Christian Heilmann

Twitter privacy, protected updates and TweetEffect

Thursday, January 29th, 2009 at 7:06 pm

I just got a very concerned email (60 pixel font) telling me off for displaying protected updates in TweetEffect. The person was to say the least, very ticked off at seeing their protected updates in my application and threatened to do “something” about it.

TWEETEFFECT.COM MAKES MY PROTECTED UPDATES PUBLICLY ACCESSIBLE.
THIS IS ABSOLUTELY UNACCEPTABLE TO ME AND OTHER TWITTER USERS!
HOW WOULD YOU LIKE FOR ME TO MAKE YOUR LAST 200 E-MAILS PUBLICLY AVAILABLE?
YOU WOULDN’T I ASSUME.
STOP IT, STOP IT NOW!
I WILL TALK TO BIZ STONE ABOUT THIS TOO, SINCE THE TWITTER API SHOULDN’T LET YOU DO THIS IN FIRST PLACE.
THOUGHT THE DAYS OF WARRANT-LESS WIRE TAPPING WERE OVER.
DO NOT ANSWER THIS WITH ANY KIND OF MARKETING/PR FLUFF, SPARE ME.
IRATELY YOURS {censored}
p.s.: your answer might get published in one form or the other, fair warning.

I was pretty confused as to me there was no way to reach the updates and I wondered what all the hoohah was about. Then it came to me: when either you yourself or any of your friends (followers that are allowed to see your protected updates) are logged in to twitter, the protected updates are visible in the API. This is perfectly logical but it is also rather flaky in terms of privacy.

The security of the updates is dubious to say the least. In order to get to protected updates all I’d need to do is either lure you or any of your followers into following a link listing your updates from the user_timeline, populate a DOM element or hidden form field with it and send it to my server via Ajax or even with a dynamic script (in case of JSON output). There is simply no way to deny that as that would break every twitter client that supports protected updates – even the more secure Adobe Air ones. I can get the list of your followers even if you protect your updates – changing this would make the intrusion harder.

Personally I don’t get protecting your updates. If you want to keep things out of the public, use a direct message. Twitter is there to tell the world what you do and this is what it does damn well. I like the simplicity of Twitter and its various channels in and out – it is a tool to spread information – however mundane. The protected updates feature is a bit of a glass shield, better would be to offer a new Twitter feature and API that allows you to group contacts – much like any IM client does.

Now the question is: shall I stop supporting update analysis for users with protected updates in TweetEffect? Technically there is nothing that I do that you don’t allow Twitter themselves to do and if you allow your followers to see your updates why not the analysis of your updates. The only problematic part is that your followers can be phished to give people access to your updates, otherwise this wouldn’t be much more scary than the old “display C drive in IFRAME” trick.

Tags: , , , , ,

Share on Mastodon (needs instance)

Share on Twitter

My other work: