Flaw in Twitter’s Privacy Settings

I’ve just recently started experimenting with Twitter – that sexy new thing that lets users send 140-word messages of what they’re doing at any given moment to the world. Some users, of course, prefer to keep the mundane details of their lives among friends, and Twitter offers privacy settings so one’s stream is only available to her friends, not the entire universe.

But – not altogether surprisingly – a glitch has been discovered:

Twitter, the popular messaging site which has gained traction among the technorati, has come in for plenty of criticism for downtime, bugs and trouble keeping up with the volume of users signing up.

But its latest problem takes things beyond the merely irritating and into the realm of dangerous – by undermining user privacy.
… a glitch in the Twitter API – which is used to let third-party applications mash up Twitter data – has left “private” users looking very exposed indeed…. Private user information is visible on Twittervision’s many user pages, which are built from the information extracted from the API.

Right now this might seem like only a minor bug. But consider this: Twittervision’s pages are indexed by the search engines, meaning that messages that users may have sent privately between friends are now not only visible on the web – they are also potentially searchable forever.

While they can fix this going forward, what of those semi-private personal data streams that have already been indexed by Google? Well, perhaps the whole world will now always have access to the fact that a whole gang of women with dogs just walked past elbowdonkey’s window.

Seriously, though, there could be personal information within these streams that users do not want indexed by search engines, and may never have realized could be. I’m working on some new ideas about Twitter and this kind of personal data sharing & related surveillance. More to come soon.

[via Pogo Was Right]

UPDATE: Dissent points us to Twitter’s response to this issue, where they basically say, “hey, not our fault.” It appears this flaw is the result of Twitter users signing up for an outside service based on Twitter’s API – but the service wasn’t paying attention to whether users had flagged their content as “protected” – thus publishing everything.

But Twitter really can’t absolve themselves of all guilt here. They should re-design their service with user privacy in mind, and give users more control over how their data is used. Instead of just blaming the third party, Twitter should be proactive and either (a) not allow content flagged as “protected” to be shared with third parties via the API at all; or (b) add a setting for users to choose whether to allow “protected” content to be shared via the API.
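As an added example (not Twitter’s or Twittervision’s code), here is the check the third-party service skipped and the two remedies proposed above, modelled in Python on constructed users and statuses; the `allow_api_sharing` flag, the `FRIENDS` table and all names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    protected: bool = False          # the "protected" flag from the post
    allow_api_sharing: bool = False  # hypothetical per-user opt-in (remedy b)

@dataclass(frozen=True)
class Status:
    author: User
    text: str

# Constructed sample data, not real accounts or real updates.
ALICE = User("alice", protected=True)
BOB = User("bob", protected=True, allow_api_sharing=True)
CAROL = User("carol")
FRIENDS = {"alice": {"bob"}, "bob": {"alice"}, "carol": set()}
STATUSES = [
    Status(ALICE, "walking the dog"),
    Status(BOB, "at the coffee shop"),
    Status(CAROL, "hello world"),
]

def api_export(statuses, third_party):
    """Service side. Remedy (a): protected statuses never leave through the
    third-party API; remedy (b): unless the author explicitly opted in."""
    return [s for s in statuses
            if not (third_party and s.author.protected
                    and not s.author.allow_api_sharing)]

def mashup_public_page_unsafe(statuses):
    """The bug the post describes: the mash-up publishes whatever the API
    returned on a public, crawlable page without reading the protected flag."""
    return [s.text for s in statuses]

def mashup_public_page(statuses):
    """Hardened mash-up: the public page shows unprotected statuses only,
    whatever the API handed over (defence in depth on the consumer side)."""
    return [s.text for s in statuses if not s.author.protected]

def mashup_page_for_viewer(statuses, viewer):
    """Logged-in view: a protected status is shown only to its author and
    to the people the author has accepted as friends."""
    return [s.text for s in statuses
            if not s.author.protected
            or viewer == s.author.name
            or viewer in FRIENDS.get(s.author.name, set())]
```

Running the unsafe page over the API export shows why remedy (b) alone is not enough: Bob’s opt-in lets his protected update reach the mash-up, and the unchecked page then makes it searchable.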

1 comment

  1. There was more on this story today:

    “Some Twitter users willingly provided their usernames and passwords to a mash-up project called Twittervision (a service unaffiliated with Twitter except that it accesses our API). They did this so they could be part of the fun and access more Twittervision features. However, Twittervision was not checking to see if any of these folks had marked their updates as “protected.””

    More: Twitter
