[twitter-dev] Re: Privacy issues with the proposed annotations feature
Brian, not to ignore privacy issues but just to simplify the situation a bit ... What currently protects a user from a malicious (desktop) application stealing all kinds of user data via submitting tweets through it's proxy? And even by submitting such information directly to it's website? On Apr 19, 2:03 am, Raffi Krikorian ra...@twitter.com wrote: Right now the web UI exposes every piece of metadata in a tweet to end-users. That is, an end-user can use twitter.com to check the complete contents of tweet sent by an application. I didn’t see anything in the proposals regarding the annotation feature that says that users will be able to see all the annotations through the web UI. And, even if they could see them, chances are they couldn’t understand them. And, even if end-users could understand them, applications will be able to use encryption and other obfuscation to make them impossible to interpret. This reduces the amount of control users have over their tweets. this wasn't always true -- there was a period where the web client showed no geo information at all. geo was an API only feature. at current time, it is still a bit unknown how the twitter.com webclient will utilize annotations (just like its unknown how the ecosystem will utilize annotations). I think there must be some kind of control mechanism in place for annotations, or the web UI must present all the annotations of a user’s tweets to that user, or both, in order to prevent the annotations feature from becoming a side channel for applications to communicate users’ private information without users’ knowledge or consent. I would like to know more about how this is going to be done. at this point, we're not planning to have any elaborate control mechanisms over annotations, however, your point of being able to use twitter.com as a debugging interface is an interesting one. -- Raffi Krikorian Twitter Platform Teamhttp://twitter.com/raffi -- Subscription settings:http://groups.google.com/group/twitter-development-talk/subscribe?hl=en
[twitter-dev] Re: Privacy issues with the proposed annotations feature
I think Brian brings up some interesting points. What this reminds me of is the machine identification codes secretly being including in every page printed by personal use printers ( EFF article here: http://www.eff.org/wp/investigating-machine-identification-code-technology-color-laser-printers ). Annotations could potentially be used to add a lot of tracking information users might not be happy with. What happens when a developer decides to attach the user's OAuth info to their tweets for whatever dumb reason? I think these are interesting questions, though I'm not sure Twitter can do too much about them in advance without severely restricting what annotations has the potential for. Twitter is taking a wait-and- see approach to what developers do with annotations and I think that it probably the right one for now. @orian On Apr 18, 8:23 pm, Brian Smith br...@briansmith.org wrote: Right now the web UI exposes every piece of metadata in a tweet to end-users. That is, an end-user can use twitter.com to check the complete contents of tweet sent by an application. I didn't see anything in the proposals regarding the annotation feature that says that users will be able to see all the annotations through the web UI. And, even if they could see them, chances are they couldn't understand them. And, even if end-users could understand them, applications will be able to use encryption and other obfuscation to make them impossible to interpret. This reduces the amount of control users have over their tweets. Right now an application cannot disclose the user's location in a tweet, except by putting the location information in the tweet text (which the user can see very clearly), or by putting the location information in the built-in geo feature. The ability for applications to expose the user's information is controlled by a preference that can be controlled only by the official web interface on twitter.com. However, with the annotations feature, applications will be able to expose the user's location-again, possibly encrypted or otherwise obfuscated-even when application access to the location feature is disabled. It doesn't make sense to disable an applications' access to the geo feature and then let it silently and undetectably disclose the user's location-perhaps in even more detail than the built-in geo feature allows. I think there must be some kind of control mechanism in place for annotations, or the web UI must present all the annotations of a user's tweets to that user, or both, in order to prevent the annotations feature from becoming a side channel for applications to communicate users' private information without users' knowledge or consent. I would like to know more about how this is going to be done. Thanks, Brian -- Subscription settings:http://groups.google.com/group/twitter-development-talk/subscribe?hl=en
RE: [twitter-dev] Re: Privacy issues with the proposed annotations feature
Alexro wrote: not to ignore privacy issues but just to simplify the situation a bit ... What currently protects a user from a malicious (desktop) application stealing all kinds of user data via submitting tweets through it's proxy? And even by submitting such information directly to it's website? That is a very good point. It is an unsolved problem that affects nearly all installable software, and that is a problem that needs to be solved at the operating system level. iPhone OS and the upcoming Windows 7 Phone do have measures to protect against that kind of data theft and inadvertent information disclosure; in fact, basically all of the API limitations in Windows 7 Phone (no background apps, no access to the user's personal information, warnings about GPS usage) can be traced back to privacy protection. Similarly, even in desktop Windows, access to PIM information (email and contacts in particular) is severely restricted with the official APIs. Location is a different because Twitter has special privacy protections for its geo feature, including technical limitations that control whether applications may use it, and a way to remove the location information from tweets after the fact. I don't think it makes sense to have a lock for the built-in location feature and at the same time allow applications to use annotations to disclose the same (or even more precise) location information regardless of that lock. If you can trust applications not to disclose location information via annotations without the user's consent, why can't you trust those same applications to not use the built-in geo feature without the user's consent? If an application isn't trusted enough to be able to flip the geo switch, why should it be trusted to not disclose the user's location in a different way without the user's consent? At least with the built-in geo feature, there is a built-in mechanism for the user to remove the geo annotations, unlike other annotations. It is the same deal with Twitter XAuth and website-only functionality. A malicious Twitter XAuth application has full access to everything in the user's account because it has the user's password. Meanwhile, the API doesn't expose useful actions (sign up, approve followers, change password, read email address) in an effort to prevent malicious applications from using that functionality. But, of course, malicious applications don't *need* any official API at all to perform those actions. My conclusion is that the API restrictions punish well-behaved applications due to fear that they may be malicious, but they don't actually prevent any unwanted behavior by applications that actually are malicious. This is something that Raffi touched on when he blogged about how he thinks that every OAuth approval should be going through the Twitter website (i.e. no Twitter XAuth). The annotations feature would compound that problem in a way that can't be solved by disabling Twitter XAuth access to applications. (Note that Twitter XAuth is different from, xauth.org XAuth.) Regards, Brian -- Subscription settings: http://groups.google.com/group/twitter-development-talk/subscribe?hl=en
