Potential Privacy issues when using 3rd party Twitter Apps

Posted by Martin Jamieson | April 23, 2008.

Last week, in my post Do we need to worry about ‘Tweet Jacking’, I discussed one potential privacy issue with 3rd party Twitter apps. Today further information has surfaced about the unintended consequences of 3rd party apps that access the Twitter API.

TechCrunch has reported that Twitter user Orli Yakuel had all of her direct messages (private messages sent to individual Twitter users) exposed in her public timeline, where her 650 followers could read them. After initial attempts to delete the messages (by some accounts many of them were very personal), she eventually deleted her Twitter account. Similar reports from other users have also surfaced.

While Twitter has released no official word, it appears likely that a 3rd party app, GroupTweet, is the cause. To be fair, if it is GroupTweet, this is not a bug: that is how GroupTweet works. You create a group, and the app piggybacks on the Twitter API, using direct messages to relay updates to the entire group. The master group account is not meant to be a regular Twitter account; its sole purpose is to route messages around the group, and a misunderstanding of this is likely what caused the problem.

There are a few issues that need to be discussed here.

  1. Don’t give your password to a 3rd party Twitter app unless you are sure you know what it does, trust the application and have looked into other users’ feedback.
  2. Don’t use Twitter for very personal messages, even private messages via Direct Message. Twitter is not the medium for this.
  3. Why does the Twitter API give a developer the ability to re-post not only the direct messages currently being sent through the application, but also the entire history of Direct Messages? (I could be wrong about the history, but from this latest breach that seems to be what happened.)

There is no question that Twitter is a powerful networking tool, but you need to use a little caution, especially with applications that ask for your password. There are so many things that could (and, it seems, do) go wrong.

UPDATE: Some of the comments over at TechCrunch suggest that Twitter shouldn’t take any responsibility for this: that it is a good thing their API is 100% open, and that they can’t be held responsible for users who hand their passwords to 3rd party apps without reading the instructions carefully. I definitely think users should be careful who they give their passwords to, and should follow the instructions for any new app they plan to use, but I disagree that Twitter is not partly at fault here. Why not? Ultimately this is an issue that directly affects their credibility.

Direct Messages are inherently private timeline events and should never be able to enter the public timeline. Surely that needs to be locked in as a business rule somewhere?

It is one thing to expose the entire functionality through the API and another to ignore business rules that need to be in place. For those who think the API is already 100% open, don’t kid yourself: it doesn’t let you edit tweets that are already in the database, and it doesn’t let you post to someone else’s account (unless the proper username and password are supplied). Why would it? These are examples of rules the API has in place to keep sanity (and Twitter’s business interests) in check.

Even though it would probably spell the end for GroupTweet, why would it be such a bad idea for Twitter to allow only the sending of Direct Messages through the API, and not the reading of them? That wouldn’t stop Twitter from delivering DMs to your account (in the correct private timeline), and it could still forward the DM to you via email or to your phone (since that is still transmitted by Twitter itself and not by a 3rd party app). It could even expose a ‘You have a new DM’ notification through the API, so clients such as Twhirl would still give you a heads-up. That would protect against incidents like this one; would it seriously hurt usability?
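As an added example (not code from this post, from GroupTweet, or from Twitter), the following Python model puts the two ideas above side by side: a GroupTweet-style relay that treats whatever account it is pointed at as the group master and re-posts that account's incoming DMs to the public timeline, and a scoped API in which a 3rd party app may send DMs and be told that new ones exist, but may never read them. The `TwitterAPI`, `Account` and scope names, the relay's exact behaviour, and the sample message are all constructed for illustration; the 2008 password-based API had no per-app scoping, which is the gap the post is pointing at.

```python
"""Toy model of the DM leak and of a send-only DM scope for 3rd party apps.
Everything here is constructed for illustration; it is not Twitter's API,
GroupTweet's code, or any real library."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an app calls an API method outside its granted scopes."""


@dataclass
class Account:
    name: str
    public_timeline: list = field(default_factory=list)   # visible to everyone
    dm_inbox: list = field(default_factory=list)          # (sender, text), private


class TwitterAPI:
    """Hypothetical scoped API. Each registered app gets a set of scope
    strings; calls outside those scopes are refused."""

    def __init__(self, accounts, app_scopes):
        self.accounts = {a.name: a for a in accounts}
        self.app_scopes = app_scopes            # app name -> set of scopes

    def _check(self, app, scope):
        if scope not in self.app_scopes.get(app, set()):
            raise Forbidden(f"{app} lacks scope {scope}")

    def deliver_dm(self, sender, recipient, text):
        """Twitter's own delivery path (web, SMS, email); not exposed to apps."""
        self.accounts[recipient].dm_inbox.append((sender, text))

    def post_status(self, app, account, text):
        self._check(app, "post_status")
        self.accounts[account].public_timeline.append(text)

    def send_dm(self, app, sender, recipient, text):
        self._check(app, "send_dm")
        self.deliver_dm(sender, recipient, text)

    def read_dms(self, app, account):
        self._check(app, "read_dm")             # the scope the post would withhold
        return list(self.accounts[account].dm_inbox)

    def dm_count(self, app, account):
        """The 'you have a new DM' heads-up the post suggests: no scope needed,
        because it reveals only that messages exist, not their content."""
        return len(self.accounts[account].dm_inbox)


def relay_dms_to_timeline(api, app, master):
    """Hypothetical GroupTweet-style relay: every DM received by the master
    account is re-posted as a public status so the whole group sees it.
    Returns the number of messages re-posted (0 if the API refused)."""
    try:
        dms = api.read_dms(app, master)
    except Forbidden:
        return 0
    for sender, text in dms:
        api.post_status(app, master, f"{sender}: {text}")
    return len(dms)


def simulate(relay_scopes):
    """Orli has mistakenly registered her own account as the relay's master.
    Returns (DMs now in her public timeline, DMs in her inbox, count the
    app can see via dm_count)."""
    orli, alice = Account("orli"), Account("alice")
    api = TwitterAPI([orli, alice], {"relay": relay_scopes})
    # Constructed sample: Alice sends Orli a private message through Twitter itself.
    api.deliver_dm("alice", "orli", "keep this between us")
    relay_dms_to_timeline(api, "relay", "orli")
    return (len(orli.public_timeline), len(orli.dm_inbox), api.dm_count("relay", "orli"))


FULL_ACCESS = {"post_status", "send_dm", "read_dm"}   # what a password grants today
SEND_ONLY = {"post_status", "send_dm"}                # the post's proposal


if __name__ == "__main__":
    print(simulate(FULL_ACCESS))   # (1, 1, 1): the private DM is now public
    print(simulate(SEND_ONLY))     # (0, 1, 1): DM stays private, app still gets a heads-up
```

The relay is the same code in both runs; the only difference is whether the API hands it the inbox. That is the point of putting the rule in the API rather than in the app's instructions: a misconfigured or careless app can no longer move DM content into the public timeline, while the user still receives the DM and a client can still tell them one has arrived.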


6 Comments so far
  1. Dennis Bjørn Petersen April 23, 2008 10:15 pm

    Great points.

    I would never use twitter DM for sensitive messages.

    I usually DM to avoid spamming my followers with irrelevant nonsense ;)

  2. Edwin April 24, 2008 7:13 am

    What do you think of Twibble and do you have other suggestions for safe 3rd party twitter apps?

  3. Martin Jamieson April 24, 2008 9:02 am

    Hi Edwin,

    I must admit I haven’t really looked at Twibble before… it would take a fair bit to make me switch from Twhirl, however, just looking at the feature list of Twibble, it appears to have some nice little extras, the tabbed view for multiple accounts is certainly better than Twhirl’s multiple windows.

    If I used my mobile for twitter, I think I’d definitely give the mobile version a go - the GPS tracking feature looks awesome, imagine playing a round of golf and tweeting your shot locations in, you’d get a timeline map of your round on google maps to check out later - can see some pretty cool uses for that (if that’s how it works, could be reading it wrong, but I think that would be achievable).

  4. Ben Tucker April 24, 2008 9:38 am

    So by your logic, Google should disable receiving email over POP3 & IMAP? How is that really any different? POP3 & IMAP are standard APIs, a user could install a mail client that sent all their incoming mail to a group. Would you make the same argument in that case and place blame on Google for letting people access their mail from a 3rd party app?

  5. Martin Jamieson April 24, 2008 10:31 am

    Hi Ben,

    No, not at all - as you say, POP and IMAP are standard APIs (have got nothing to do with Google) and email is all in the one stream (no separation between public or private). Could a user make a dumb mistake and as you say install a mail client that publishes all their email to a public group? Yeah, I guess so, but that’s a direct error on the user’s part (nothing to do with google, or their APIs, or a 3rd party app).

    The big difference here is that there are heaps of small developers developing apps with the Twitter API (literally new ones coming out every day). The possibility of misinformation, bad programming or even malicious intent, pushing private messages directly back into the Twitter public timeline using their own API is significant, and most certainly negative from Twitters perspective.

    You could also look at this from a cost/benefit perspective - the chances of someone mangling their own POP or IMAP feeds and making them publicly available is quite low and the negative impacts on any company providing those mail services low (unless it was some group sharing mail app or something maybe?), but in Twitters case, with the number of small developers developing applications and the negative aspects that result from a stuff up, the risk is quite a lot higher (as we have just witnessed)… I think Twitter will recover from this ok, but there has certainly been damage done.

  6. Ben Tucker April 24, 2008 5:26 pm

    > Yeah, I guess so, but that’s a direct error on the user’s part (nothing to do with google, or their APIs, or a 3rd party app).
    But that’s exactly what happened here. It seems like your argument is that because Twitter is popular, and has a relatively simple API to code against, it should have reduced functionality to limit what 3rd party apps can do and by extension protect users from misunderstanding 3rd party applications?

    To take this further, what if there were an app that asks for gmail account credentials & twitter account credentials. It would then take any incoming email to that gmail account and post it as a message on twitter? A user doesn’t understand and enters their primary gmail account and suddenly their email is showing up in their twitter stream. Google’s fault?

    Now, don’t get me wrong, there are definitely unresolved issues when it comes to web-based, social platforms and the apportionment of users’ trust. But these are problems not solved at the API level. They must be addressed at the user level. For example, twitter needs to do a better job of educating users of just what rights they are granting a 3rd party app when they log into it (think facebook apps). They possibly should force applications to be approved (but that likely wouldn’t have changed anything in this case. I had reviewed GroupTweet quite thoroughly weeks ago and the thought of a user not following the instructions like this never crossed my mind–nor did it the developer, obviously.. I doubt the folks at Twitter would have raised a red flag either.)