
Twitter warns that private tweets were public for years - LinuxBender
https://www.bbc.com/news/technology-46918859
======
bilbo0s
Just my own opinion, but at this point I think it's prudent to assume that
pretty much anything you send out into the digital network world is public. If
it's not something you would want the world knowing you said, don't put it out
there. Security breaches happen. Bugs happen. Sometimes law enforcement just
comes by and says, "Give me everything that user X has ever done." In short,
sh!t happens.

"Everything I do on the net can be authoritatively attributed to me
personally."

That's the thought we should all have in our heads before we send any post, or
send any text, or send any email, or send any photo, or etc etc etc. We
shouldn't rely on some company, that's using us to make money, to protect our
privacy.

~~~
VikingCoder
Eric Schmidt: "If you have something that you don’t want anyone to know, maybe
you shouldn’t be doing it in the first place."

People have taken this different ways, but personally I think it's sage
advice. We've lost our ability to keep secrets. Information wants to be free.
We're terrible at digital security. Pretend everything you type into a
computer is on the front page of the New York Times.

~~~
Zarath
Better not be openly gay in Russia! Or openly gay 15 years ago and have them
scrape old data and find out.

~~~
tomcam
Or openly conservative in the USA

~~~
markholmes
I’m sorry, but what? Are you suggesting that being conservative in the United
States is somehow equivalent to being gay in Russia?

~~~
tomcam
Yep. Assuming you live in SV, would you like to disprove me by putting a TRUMP
2020 sign on your lawn?

~~~
markholmes
Sure, because that won’t have me thrown in jail or possibly even killed.

------
jtmarmon
This headline/article are pretty misleading. It makes the issue sound like if
you had "Protect My Tweets" enabled, your tweets were still public.

From reading the original notice
[[https://help.twitter.com/en/protected-tweets-android](https://help.twitter.com/en/protected-tweets-android)] it
sounds like the setting would just be disabled, which then made your tweets
public. But not that Twitter's app would continue to say they were protected.
That's a pretty significant difference (also by the fact that such a huge
thing was not noticed for 6 years I'm guessing not many people were actually
impacted)

Also just for fun, I'd wager how it happened is that the developer had some
"default request object" that had "true" as the default setting for this and
merged it with the updated property values ;) a classic

~~~
daveFNbuck
If you don't check your settings before each tweet, there's not much
difference between your settings being changed and your settings not
working correctly.

~~~
pqz
Private tweets and profiles show a padlock next to the user's name... You
don't have to go to any obscure menu to find out whether your tweets are
public or not.

------
hcnews
Shouldn't this involve lots of penalties? This has the potential to
change/ruin lives drastically. A prudent consumer never trusts what the
companies say nowadays. However, that shouldn't absolve the company of falsely
claiming private product when it isn't so.

~~~
the_duke
A prudent consumer also doesn't send 'life-destroying' messages on a public,
hosted messaging platform, regardless of a private setting...

Note that this isn't even about DMs.

~~~
drngdds
If companies can't be trusted to act carefully and responsibly with users'
data, then I think that's a problem with the companies.

~~~
ProAm
It's not 'users' data anymore once it's on their servers.

~~~
dogecoinbase
Of course it is. This is the essence of the GDPR.

~~~
ProAm
GDPR is nice on paper, I'd like to see it actually enforced as it's been
written. Seems like strong words and weak teeth so far. However, most
companies are more concerned with hockey stick charts and are willing to ask
for forgiveness later in terms of all things privacy related. I wish it
weren't that way, but I've yet to see that happen successfully.

~~~
WilliamEdward
Did you not see millions of emails sent out by companies about their new data
policy? How then is GDPR not being enforced?

------
the_duke
This is the actual source:
[https://help.twitter.com/en/protected-tweets-android](https://help.twitter.com/en/protected-tweets-android).

~~~
miracle2k
So basically, the issue was that the settings screen in the Android app would
toggle the "account is private" setting off when updating unrelated settings;
however, the setting itself, if turned on, worked fine.
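
The failure mode described above (saving unrelated settings turns protection off, and jtmarmon's guess about a default request object being merged) can be reproduced in a few lines. This is an added example, not Twitter's code and not part of the thread; the field names, the defaults and the helper functions are all hypothetical.

```python
from dataclasses import dataclass, asdict

@dataclass
class AccountSettings:
    # Hypothetical settings model for the demo.
    protected: bool = False
    email: str = ""
    discoverable_by_email: bool = True

# Assumed client-side defaults used to build a full request object.
REQUEST_DEFAULTS = asdict(AccountSettings())

def save_full_object(stored, edited):
    """Buggy pattern: build the payload from defaults plus the edited
    fields and overwrite everything. The stored state is never read."""
    return AccountSettings(**{**REQUEST_DEFAULTS, **edited})

def save_patch(stored, edited):
    """Patch semantics: start from the stored state, change only the
    fields the user edited, and reject unknown keys."""
    current = asdict(stored)
    unknown = set(edited) - set(current)
    if unknown:
        raise ValueError(f"unknown settings: {sorted(unknown)}")
    return AccountSettings(**{**current, **edited})

def unrequested_changes(before, after, edited):
    """Invariant check for tests and audit logs: fields whose value
    changed although the user did not edit them."""
    b, a = asdict(before), asdict(after)
    return sorted(k for k in b if b[k] != a[k] and k not in edited)

if __name__ == "__main__":
    # Constructed sample state: a protected account changing its e-mail.
    stored = AccountSettings(protected=True, email="old@example.test")
    edit = {"email": "new@example.test"}
    for save in (save_full_object, save_patch):
        after = save(stored, edit)
        print(save.__name__, after, unrequested_changes(stored, after, edit))
```

Running `unrequested_changes` on every settings write, in tests or server-side, surfaces a silent privacy downgrade at the time it happens.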

------
jerf
I've noticed a hole in a lot of people's thinking where even if they think to
write automated testing or QA testing to ensure that a given thing is
available to a certain user or role, there is often not a lot of thought given
to writing tests to ensure that users or roles that should _not_ have access to
the data can't get it.

I'm not sure I've ever found a permission system without explicit testing that
the denials work that didn't turn out to have _gaping_ holes in what could
actually be done. Generally, the code that hides the UI for what you're not
supposed to be able to do works, since that's visible, but on something like
the Web where the user also has fairly direct access to the message bus the
application is using to communicate to the web server, that's not enough.

~~~
jakear
Testing a negative is much more difficult. Testing the positive is “can this
user access this private data using this procedure”. Testing the negative is
“can any user access any private data using any procedure”. That’s almost
impossible to verify.
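
One way to make the denial testing jerf describes tractable for a fixed set of fixtures: write down the complete allow-list and treat every other (viewer, resource) pair as a required denial, then run the whole matrix against the server-side handler. This is an added example, not part of the thread; the users, tweets and both handlers are constructed for illustration.

```python
from itertools import product

# Constructed fixture: users, follow approvals and tweets are hypothetical.
USERS = ["alice", "bob", "mallory", None]   # None = unauthenticated
APPROVED_FOLLOWERS = {"alice": {"bob"}}     # alice's account is protected
TWEETS = {
    1: {"author": "alice", "protected": True},
    2: {"author": "bob", "protected": False},
}

# The complete allow-list; every pair not listed here must be denied.
EXPECTED_ALLOW = {("alice", 1), ("bob", 1)} | {(u, 2) for u in USERS}

def fetch_ui_only(viewer, tweet_id):
    """Buggy handler: any logged-in user is served, on the assumption
    that the client never shows links to protected tweets."""
    return viewer is not None or not TWEETS[tweet_id]["protected"]

def fetch_checked(viewer, tweet_id):
    """Handler that enforces the rule server-side on every request."""
    tweet = TWEETS[tweet_id]
    if not tweet["protected"]:
        return True
    author = tweet["author"]
    return viewer == author or viewer in APPROVED_FOLLOWERS.get(author, set())

def audit(handler):
    """Run every (viewer, tweet) pair; return (unexpected grants,
    unexpected denials) relative to EXPECTED_ALLOW."""
    grants, denials = [], []
    for viewer, tweet_id in product(USERS, TWEETS):
        allowed = handler(viewer, tweet_id)
        expected = (viewer, tweet_id) in EXPECTED_ALLOW
        if allowed and not expected:
            grants.append((viewer, tweet_id))
        elif expected and not allowed:
            denials.append((viewer, tweet_id))
    return grants, denials

if __name__ == "__main__":
    for handler in (fetch_ui_only, fetch_checked):
        print(handler.__name__, audit(handler))
```

The matrix only covers the procedures and fixtures it enumerates, so it bounds the problem jakear raises rather than solving it in general.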

------
sixothree
At this point it should probably be illegal to call something "private" when
there is no guarantee of protections.

~~~
woodrowbarlow
twitter uses the word "protected", only the article's author ever used the
word "private".

~~~
sixothree
Was it really a good faith effort to make them protected?

~~~
scarejunba
Yes, it was a bug that revealed them.

------
louishill
Great site and a great thort as well I really get amazed to read this. It’s
really fine.For USA Assignment Help visit our site Casestudyhelp.com.
[https://casestudyhelp.com/usa/](https://casestudyhelp.com/usa/)

------
braydenmarco
Great site and a great topic as well I really get amazed to read this. It’s
really good.For Assignment Help visit our site AllAssignmentHelp.
[https://www.allassignmenthelp.com/](https://www.allassignmenthelp.com/)

------
fixermark
Sometimes, I'm sad I quit using Twitter. There are some neat people sharing
content there.

But the more time goes by, the less sad I get. Their tech stack is and always
has been a bit of a garbage fire.

~~~
artursapek
Name one startup that grew quickly and organically into a massive company
which doesn't have a "garbage fire" tech stack.

~~~
mintplant
WhatsApp.

~~~
nichochar
erlang is amazing

------
throwaway5752
Specific to Twitter for Android (not web or iOS device clients)

------
Bud
Too much to ask for the headline to include the word "Android", since it was
_only Android tweets_ that were affected?

------
ddingus
The very first words I wrote online sometime around 91 were visible for over
15 years.

I pretty much don't put anything online I cannot live with.

~~~
WilliamEdward
This is a good principle in general but you didn't exactly put those words up
on a site that promised "privacy/protection" did you? That's the difference
here.

~~~
ddingus
Spot on. Let's just say I knew better. Seriously.

There was absolutely no way these companies were not going to exploit the crap
out of both their position and data.

None.

How were they all built? As fast as possible, growth first, etc... I expect
these kinds of things to boil down to risks and costs, ideally paid after the
enterprise is big enough to deal.

And a whole lot of us know it too. How else was it all going to go?

I am a realist. There is no real privacy online. One can get close, but doing
that is a lot of work, takes understanding, and is still a bit of a risk.

Long ago I realized it is better to just not put things I can't live with
online.

Frankly, I won't do that electronically, unless it is very worth it.

Edit: It is all still pretty new. We are leaving the honeymoon time. Bad
things will happen, so will more regulation, and that crank will get turned a
few times.

My expectations are super low right now. That could change, but not yet.

------
Thaxll
It most likely only takes a bool in a DB to make something public.

------
omouse
This is why whenever you build software, you basically should encrypt any and
all data and you should be extremely careful when it comes to permission
checks. Especially if you are a company or startup, there's no excuse for not
burning through a few thousand dollars more here and there to build more
secure software that doesn't result in privacy blow-ups like this.

I wonder if GDPR affects Twitter in this case and what % of their revenue can
be taken as a penalty for treating users like shit.

------
thrillgore
We really need regulation here.

~~~
niij
Which government regulation would have prevented this, exactly?

~~~
falcor84
Perhaps a regulation that fined previous companies where this had happened
$1000 per affected user

~~~
ttoinou
10 000 USD seems better IMHO

~~~
niij
Why stop there. Why not $1,000,000,000 per user? ;)

------
beachie
I had the pleasure of interviewing the anonymous developer of the fastest
organically growing decentralized p2p app notabug.io. I feel it's relevant to
this conversation. Why are we not switching to decentralized content sharing
platforms? :S

[https://electronicsforu.com/resources/cool-stuff-misc/future...](https://electronicsforu.com/resources/cool-stuff-misc/future-decentralised-web-part-1)
[https://electronicsforu.com/resources/cool-stuff-misc/future...](https://electronicsforu.com/resources/cool-stuff-misc/future-decentralised-web-part-2)

~~~
soared
> Why are we not switching to decentralized content sharing platforms?

Because that site looks like a phishing site for reddit accounts. How is 100%
cloning another site's design acceptable at all?

~~~
beachie
Geez! It's a design that all are familiar with, UX 101 and facebook does it
all the time! No one 'cloned a site' the whole backend infrastructure is
different. Did you read it at all?

~~~
soared
Facebook doesn't copy and paste the css of competitors. That site did. I
didn't read any of the interview, I just went to the site like most users
would.

