Twitter has taken to redesigning the OAuth screen – the screen you see whenever you decide to login to an application using your Twitter account – in an attempt to better show what you are agreeing to when you hit the “Allow,” err, “Authorize app” button.
Twitter developer advocate Matt Harris announced on the developer Google group this afternoon that they were working on refreshing the screen to offer “better clarity about what an application can see and do with an account.” Though it might be better than before, it’s still missing one key thing – the fact that the app can access your DMs.
If you’ve ever wondered what you’re signing up for when you click that button – whatever it will be called in the end – it’s now made a bit more explicit. As you can see from the image, giving an application access to your Twitter account allows that app to read tweets from your timeline, see who you follow, follow accounts, update your profile and post tweets.
Twitter developer Orian Marx points out, however, that a few key permissions are omitted from this screen: the ability to unfollow users and, more importantly, access their private DMs.
“Obviously it’s been to everyone’s benefit who has built apps that rely on OAuth up to this point that there has been specific mentioning of access to DMs as this would likely turn off a lot of people from granting access to experimental apps,” writes Marx. “The reality is that the OAuth system needs finer-grained controls.”
While Facebook allows developers to select what content to request authorization for, with Twitter it’s all or none. Giving a Twitter app access to your account grants it everything mentioned above – including those DMs that you might have thought were totally private. This isn’t the first we’ve heard of this – GigaOm’s Mathew Ingram pointed out last October that DMs aren’t exactly private, but it seems notable that this fact might not show up on the new login screen. Or maybe it will.
Harris responds to Marx on the developer list, writing “This is a first release of these pages to get a feel for if they are going in the right direction. We tried to select a number of phrases that explain the access that’s being granted to an application but that are also easy to understand. I think there will always be some that don’t make it, but there are others, like the ones you raise, which would help aid transparency more.”
Here’s hoping that either users are made explicitly aware that their DMs are not exactly private or that developers are given the granular security permissions necessary to say “No, we don’t want access to that.” Or both.
Image via @abraham’s Picasa.