

Our liability as Twitter app developers - robheaton
http://peternixey.com/post/58694128293/our-very-real-liability-as-twitter-app-developers

======
simonw
Our app used to ask for Twitter write permission in order to provide "follow"
buttons. It was infuriating: we only wanted to be able to follow/unfollow for
people (since our site used Twitter's social graph rather than rolling our
own) but in order to do so we had to ask for full write permissions, which
caused people to freak out and assume we wanted to tweet on their behalf or
make changes to their profile.

Contrast with Facebook which has a much better implementation of finely
grained permissions where you can opt to only ask for the permissions your
application needed.

In the end, we switched to asking for read-only permissions for most users and
let them upgrade to read-write the first time they wanted to perform a
Twitter-write operation. This was a hassle from an engineering point of view
but did completely eliminate complaints about us asking for too much access:
[http://lanyrd.com/blog/2012/twitter-read-only/](http://lanyrd.com/blog/2012/twitter-read-only/)

We eventually moved to our own social graph, which eliminated the need to
update Twitter's graph from our interface entirely.

~~~
ceejayoz
> Contrast with Facebook which has a much better implementation of finely
> grained permissions where you can opt to only ask for the permissions your
> application needed.

Facebook's minimum level of permissions is still infuriatingly broad. I hate
getting "why do you need my friends list and public profile?!" feedback on our
Facebook apps. If I could opt out of them, I would - often, I just want your
FB ID and e-mail!

~~~
NieyooG8
You could just ask for them.

~~~
ceejayoz
E-mail, sure. Facebook ID? No. Most people don't have that 10-20 digit number
memorized, and Facebook doesn't really show it anywhere other than the APIs
these days either.

------
unwind
I had to look up who Carl Icahn is
([http://en.wikipedia.org/wiki/Carl_Icahn](http://en.wikipedia.org/wiki/Carl_Icahn));
he's a large-scale investor which is why the quoted tweet about plans to
invest further in Apple caused Apple's stock to become more valuable.

~~~
loceng
And he plays the market psychology to his advantage - it's quite obvious he
does this.

------
AznHisoka
It's a good thing I only ask for read access, not write. Write access is
getting pretty useless as people have started to ignore people's tweets since
there is so much noise.

~~~
mathattack
If Twitter is ignored because it's all noise, what's the point?

~~~
AznHisoka
Tweets sent by apps (i.e. Foursquare check-ins) are usually easily detected by
regular users. Those are the ones being ignored by users, sort of like banner
ad blindness.

~~~
mathattack
Ahh - thanks for the distinction. Makes good sense to me.

------
unreal37
I wonder when we will stop speaking in hyperbole about stock price changes.

"In April of this year crackers got hold of the Associated Press Twitter
account and wiped an estimated $135Bn off the S&P 500 Index by tweeting that
explosions at the White House had injured president Obama."

And the stock market rebounded and then some over the coming weeks, reaching
new recent highs in May and June... So the effect lasted... a couple of hours?

When people talk about stock market value being "wiped out", they neglect to
say that the market fully recovered later that afternoon, or that the market
is higher today than it was back then. If you can't acknowledge that stock
prices change every second, and that dips or rises are often temporary moments
that affect very few shareholders of that company, then the phrase "billions
of dollars was wiped out" is just meaningless hyperbole.

~~~
nitid_name
If you short the market during these dips, you can make the value that is
"wiped out."

What they are saying, in essence, is "this is how much money was on the table
to be stolen because of that tweet."

------
kmfrk
One of the biggest problems with Twitter security is the aspect of revocation
of app access in the event of, say, a compromised password.

In cases like that, you need some kind of panic button to eliminate all
threats, instead of having to go through every single app and delete their
access to be safe.

~~~
patmcguire
Seems weird they don't expire tokens on password change. I know that Facebook
does.

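A small illustration of the two points raised above by simonw and by kmfrk/patmcguire (issue the narrowest scope first and upgrade only on the first write; revoke every app token when the password changes). This is an added, constructed example with invented names, not Twitter's API or any commenter's code:

```python
# Constructed example: a token store that issues read-only scope by default,
# forces a re-authorization to upgrade on the first write, and revokes all of
# a user's app tokens when their password changes.
import secrets
from dataclasses import dataclass

SCOPE_RANK = {"read": 0, "read-write": 1}


class NeedsUpgrade(Exception):
    """Operation needs more scope than the token carries."""


@dataclass
class Token:
    value: str
    user: str
    scope: str
    revoked: bool = False


class TokenStore:
    def __init__(self):
        self.tokens = {}

    def issue(self, user, scope="read"):
        # Default to read-only; read-write must be requested explicitly.
        tok = Token(secrets.token_hex(16), user, scope)
        self.tokens[tok.value] = tok
        return tok.value

    def authorize(self, value, action):
        """Return the Token if it may perform `action` ('read' or 'write')."""
        tok = self.tokens.get(value)
        if tok is None or tok.revoked:
            raise PermissionError("token unknown or revoked")
        needed = "read-write" if action == "write" else "read"
        if SCOPE_RANK[tok.scope] < SCOPE_RANK[needed]:
            raise NeedsUpgrade(needed)  # send the user back through OAuth
        return tok

    def upgrade(self, value):
        """Swap a read token for a read-write one after the user re-authorizes."""
        old = self.tokens[value]
        old.revoked = True
        return self.issue(old.user, "read-write")

    def password_changed(self, user):
        """Panic button: revoke every live token for the user; returns count."""
        live = [t for t in self.tokens.values() if t.user == user and not t.revoked]
        for t in live:
            t.revoked = True
        return len(live)
```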
------
PanMan
While theoretically true, I think for most accounts the risk is fairly small:
I'm sure it's hard to come up with something to tweet from my account that
moves any stock exchange even a penny.

~~~
digitalengineer
Your account maybe, but what about all those traders, FDA, SEC or FED people?
Or NGOs? Majors?

I think if you really try _even your account_ could move a stock. Think about
it: A tweet with location (in front of a big company's CEO's house) early in
the morning when you know the 'target' is commuting, flying or otherwise
offline, followed by a tweet 'just killed the bastard' with a fake
photoshopped picture of a body. If someone were to target a person with a love
of guns on their timeline... well things could get messy real quick.

~~~
rarw
I'm surprised Icahn is allowed to have a Twitter. Regulators used to limit
access to certain information sharing outlets for those in positions of
influence, e.g. certain high level bank officials could not have BBM (I know
right) active on their Blackberries because of the risk of insider trading.
When a tweet has the power to move the market it should probably be treated
the same.

~~~
smackfu
Information that moves the market is allowed, as long as all investors have
access to the information.

There was some contention about that last year with the Netflix CEO releasing
subscriber numbers on Twitter that affected the stock, but the SEC issued
guidance earlier this year that said that disclosure on Twitter and Facebook
was OK, as long as the accounts were public.

------
lifeformed
I wonder: if you had access to any Twitter account, what's the most damaging
thing you could tweet? Are there any things that could put someone's life in
mortal danger?

~~~
dev1n
I think it was April when someone hacked the Associated Press account, tweeted
that the White House just exploded and the Dow dropped a ton in a short amount
of time. That's pretty scary.

source: [http://www.nbcnews.com/technology/ap-twitter-account-hacked-...](http://www.nbcnews.com/technology/ap-twitter-account-hacked-posts-false-white-house-scare-6C9560165)

~~~
pc86
And completely rebounded within 10 minutes.

------
digitalengineer
How about an IP and/or MAC address as an extra layer of security? On a
side note: if this makes apps that wish to post on my behalf disappear I
wouldn't mind.

~~~
mhurron
You know your MAC address doesn't leave your local network and your IP will
change as you roam between, say, WiFi and cellular data, so I don't see that
either would be all that useful.

------
danso
Not sure why this is something that is particularly the worry of developers.
Such havoc can be wreaked through simple phishing at the user-level. Even at
major organizations, two-factor or OAuth authentication may not be the
standard, meaning that a market-changing Tweet is just one well-crafted email
away. That seems like by far the easiest attack vector for a hacker.

