Earlier this week, a Google engineer was caught spying on users, and a few old emails from Facebook’s CEO Mark Zuckerberg revealed that he had easy access to user profiles in the early days of the service. As we move more and more of our personal information into the cloud and onto social networks, we really have to trust these companies’ developers that they won’t misuse our data. At the same time, though, we also have to be able to assume that companies like Twitter and Facebook will ensure that developers of third-party apps can’t easily snoop on us either. According to OneForty‘s Mike Champion, Twitter’s API currently makes it too easy for unscrupulous third-party developers to access private direct messages (DMs), for example.
Twitter Permissions
As Champion points out, Twitter developers are currently only given two choices for access permissions: “read-only access” or “read & write access.” Read-only access obviously restricts developers to doing nothing more than access a user’s timeline without being able to manipulate it or post anything in the user’s name. Read-write access, however, gives a developer total control over a user’s account. With this, a third-party app can tweet in your name or follow and unfollow other accounts.
Access to Direct Message
Most importantly, though, this setting also allows developers access to your direct messages – the one part of Twitter where users rightly expect the be able to talk over a secure private channel. Here is what Champion has to say about this:
Direct Message Privacy – Do you consider your DMs private? People increasingly use DMs like short emails or IMs and assume it is a private channel between two people. In reality any app you have granted access can read all of your DMs. As an example, if you can get Michael Arrington (@arrington) to try your site and use Twitter OAuth you can now read all of his DMs. That might be tempting to an unethical few. And the challenge to Mr Arrington would be to even know that they were read without his permission. Twitter would have the logs of the API calls, but how would he know it happened? Or which app to revoke if he suspected it?
As Ryan Paul noted earlier this month on Ars Technica, there are some inherent problems with both Twitter’s implementation of the OAuth authentication standard and OAuth itself. Leaving these questions aside, though, Twitter clearly needs a more fine-grained permissions structure (something that Facebook already offers). Why, for example, can’t you tell a third-party app that it’s ok to post to your stream, but not to access your direct messages or follow list?
Note: We asked Twitter for a statement and will update this post once we hear back from them.