Post Toasties

Rojo now live

I’ve been looking forward to seeing Rojo since I started reading Steve Gillmor blogging about it. I’m trying to catch the attention-train (kind of like the cluetrain), but I guess I haven’t been running fast enough to get on board yet. I was hoping that Rojo would help me understand how this is all going to work a little better.
So Now that it’s “live” I hop on over to see what the deal is, only to be confounded by multiple errors. “An error has occurred” but at least they’re sorry for the inconvenience. No big deal. I try to register with 2 different logins, in case the error is that my username’s taken and they haven’t coded a specific error page yet. No joy. I try to recover a password with those usernames but an error occurs. I try to log in: nothing. I go back and try to recover a password with my email address, but that email address isn’t in the database. I try once more to register with one of those names and now those names are taken. Hmmm.
It’s only then that I notice the url that’s being sent to Rojo when I try to register:

http://www.rojo.com/register/?username=cori&email=kinrowan%40gmail.com &password1=*********&password2=*********&agreed=on

except that those asterisks are replaced with my actual password!
I’m OK with errors during the rollout of a new product. I know (or at least I think) that Rojo isn’t going to keep any important financial data about me. But one of the things about Attention is that I share what I want to share of my Attention meta-data and nothing else, right? How exactly can I be sure of that when my password is being broadcast over the internet in an HTTP GET in clear text? A quote from Rojo’s Privacy Policy

While Rojo does implement commercially reasonable measures to protect information, Rojo cannot guarantee that data transmission over the Internet or information storage technology will be 100% secure. [emphasis mine]

You can say that again.

Is this unreasonable? Am I being snarky here?