign up with a new web service, but one that requires you to install it on your own web server? Damn hard.

Part of this was marketing: I produced two promo videos, showing off the capabilities of the app at different stages. The first video was overly long, too detailed, and a bit cheesy. With the second, I cut out all the crap and asked Clay to narrate a tight, 74-second elevator pitch for why ThinkUp is an essential utility. If you’ve never seen it, take a minute to watch.

Unfortunately, offering a hosted version ourselves was never an option. As a nonprofit, it would have been irresponsible for us to archive people’s social media activity and then disappear when funding dried up. Instead, we tried to make installation as simple as possible.

My first attempt was just getting it up and running on EC2, and making that process as easy as possible with a step-by-step tutorial. Later, I replaced that with the ThinkUp Launcher, a one-click installer that booted a custom EC2 instance with ThinkUp preinstalled. I released the code on Github, so any open-source project could easily make their own launcher.

Finally, in December, a commercial service appeared that offered drop-dead simple ThinkUp hosting. We worked with PHP Fog, a Portland-based cloud hosting company, to support a one-click ThinkUp jumpstart. Here’s the screencast I made, showing off how to get up-and-running in seconds.

To help expand the reach of the app, I worked with Mule Design to figure out what ThinkUp does well, what it could do better, and incorporate those learnings to redesign the next version of ThinkUp. Elements of the redesign have already made their way into ThinkUp 1.0, and will guide later versions of the app.

Analysis. Whether it was making charts, building mashups, or crunching data, I spent quite a bit of effort trying to make sense out of the incredible amount of data being collected by ThinkUp.

I showed off the ThinkUp API with ThinkBack, an open-source mashup that extracted entities from your historical Twitter history to make a time machine of the people, places, and things in your past.

I analyzed Twitter reactions to 2011 and 2012 State of the Union speeches, as well as the White House’s Twitter Town Hall, releasing datasets for each. I even made my first, and only, linkbait infographic summing up the White House’s Year in Review on Twitter.

One of the biggest projects I created was the Federal Social Media Index, which used ThinkUp to gather activity from 125 federal agencies on Twitter and tried to measure the engagement their questions received using some simple metrics. The response was great, showing how much interest there is for additional tools in that world.

Over the last few weeks, I’ve adapted it to use the ThinkUp API and will be open-sourcing the results soon, so you can use it on your own projects.

Overall, working with Expert Labs was fascinating for me. I’d never worked with government before, and was able to work with motivated and passionate teams from the White House down to local city government. It was an eye-opening experience, and I learned a ton about cultivating an open-source community, the challenges facing state and federal government agencies, and distributing hosted software. Best of all, I was able to do it all while working with three friends I deeply respect: Gina Trapani, Anil Dash, and Clay Johnson.

The Future

Expert Labs may be ending, but ThinkUp is just getting started. It’ll continue to be free and open-source, and Gina and Anil are spinning ThinkUp off into a commercial entity, using the open-source base to create a new media property. You can read more about their plans on their Knight News Challenge application on Tumblr, which you should totally like and reblog. (The number of votes factors into the Knight Challenge judging!)

And me? I’ll be doing new stuff, like always. I’m still writing my weekly Wired column, working on Playfic, and thinking about big future projects.

I’ve started working on two unannounced projects simultaneously that I’m crazy excited about. Both have to do with this problem: how do you use technology to connect people together in new ways, and help people make a living doing what they love? It’s a running theme through everything I’ve ever worked on, and I’ll be writing much more about them soon.

For the first time in a very long time, I’m also open to hearing about new opportunities. If you’re working on anything along these lines and want help, get in touch!

Flashback Trojan Creators Scared of Xcode, But Not Norton Antivirus

On Wednesday, a Russian antivirus firm announced that over 600,000 Macs were infected with the Flashback trojan, exploiting a Java vulnerability to create the first significant malware infection in OS X history.

If you’re running a botnet, the goal is to avoid detection for as long as possible. Flashback took an interesting approach to hiding itself — if one of several popular antivirus or monitoring tools is detected, it immediately deletes itself. Merely installing a utility like Avast, Clam Antivirus, Little Snitch or HTTP Scoop was enough to protect you, even if you didn’t keep them running.

Funny enough, major commercial antivirus utilities like Norton Antivirus, McAfee VirusScan, and F-Secure weren’t included in the blacklist. It seems the Flashback authors aren’t afraid of the effectiveness of those utilities or, maybe, the technical expertise of their customers.

From the threat description:

On execution, the malware checks if the following path exists in the system:

/Library/Little Snitch

/Developer/Applications/Xcode.app/Contents/MacOS/Xcode

/Applications/VirusBarrier X6.app

/Applications/iAntiVirus/iAntiVirus.app

/Applications/avast!.app

/Applications/ClamXav.app

/Applications/HTTPScoop.app

/Applications/Packet Peeper.app

If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.

Note the presence of Xcode, Apple’s IDE for Mac and iOS development. To a virus author, the presence of development tools like Xcode is a perfect indicator of a tech-savvy user… the kind of person most likely to detect your work.

If you want to stay safe, or see if you were infected, Macworld has the best roundup.

Crate-Digging Through YouTube

I love when I’m crate-digging through the weird part of YouTube and stumble on something truly amazing, seen only by a handful of other people. Just now, I was looking for the redneck bar scene from 48 Hrs. and found this:

It’s the opening titles for 48 Hours of Hallucinatory Sex (originally “48 Horas de Sexo Alucinante“), a 1987 trash/sexploitation film from Brazil. (Don’t worry, the clip’s safe for work.)

Everything about this video is amazing, from the face-melting porno synth to the Amstrad-like scrolling fonts. (You can see the blinking cursor!) With the VHS warble, it sounds like an unreleased track straight off of DJ Shadow’s Endtroducing… I couldn’t find any information about the soundtrack online, but would love to hear more.

The sequel to a 1985 movie called 24 Hours of Explicit Sex, the plot of 48 Hours is totally meta: a sex psychologist sees the original film and hires the original cast and crew to make her own. It’s like the ’80s porno version of The Human Centipede 2: Full Sequence, where a psychopath is inspired to recreate the events of The Human Centipede using the real-life actors from the film.

The last time I stumbled on anything this funky, it was this scene from low-budget indie comedy Apple Pie from 1976, that ends with this insane 15-minute-long choreographed dance sequence set on the streets of 1970s NYC. And the music? An improvised funk jam by Hall & Oates.

This happens to me every time I go to NYC.

Waiting for Molydeux: What the Web Could Learn from Indie Games

Over April Fool’s Day weekend, hundreds of independent game developers came together for What Would Molydeux?, a 48-hour gamejam celebrating the tweets of Peter Molydeux – the anonymous doppelgänger of Peter Molyneux, the legendary British game designer known for his grandiose visions for games as art.

For the last three years, @PeterMolydeux’s written hundreds of surreal game ideas on Twitter, satirizing the game industry and the high-minded aspirations of his real-world namesake. For example:

  • Your loved one has turned into a snowman. Yet your body needs to be as hot as an oven on high heat to survive. What would you do?
  • What if everyone in the world had an explosive telephone in their body? If you could find out their number you can detonate their phone?
  • You are a small girl flying a talking kite. The kite seems to know about an upcoming major terrorist attack and floats towards clues.

Double Fine lead programmer Anna Kipnis was first to suggest a gamejam, in which each developer would build a game inspired by one of Molydeux’s tweets — in two days, start to finish. The idea spread quickly and, within days, local events were planned in more than 30 cities worldwide.

The end result: nearly 300 insane games of wildly varying quality from 900 participants, with more trickling in daily.

I’ve spent the last three days obsessively playing through dozens of these. So far, I’ve been an innocent man with psychopathic arms, a pigeon trying to save suicidal businessmen, a road manipulating emotional cars, and a bear that needs hugs to survive.

I’ve played games with unreliable narrators, games that hide the rules from you, games with emotional title screens, and games that use the pause button as a weapon.

Not every game works — they were made in 48 hours, after all — but it’s surprising how many do.

So much of what I love about the indie gaming scene is embodied in the MolyJam event. It’s daring, creative, silly, and not afraid to fail. More and more, I find myself drawn to this world, even though I’ve never made a game, and I think it all comes back to what I love about the web.

Rise of the Indie

Indie games are in the middle of a renaissance right now, a Cambrian explosion of creativity enabled by the internet. Digital distribution platforms including Steam and the App Store have lowered the barrier to entry for indies, while crowdfunding sites like Kickstarter have reduced the importance of traditional publishers for funding projects.

Combined with a litany of complaints about the mainstream gaming industry, from exploitative working hours to the lack of creative and financial control, talented game developers are increasingly choosing to strike out on their own.

It’s resulted in a cultural movement, with commercial blockbusters like Minecraft, Braid and Super Meat Boy coming from small teams of one or two people, with even smaller budgets.

In some ways, this is a return to form for the gaming industry. Many games from the 8-bit era were created by a single developer who handled all the code, art and sound.

As graphics and audio capabilities grew, so did the budgets and team size. Larger budgets meant more risk, which directly hampered experimentation. Like the film industry, the gaming industry’s seen its own shift towards sequels and licensed brands instead of innovative, original works. (All ten of last year’s best-selling games were sequels.)

The indie gaming movement is a direct challenge to the old way of doing things.

Finding the Niche

It seems like the web’s going through a similar cycle of growth, stagnation, and disintermediation.

Fortunately, web developers have never faced the same publishing and distribution middlemen that games, television, and film were forced to deal with. The only major gatekeepers now are the entrenched social networks.

For new entrepreneurs, the landscape couldn’t be better. Lean startups composed of very small teams are bootstrapping or joining incubators like Y Combinator in lieu of traditional funding, allowing them more creative control while retaining greater ownership of their work.

But the ultimate goal of a startup is making money, not art. For me, the most exciting part of the indie gaming movement is that commerce still feels secondary to making something innovative, fun, and creatively interesting.

In the last few years, it seems like the web’s losing some of its original experimental glow as it’s matured. There’s no shortage of people making awesome stuff online, but I can’t shake the feeling that much of the interesting creative coding is now happening elsewhere — mobile, gaming, physical computing.

Part of this could be market forces; there could be less experimentation when lots of money is getting thrown around. Or maybe the web is just losing its appeal in a universe increasingly ruled by native apps.

Maybe, like the desktop metaphor, the web has served its purpose and it’s slowly being replaced by platforms that solve these problems more effectively. Bookmarks, location bars, URLs, extensions, and even the browser itself will be abstracted away, hidden from view for a better user experience, as most people flock to walled gardens on simplified tablets and mobile devices.

All of that may be true. But it feels like it’s set the stage for a new indie movement, focused on using the web as an expressive creative medium over a commercial one. The tools at our fingertips are incredible: WebGL, WebSockets, Node.js, browser geolocation, standardized audio and video, among many others. And it’s easier than ever to get your work in front of an audience who cares: the people who still love the quirky indie web and everything it stands for.

It won’t be for everyone, and that’s totally okay. Indie games often won’t appeal to the Call of Duty crowd, just like most Taylor Swift fans won’t listen to Hüsker Dü. Good things happen when you stop worrying about what’s marketable, and just make something you believe in.

We already have the tools, the distribution, and the audience. We even have our own gamejams; the tech world pioneered hack days for this kind of experimentation years ago.

Now we just need our own Peter Molydeux — someone with audacious, ridiculous ideas to inspire new vectors of awesomeness from the rest of us.

(Note: This was originally published as a column on Wired.)

A Patent Lie: How Yahoo Weaponized My Work

I originally wrote this column over at Wired back on March 13 about my experience with patents at Yahoo, but forgot to republish it here on Waxy.org in my permanent archive.

This article received a bigger response, hands-down, than anything I’ve written for Wired so far, resting at the top of Techmeme for a full day, with widespread coverage from The Telegraph, The Verge, Fox News, and Business Insider. (That’s a good signal you’ve written something notable: when competing tech magazines start linking to your work.)

Almost two weeks later, I’m still angry but happy that the column ignited such a powerful discussion about the patent issue. I’m especially pleased that “weaponizing patents” is entering the lexicon; articles like these use the phrase without mentioning me at all. Awesome.

For two other perspectives on this issue, I enjoyed Mark Cuban’s linkbait take and Fred Wilson’s short, furious rant.

Anyway, if you hadn’t seen it, I hope you enjoy it.

While most of the tech world was partying at South by Southwest in Austin yesterday, Yahoo announced it was filing a lawsuit against Facebook for allegedly infringing on 10 patents from their 1,000+ patent warehouse.

I’m no fan of Facebook, but this is a deplorable move. It’s nothing less than extortion, expertly timed during the SEC-mandated quiet period before Facebook’s IPO. It’s an attack on invention and the hacker ethic.

In the interest of full disclosure, I have a small supporting role in this story. None of the patents I co-invented are cited in the Yahoo complaint, but a handful of applications I worked on with Yahoo were granted patents, weaponized now to use against people like me.

Here’s how the process worked, in my case:

In 2005, Yahoo acquired Upcoming.org, the collaborative events calendar I’d launched two years before.

Back then, the Web 1.0 behemoth seemed on the verge of turning things around. A series of smart moves — high-profile hires, the Oddpost and Flickr acquisitions, the launch of the Yahoo! Developer Network, and their Research Lab — was breathing new life into things. Two months after we were acquired, Del.icio.us and Webjay joined us in the Yahoo fold.

After we moved in, we were asked to file patents for anything and everything we’d invented while working on Upcoming.org. Every Yahoo employee was encouraged to participate in their “Patent Incentive Program,” with sizable bonuses issued to everyone who took the time to apply.

Now, I’ve always hated the idea of software patents. But Yahoo assured us that their patent portfolio was a precautionary measure, to defend against patent trolls and others who might try to attack Yahoo with their own holdings. It was a cold war, stockpiling patents instead of nuclear arms, and every company in the valley had a bunker full of them.

Against my better judgement, I sat in a conference room with my co-founders and a couple of patent attorneys and told them what we’d created. They took notes and created nonsensical documents that I still can’t make sense of. In all, I helped Yahoo file eight patent applications.

Years after I left, I discovered to my dismay that four of them were granted by the U.S. Patent and Trademark Office.

I thought I was giving them a shield, but turns out I gave them a missile with my name permanently engraved on it.

I was naive. Even if the original intention was truly defensive, a patent portfolio can easily change hands, and a company can even more easily change its mind. Since I left in 2007, Yahoo has had three CEOs and a board overhaul.

The scary part is that even the most innocuous patent can be used to crush another’s creativity. One of the patents I co-invented is so abstract, it could not only cover Facebook’s News Feed, but virtually any activity feed. It puts into very sharp focus the trouble with software patents: Purposefully vague wording invites broad interpretation.

In their complaint, Yahoo alleges that Facebook’s News Feed violates “Dynamic page generator,” a patent filed in 1997 by their former CTO related to the launch of My Yahoo, one of the first personalized websites. Every web application, from Twitter to Pinterest, could be said to violate this patent. This is chaos.

Software patents should be abolished, plain and simple. Software is already covered by copyright, making patent protection unnecessary.

Ask any programmer — developing software is as creative and unique as writing poetry.

Yahoo’s lawsuit against Facebook is an insult to the talented engineers who filed patents with the understanding they wouldn’t be used for evil. Betraying that trust won’t be forgotten, but I doubt it matters anymore. Nobody I know wants to work for a company like that.

I’m embarrassed by the patents I filed, but I’ve learned from my mistake. I’ll never file a software patent again, and I urge you to do the same.

For years, Yahoo was mostly harmless. Management foibles and executive shuffles only hurt shareholders and employee morale. But in the last few years, the company’s incompetence has begun to hurt the rest of us. First, with the wholesale destruction of internet history, and now by attacking younger, smarter companies.

Yahoo tried and failed, over and over again, to build a social network that people would love and use. Unable to innovate, Yahoo is falling back to the last resort of a desperate, dying company: litigation as a business model.

That it’s Yahoo makes it even sadder. The complaint isn’t really wrong when it asserts that: “For much of the technology upon which Facebook is based, Yahoo! got there first.”

But there’s a big difference between being first with something generic that someone would have invented anyway (like the wheel) and being first with something few could have imagined (like the Segway).

Ask any start-up CEO — execution is everything.

As the fictionalized Mark Zuckerberg says in The Social Network, “If you guys were the inventors of Facebook, you’d have invented Facebook.”

YouTube's Content ID Disputes Are Judged by the Accuser

Last Friday, a YouTube user named eeplox posted a question to the support forums, regarding a copyright complaint on one of his videos. YouTube’s automated Content ID system flagged a video of him foraging a salad in a field, claiming the background music matched a composition licensed by Rumblefish, a music licensing firm in Portland, Oregon.

The only problem? There is no music in the video; only bird calls and other sounds of nature.

Naturally, he filed a dispute, explaining that the audio couldn’t possibly be copyrighted.

The next day, amazingly, his claim was rejected. Not by YouTube itself — it’s unlikely that a Google employee ever saw the claim — but by a representative at Rumblefish, who reviewed the dispute and reported back to YouTube that their impossible copyright for nonexistent music was indeed violated.

Back at YouTube, eeplox found himself at a dead end. YouTube now stated, “All content owners have reviewed your video and confirmed their claims to some or all of its content.” No further disputes were possible; the case was closed.

Whether caused by a mistake or malice, Rumblefish was granted full control over eeplox’s video. They could choose to run ads on the video, mute the audio, or remove it entirely from the web.

A History of Screw-Ups

On Sunday night, Reddit took notice. Within hours, the thread was on the homepage, commenters were freaking out and, to his credit, Rumblefish CEO Paul Anthony was fielding questions in an IAmA interview until 2:30am.

His argument: One of Rumblefish’s Content ID reps made a mistake by denying the dispute, and they released the claim on Sunday night. “We review a substantial amount of claims every day and the number is increasing significantly,” said Anthony. “We have millions of videos now using our songs as soundtracks and keeping up is getting harder and harder.”

This is the latest in a long series of foibles or outright abuses of YouTube’s Content ID system. Content ID was intended to help copyright holders manage the chaos of YouTube. They’d provide copies of their audio and video for analysis, which would then algorithmically match newly-uploaded videos. If a match was found, rightsholders could automatically block the video or, increasingly, claim money from video advertising.

Content ID’s monetization was a huge boon for copyright holders. Uploaders could keep their videos online, while copyright holders profited from the creative reuse of their work.

But the last couple of years have seen a dramatic rise in Content ID abuse, using it for purposes for which it was never intended. Scammers are using Content ID to steal ad revenue from YouTube video creators en masse, with some companies claiming content they don’t own, deliberately or not. The system’s inability to understand context and parody regularly leads to “fair use” videos getting blocked, muted or monetized.

Bypassing the DMCA

The problem is that media companies and scammers are using Content ID as an end run around the DMCA.

With the DMCA, the process works like this. A rightsholder could file a claim against a video with YouTube, and YouTube would immediately take the video offline. If there was a mistake, the uploader could file a counter-notice. The video would then be restored by YouTube within 10-14 business days of the counter-notice, unless it went to court.

It wasn’t perfect, by any means, but it was fair. Disputes could always be appealed, and both parties were given equal power. And if a claimant lied about owning the copyright to the material in question, they could face perjury charges.

The current system, led by Content ID, tips the balance far in favor of the claimant.

Rumblefish never needed to prove they were the copyright holder, but were still given ultimate control over the video’s fate. Uploaders can dispute claims, but the only people reviewing claims are the Content ID partners that filed the claim in the first place, who are free to deny them wholesale.

A Simple Fix

The solution is simple: if a copyright holder wants to pursue a disputed Content ID match, they should file a DMCA claim. That’s the only way to guarantee their rights, and make the copyright holder legally responsible for telling the truth.

In fact, this is exactly how YouTube says that Content ID “fair use” claims should work. In practice, this doesn’t appear to be true any longer. Content ID partners, of course, can file a DMCA notice at any time, but why bother if they can reject the counter-claims themselves?

(Preferred partners like Universal Music Group can go a step further and block videos directly without filing a claim.)

This problem has been on YouTube’s radar for at least two years, but it’s only getting worse as unsavory companies discover this nascent business model. Claim copyright on media you may or may not own, and let Content ID do the rest.

By letting Content ID partners have the final word, and not trusting their own users, YouTube is violating its trust with its community and damaging fair use in the process.

Update

I originally published this article over at Wired, where a commenter pointed out that this process may actually violate YouTube’s “safe harbor” granted through the DMCA. If they choose to ignore disputes, they’re effectively giving content providers an end run around fair use and the DMCA.

Selfish Crab wrote:

It seems like by providing the Content ID system, Youtube was trying to pre-emptively identify copyrighted material, like a first-pass dispute system. Their lawyers probably concluded that so long as the content ID system falls back onto DMCA takedown procedure, they are still in compliance with the DMCA sufficiently to retain their safe harbor.

So if Content ID claim disputes do not fall back onto DMCA takedown, as Andy’s article suggests, there’s a case to be made that YouTube no longer has liability protection from users. It is a whole other can of worms to analyze what a legal claim against youtube would look like. You’d have to look at the YouTube Terms of Service (i.e., the contract) to see if maybe they contracted around this problem already, you’d have to figure out damages, etc etc. Or I guess you can just raise a shitstorm and that’s enough of a moral victory.

In a Google+ comment last December, senior copyright counsel for Google and former EFF staff attorney Fred von Lohmann acknowledged the problem.

Yes, we’re aware of that problem in the Content ID dispute process and are looking at what we can do to fix it. It’s the result of a complicated collision of how to handle geographically limited Content ID claims, disputes, and global DMCA removals. Turns out to be a hard problem to figure out. But we’re thinking on it.

Virginia law student Patrick McKay got in touch with Annie Baxter, a public relations manager at YouTube, about this issue.

This is one of those corner-case outcomes that emerges from several different rules, none of which was intended to yield the result you’ve encountered (i.e., DMCA takedowns are global, but Content ID ownership claims are territorial). Unfortunately, addressing it YouTube-wide is going to take some time, both for pondering and implementing.

So while we can promise you that we’re thinking about this, we can’t promise you a fix or time-table. And feel free to tell the OVC we’re looking at it and trying to come up with something.

In the meantime, anyone in the Content ID program is offered free rein to claim copyright on your videos and profit directly from them. I’m hoping this gets cleared up soon.

Introducing Playfic

So, I made a weird new thing with my 15-year-old nephew, Cooper McHatton. It’s experimental and has lots of rough edges, but quite frankly, I’m tired of working on it, so here you go.

Playfic is a community for writing, sharing, and playing interactive fiction games (aka “text adventures”) entirely from your browser, using a “natural language”-inspired language called Inform 7.

Inform 7 is incredibly awesome and weird. For example, this is a fully functional game:

East of the Garden is the Gazebo. Above is the Treehouse. A billiards table is in the Gazebo. On it is a trophy cup. A starting pistol is in the cup. In the Treehouse is a container called a cardboard box.

Type that into Playfic, and you end up with this simple game, ready to send to the world.

The official documentation is extensive, with a great manual and recipe book. I’ve collected a list of resources to help you get started.

For now, there’s very little documentation on Playfic itself, but you can click the “View game source” link on every game to see how it was made, and Cooper’s adding sample games from the official Recipe Book.

My hope is that Playfic opens up the world of interactive fiction to a much wider audience — young writers, fanfic authors, and culture remixers of all ages.

While the language can be tricky, building simple games is surprisingly easy. Cooper had never coded anything or made a game before trying Playfic, and within 30 minutes of futzing around, he’d made his first game.

Some stuff is broken and missing, but I’d love to hear what you make of it. Open to any and all feedback. Go make some games!

The Perpetual, Invisible Window Into Your Gmail Inbox

The other day, I tried out Unroll.me, a clever new service that reads your inbox to let you unsubscribe from mailing lists and other unwanted e-mail flotsam with a single click.

As I was about to connect my Gmail account, my finger hovered over the “Grant access” button.

Wait a second. Who am I giving access to my Gmail account, anyway? There was no identifying information on their site — no company address, no team page listing who works there, and broken links to their privacy policy and terms of service.

For all I knew, it could be run by unscrupulous spammers or an Anonymous troll looking for lulz. And I was about to give them unfettered access to eight years of my e-mail history and, with password resets, the ability to access any of my online accounts?

I had to dig around online to find out who’s behind it, and fortunately, Unroll.me is a totally legit NYC-based startup providing a useful service. I spoke to Perri Blake Gorman, Unroll.me’s cofounder and CMO, who assured me they’ll add all the company information as they roll out their public beta.

But since Gmail added OAuth support in March 2010, an increasing number of startups are asking for a perpetual, silent window into your inbox.

I’m concerned OAuth, while hugely convenient for both developers and users, may be paving the way for an inevitable privacy meltdown.

The Road to OAuth

For most of the last decade, alpha geeks railed against “the password anti-pattern,” the common practice of web apps prompting you for your password to a third-party service, usually to scrape your e-mail address book to find friends on a social network. It was insecure and dangerous, effectively training users how to be phished.

The solution was OAuth, an open standard that lets you grant permission for one service to connect to another without ever exposing your username or password. Instead of passwords getting passed around, services are issued a token they can use to connect on your behalf.

If you’ve ever granted permission for a service to use your Twitter, Facebook, or Google account, you’ve used OAuth.

This was a radical improvement. It’s easier for users, taking a couple of clicks to authorize accounts, and passwords are never sent insecurely or stored by services who shouldn’t have them. And developers never have to worry about storing or transmitting private passwords.

But this convenience creates a new risk. It’s training people not to care.

It’s so simple and pervasive that even savvy users have no issue letting dozens of new services access their various accounts.

I’m as guilty as anyone, with 49 apps connected to my Google account, 80 to Twitter, and over 120 connected to Facebook. Others are more extreme. My friend Sam is a developer at Kickstarter, and he authorized 148 apps to use his Twitter account. Anil counted 88 apps using his Google account, with nine granted access to Gmail.

For Twitter, the consequences are unlikely to be serious since almost all activity is public. For Facebook, a mass leak of private Facebook photos could certainly be embarrassing.

But for Gmail, I’m very concerned that it opens a major security flaw that’s begging to be exploited.

The Privacy Danger

A long list of services, large and small, request indefinite access to your Gmail account.

I asked on Twitter and Google+ for people to check their Google app permissions to see who they’ve granted Gmail access to. The list includes a range of inbox organizers, backup services, email utilities, and productivity apps: TripIt, Greplin, Rapportive, Xobni, Gist, OtherInbox, Unsubscribe, Backupify, Blippy, Threadsy, Nuevasync, How’s My Email, ToutApp, ifttt, Email Game, Boomerang, Kwaga, Mozilla F1, 0boxer, Taskforce, and Cloudmagic.

Once granted, all of these services are issued a token that gives unlimited access to your complete Gmail history. And that’s where the danger lies.

You may trust Google to keep your email safe, but do you trust a three-month-old Y Combinator-funded startup created by three college kids? Or a side project from an engineer working in his 20 percent time? How about a disgruntled or curious employee of one of these third-party services?

Any of these services becomes the weakest link to access the e-mail for thousands of users. If one’s hacked or the list of tokens leaked, everyone who ever used that service risks exposing his complete Gmail archive.

The scariest thing? If the third-party service doesn’t discover the hack or chooses not to invalidate its tokens, you may never know you’re exposed.

In the past, Gmail’s issued security warnings to accounts being accessed from multiple IP addresses. I spoke to OtherInbox founder Joshua Baer, and he said that Google’s eased up on the warnings because of the prevalence of third-party services.

It’s entirely possible for someone with a stolen token to read, search, and download all your mail to their server for months, and you’d never find out unless they exposed themselves, or you were diligently auditing your “Last account activity” history.

Stay Safe

Clearly, we’re not going to stop using awesome new utilities just because there’s a privacy risk. But there are best practices you can follow to stay safe.

  • Clean up your app permissions. The best thing you could do, right now, is to log into each service you care about and revoke access to the apps you no longer use or care about, especially those that have access to Gmail. Finding the permissions pages can be tricky, but the nice folks at MyPermissions.org made a handy dashboard linking to every one.
  • Think before you authorize. Before authorizing an account, find out who you’re granting access to. Look for a staff page and a contact address, and take a look at the privacy policy to make sure they’re not sharing your info with, or selling it to, third parties. Bonus points if they outline their security policies and offer a way to disconnect the service from within the app. If anything seems off, don’t do it.
  • When in doubt, change your password. Have a feeling that someone might be reading your mail, but not sure which app is to blame? Changing your password instantly invalidates all your Google and Facebook OAuth tokens, though Twitter tokens persist after password changes.
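One concrete way to “think before you authorize” is to read the authorization request itself before clicking “Grant access”: the URL the app sends you to encodes exactly which scopes it wants and whether it is asking for the kind of perpetual, offline token described in “The Road to OAuth.” The script below is an added example, not code from the post or from any of the services it names. It assumes Google’s documented OAuth 2.0 authorization endpoint and parameters (`scope`, `access_type=offline`, `redirect_uri`) and two real scope strings: `https://mail.google.com/` (full mailbox access) and `https://www.googleapis.com/auth/gmail.readonly` (read-only mailbox access). The sample request URLs are constructed for illustration, and the client ids and hosts in them are placeholders.

```python
from urllib.parse import parse_qs, urlparse

# Scope strings assumed from Google's published OAuth 2.0 scope list (not from the post).
# "https://mail.google.com/" is full read/write/delete access to the whole mailbox;
# the gmail.readonly scope is the narrowest scope that still lets an app read mail.
FULL_MAILBOX_SCOPES = {"https://mail.google.com/"}
READONLY_MAILBOX_SCOPES = {"https://www.googleapis.com/auth/gmail.readonly"}

# Constructed sample authorization URLs (placeholder client ids and redirect hosts).
SAMPLE_REQUESTS = {
    "inbox_cleaner": (
        "https://accounts.google.com/o/oauth2/auth?response_type=code"
        "&client_id=placeholder-cleaner.apps.googleusercontent.com"
        "&redirect_uri=https%3A%2F%2Fcleaner.example.com%2Fcallback"
        "&scope=https%3A%2F%2Fmail.google.com%2F&access_type=offline"
    ),
    "year_in_review": (
        "https://accounts.google.com/o/oauth2/auth?response_type=code"
        "&client_id=placeholder-review.apps.googleusercontent.com"
        "&redirect_uri=https%3A%2F%2Freview.example.com%2Fcallback"
        "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
    ),
    "login_only": (
        "https://accounts.google.com/o/oauth2/auth?response_type=code"
        "&client_id=placeholder-login.apps.googleusercontent.com"
        "&redirect_uri=https%3A%2F%2Flogin.example.com%2Fcallback"
        "&scope=openid%20email"
    ),
}


def inspect_oauth_request(url):
    """Break an authorization URL into what the app is actually asking for.

    Returns the parsed request plus plain-language warnings a user should
    read before granting access.
    """
    params = parse_qs(urlparse(url).query)

    def first(key):
        return params.get(key, [""])[0]

    # Google accepts several scopes as one space-separated parameter.
    scopes = set(first("scope").split())
    # access_type=offline asks for a refresh token: the app can keep minting
    # access tokens for as long as the grant stands, with no one at the keyboard.
    offline = first("access_type") == "offline"
    redirect = urlparse(first("redirect_uri"))

    warnings = []
    if scopes & FULL_MAILBOX_SCOPES:
        warnings.append("full mailbox access: the app can read, send and delete any message")
    elif scopes & READONLY_MAILBOX_SCOPES:
        warnings.append("read-only mailbox access: the app can read and search every message")
    if offline:
        warnings.append("offline access: the grant persists until you revoke it or change your password")
    if redirect.scheme != "https":
        warnings.append("redirect_uri is not https: the authorization code would travel in the clear")

    mailbox = bool(scopes & (FULL_MAILBOX_SCOPES | READONLY_MAILBOX_SCOPES))
    return {
        "client_id": first("client_id"),
        "redirect_host": redirect.hostname or "",
        "scopes": sorted(scopes),
        "mailbox_access": mailbox,
        "perpetual": offline,
        "risk": "high" if mailbox and offline else ("medium" if mailbox else "low"),
        "warnings": warnings,
    }


if __name__ == "__main__":
    for name, url in SAMPLE_REQUESTS.items():
        report = inspect_oauth_request(url)
        print(f"{name}: risk={report['risk']} scopes={report['scopes']}")
        for line in report["warnings"]:
            print("  -", line)
```

The risk grading is deliberately simple: mailbox scope plus offline access is the “perpetual, invisible window” the post is about, mailbox scope alone lapses when the short-lived access token expires, and a login-only request never touches mail at all. The same parsing works on the consent screen’s URL in your browser’s address bar, which is where a user would actually see it.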

Google could improve, as well. Their permissions page is too hard to find, even for experienced users, and it’s impossible to see which apps have accessed your account recently.

Facebook does an excellent job with this, but Google only shows you the IP address and the protocol it used to connect. Surfacing this information, as a periodic e-mail or on-site notification, would go a long way to averting a potential disaster.
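The audit the post wishes Google would do for you can be sketched from the two facts its activity view does expose, the IP address and the access type. The following is an added example, not code from the post or from Google: it builds a constructed activity log (timestamps, access types and IPs are all made up, using documentation IP ranges) in which a legitimate authorized app polls a couple of times a day, and then a third source appears in the final week pulling mail over IMAP thirty times a day, the footprint a stolen token used for a bulk download would leave. The audit flags token-based sources that are new relative to a baseline period or unusually busy; the thresholds are assumptions to tune, not Google’s.

```python
from collections import Counter
from datetime import datetime, timedelta

NOW = datetime(2012, 2, 16)  # constructed reference time for the sample log


def build_sample_activity(now=NOW, days=37):
    """Constructed stand-in for an account-activity log: (timestamp, access type, ip).

    Every day: one browser login from home (203.0.113.7) and two polls by a
    legitimate authorized app from its server (198.51.100.20). In the final
    seven days a new source (192.0.2.99) reads mail over IMAP thirty times a day.
    """
    rows = []
    start = now - timedelta(days=days)
    for d in range(days):
        day = start + timedelta(days=d)
        rows.append((day + timedelta(hours=8), "Browser", "203.0.113.7"))
        for hour in (9, 15):
            rows.append((day + timedelta(hours=hour), "Authorized Application", "198.51.100.20"))
        if d >= days - 7:
            for n in range(30):
                rows.append((day + timedelta(minutes=10 * n), "IMAP", "192.0.2.99"))
    return rows


def audit_app_access(rows, now=NOW, baseline_days=30, recent_days=7, daily_limit=24):
    """Flag non-browser (token or IMAP) sources that are new or unusually busy.

    A source is an (access type, ip) pair. "new source" means it shows up in
    the recent window but never in the baseline period before it; "busy source"
    means it averaged more than daily_limit sessions per day in the recent window.
    """
    recent_start = now - timedelta(days=recent_days)
    baseline_start = recent_start - timedelta(days=baseline_days)

    baseline, recent = Counter(), Counter()
    for ts, kind, ip in rows:
        if kind == "Browser":
            continue  # interactive logins are out of scope for this audit
        key = (kind, ip)
        if baseline_start <= ts < recent_start:
            baseline[key] += 1
        elif recent_start <= ts < now:
            recent[key] += 1

    findings = []
    for key, count in sorted(recent.items()):
        reasons = []
        if key not in baseline:
            reasons.append("new source")
        if count / recent_days > daily_limit:
            reasons.append("busy source")
        if reasons:
            findings.append({"access_type": key[0], "ip": key[1],
                             "sessions": count, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_app_access(build_sample_activity()):
        print(f"{finding['access_type']} from {finding['ip']}: "
              f"{finding['sessions']} sessions in the last week ({', '.join(finding['reasons'])})")
```

The legitimate app never trips either rule because it was present in the baseline and its volume is low; the new IMAP source trips both. A per-source daily summary like this, mailed out periodically, is roughly the notification the post asks for, and it is also what a user can reconstruct by hand from the “Last account activity” page today.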

The Greatest Troll of All

So, I originally published everything above over on my Wired column yesterday, but I left off something else I’ve been thinking about.

While I think a compromised database is the most likely scenario, there’s another possibility that disturbs me more.

Imagine that a brand new service pops up, offering a simple, fun service that uses your Gmail account. Maybe a neat visualization like Tout’s Year in Review, or maybe something more practical like sending all your attachments to Dropbox.

But it’s all just a giant troll, where the app’s creators are silently running targeted searches, downloading your mail, and looking for compromising photos and sensitive documents behind the scenes. They could collect the documents for months or years, and then release it all online in an anonymous blast. Lulz!

You’d likely never find out where the data came from, and the perpetrators would never be caught. Hell, if you’ve Gmail-authed a questionable app, this could be happening to you right now and you’d never know. Whee!