Update on Twifficiency


Brian Sutorius

Aug 18, 2010, 4:45:54 PM
to Twitter Development Talk
Hi all,

Over the past 24 hours, we've received some questions about the
Twifficiency app, so we thought we'd use this as an opportunity to
quickly share some information around our Developer Principles.

For background, the Twifficiency app computes a "Twifficiency score"
based on different aspects of your Twitter account and posts the score
as a Tweet. While the developer included a disclaimer that these
Tweets would be posted to Twitter, user feedback indicated that the
text was too far down on the page to be noticed before proceeding. As
a result, many users were surprised that their scores were being
tweeted automatically.

Which brings us to our Developer Principles, one of which is "Don't
surprise users." Specifically, we require developers to get users'
permission before sending Tweets or other messages on their behalf.
Allowing an application to access your account does not constitute
consent for actions to automatically be taken on your behalf.

Twifficiency violated this principle, so we suspended the app
yesterday afternoon while we worked with the developer to make sure
users were better informed about the application's actions and could
control whether or not a Tweet would be posted. With these changes
-- which include a more prominent warning and a checkbox on the main
page -- the application has been re-enabled.

Our developer principles can be found in our API Terms of Service:
http://dev.twitter.com/pages/api_terms

Brian Sutorius
API Policy

Tom van der Woerdt

Aug 18, 2010, 5:17:20 PM
to twitter-deve...@googlegroups.com
+1

On 8/18/10 10:55 PM, Eric Marden - API Hacker wrote:
> On behalf of the Internet. Thank you.
>
> ~e

Eric Marden - API Hacker

Aug 18, 2010, 4:55:58 PM
to twitter-deve...@googlegroups.com
On behalf of the Internet. Thank you.

~e

M. Edward (Ed) Borasky

Aug 18, 2010, 6:04:09 PM
to twitter-deve...@googlegroups.com, Brian Sutorius, Twitter Development Talk
There's another issue lurking here, and that's just how much "typical
Twitter end users" know about what an app can do once authenticated,
either using the soon-to-be-history basic authentication or
oAuth/xAuth. I think the page Twitter displays when asking
"Deny/Allow" is fine, but I'd be surprised if people really read that.
They just push the button. ;-)

What it all boils down to is that once you Allow for Read, the
application can do *anything* in your account that the API can do with
a GET, and if you Allow for Read/Write, which most applications do
even if they only read, the application can also POST and DELETE. It
can follow, unfollow, block, report spammers, read your DMs, post DMs,
edit your lists, and, of course, tweet. And I'd also venture a guess
that most "typical Twitter end users" don't know how to get to
Connections/Settings and revoke access.

So I think another "developer principle" needs to be to clearly state
which of the many available actions an app can take "on behalf of the
user", how to detect if the app has taken other actions, and how to
revoke access. Twifficiency semi-clearly stated that it was going to
tweet, but it most certainly did not state what other actions it was
going to take to compute the "score."

--
M. Edward (Ed) Borasky
http://borasky-research.net http://twitter.com/znmeb

"A mathematician is a device for turning coffee into theorems." - Paul Erdos


M. Edward (Ed) Borasky

Aug 18, 2010, 6:06:38 PM
to twitter-deve...@googlegroups.com, Daniel Ribeiro, Twitter Development Talk
+1 ... see previous email ... although I don't think Twitter
necessarily needs to do that - it's really the app developer's
responsibility to document what it's supposed to do and how to tell
when it's misbehaving.

"A mathematician is a device for turning coffee into theorems." - Paul Erdos


Quoting Daniel Ribeiro <dan...@gmail.com>:

> It would be nice to have something that makes things clearer to the
> user that the requesting app is requesting write rights. Like a big
> red warning on the Deny/allow page.


>
> On Aug 18, 6:17 pm, Tom van der Woerdt <i...@tvdw.eu> wrote:
>> +1
>>
>> On 8/18/10 10:55 PM, Eric Marden - API Hacker wrote:
>>
>> > On behalf of the Internet. Thank you.
>>
>> > ~e
>>

Daniel Ribeiro

Aug 18, 2010, 5:46:36 PM
to Twitter Development Talk
It would be nice to have something that makes things clearer to the
user that the requesting app is requesting write rights. Like a big
red warning on the Deny/allow page.

On Aug 18, 6:17 pm, Tom van der Woerdt <i...@tvdw.eu> wrote:
> +1
>
> On 8/18/10 10:55 PM, Eric Marden - API Hacker wrote:
>
> > On behalf of the Internet. Thank you.
>
> > ~e
>

Ben Metcalfe

Aug 18, 2010, 7:20:20 PM
to Twitter Development Talk
What I'd actually like to see is some granularity in the oAuth
permissions that go beyond binary "has complete access: DENY|ALLOW",
and this would also solve this problem.

Surprising users when an app auto-tweets is one thing, but I'm more
concerned about a given app reading my DMs, for example (which I
wouldn't know about, thus no 'surprise' but still bad).

I would urge Twitter to look at Flickr's oAuth (well 'oAuth style')
auth which lets users dictate the level of access a given app is
allowed and even let developers appropriately request only the right
level they need.

Twifficiency technically only needed read-only access to my public
tweets (ok, it wouldn't have had the viral aspect). If when I oAuthed
for it the twitter landing page said:

Give app "Twifficiency" access to the following on your account? :
[x] public tweets
[ ] send tweets
[ ] read direct messages


This seems more appropriate but would also deal with the issue of
surprising auto-tweets when the app developer doesn't highlight it up
front. What do people think?

Thanks,
Ben Metcalfe
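
The per-scope consent proposed in the post above, set against the Read / Read-Write behaviour described earlier in the thread, as an added example that is not part of any post or of Twitter's API. The scope names and endpoint paths are constructed for illustration.

```python
# Added illustration: scope names and endpoint paths below are constructed,
# not taken from Twitter's API documentation.

# Coarse model as described in the thread: the access level only limits
# which HTTP methods the token may use, not which resources it touches.
COARSE_METHODS = {
    "read": {"GET"},
    "read_write": {"GET", "POST", "DELETE"},
}

# Granular model: every call maps to exactly one named scope.
REQUIRED_SCOPE = {
    ("GET", "/statuses/user_timeline"): "public_tweets",
    ("POST", "/statuses/update"): "send_tweets",
    ("GET", "/direct_messages"): "read_direct_messages",
}


def coarse_allows(access_level, method, path):
    """Allow any call whose HTTP method fits the access level."""
    return method in COARSE_METHODS.get(access_level, set())


def granular_allows(granted_scopes, method, path):
    """Default deny: allow only calls that map to a scope the user ticked."""
    needed = REQUIRED_SCOPE.get((method, path))
    return needed is not None and needed in granted_scopes


def excess_access(access_level, granted_scopes):
    """Calls the coarse token permits that the user's ticked scopes would not."""
    return sorted(
        f"{method} {path}"
        for (method, path) in REQUIRED_SCOPE
        if coarse_allows(access_level, method, path)
        and not granular_allows(granted_scopes, method, path)
    )


if __name__ == "__main__":
    ticked = {"public_tweets"}  # the single box checked in the mock dialog
    for level in ("read", "read_write"):
        print(level, "->", excess_access(level, ticked))
```

The difference between the two models is the list `excess_access` returns: what an app could do beyond what the user believed they had approved.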

Peter Denton

Aug 18, 2010, 7:27:24 PM
to twitter-deve...@googlegroups.com
My opinion is that Twitter is trying to keep it intentionally simple for the benefit of apps.

For Joe Regular, more options than allow / deny is going to create confusion and apps will suffer.

It's pretty clear that if you tweet on behalf of users without consent there will be confusion/anger and you are at risk of blacklist, and it's at that point that Twitter should and does intervene, as an ISP would on spam. But before that, I think 2 choices are exactly what should be.
--
Peter Denton
Co-Founder, Product Marketing
www.mombo.com
cell: (206) 427-3866
twitter @Mombo_movies
twitter - personal: @petermdenton

Aman deep

Aug 19, 2010, 1:04:26 PM
to twitter-deve...@googlegroups.com
It's not my reply, dear.

I want the complete API and code to share my website images to my Twitter account.


Thanking you
--
Amandeep Singh
Software Engineer
+919990834436