Christian Heilmann

Twitter privacy, protected updates and TweetEffect

Thursday, January 29th, 2009 at 7:06 pm

I just got a very concerned email (60 pixel font) telling me off for displaying protected updates in TweetEffect. The person was to say the least, very ticked off at seeing their protected updates in my application and threatened to do “something” about it.

TWEETEFFECT.COM MAKES MY PROTECTED UPDATES PUBLICLY ACCESSIBLE.
THIS IS ABSOLUTELY UNACCEPTABLE TO ME AND OTHER TWITTER USERS!
HOW WOULD YOU LIKE FOR ME TO MAKE YOUR LAST 200 E-MAILS PUBLICLY AVAILABLE?
YOU WOULDN’T I ASSUME.
STOP IT, STOP IT NOW!
I WILL TALK TO BIZ STONE ABOUT THIS TOO, SINCE THE TWITTER API SHOULDN’T LET YOU DO THIS IN FIRST PLACE.
THOUGHT THE DAYS OF WARRANT-LESS WIRE TAPPING WERE OVER.
DO NOT ANSWER THIS WITH ANY KIND OF MARKETING/PR FLUFF, SPARE ME.
IRATELY YOURS {censored}
p.s.: your answer might get published in one form or the other, fair warning.

I was pretty confused as to me there was no way to reach the updates and I wondered what all the hoohah was about. Then it came to me: when either you yourself or any of your friends (followers that are allowed to see your protected updates) are logged in to twitter, the protected updates are visible in the API. This is perfectly logical but it is also rather flaky in terms of privacy.

The security of the updates is dubious to say the least. In order to get to protected updates all I’d need to do is either lure you or any of your followers into following a link listing your updates from the user_timeline, populate a DOM element or hidden form field with it and send it to my server via Ajax or even with a dynamic script (in case of JSON output). There is simply no way to deny that as that would break every twitter client that supports protected updates – even the more secure Adobe Air ones. I can get the list of your followers even if you protect your updates – changing this would make the intrusion harder.

Personally I don’t get protecting your updates. If you want to keep things out of the public, use a direct message. Twitter is there to tell the world what you do and this is what it does damn well. I like the simplicity of Twitter and its various channels in and out – it is a tool to spread information – however mundane. The protected updates feature is a bit of a glass shield, better would be to offer a new Twitter feature and API that allows you to group contacts – much like any IM client does.

Now the question is: shall I stop supporting update analysis for users with protected updates in TweetEffect? Technically there is nothing that I do that you don’t allow Twitter themselves to do and if you allow your followers to see your updates why not the analysis of your updates. The only problematic part is that your followers can be phished to give people access to your updates, otherwise this wouldn’t be much more scary than the old “display C drive in IFRAME” trick.

Tags: , , , , ,

Share on Mastodon (needs instance)

Share on Twitter

Newsletter

Check out the Dev Digest Newsletter I write every week for WeAreDevelopers. Latest issues:

Dev Digest 146: 🥱 React fatigue 📊 Query anything with SQL 🧠 AI News

Why it may not be needed to learn React, why Deepfake masks will be a big problem and your spirit animal in body fat! 

Dev Digest 147: Free Copilot! Panel: AI and devs! RTO is bad! Pi plays!

Free Copilot! Experts discuss what AI means for devs. Don't trust containers. Mandated RTO means brain drain. And Pi plays Pokemon!

Dev Digest 148: Behind the scenes of Dev Digest & end of the year reports.

In 50 editions of Dev Digest we gave you 2081 resources. Join us in looking back and learn about all the trends this year.

Dev Digest 149: Wordpress break, VW tracking leak, ChatGPT vs Google.

Slowly starting 2025 we look at ChatGPT vs Google, Copilot vs. Cursor and the state of AI crawlers to replace web search…

Dev Digest 150: Shifting manually to AI.

Manual coding is becoming less of a skill. How can we ensure the quality of generated code? Also, unpacking an APK can get you an AI model.

My other work: