When the right individual or organization tweets, it can have the power to move global financial markets and major economies, or to incite mass chaos, all with a single, well-placed, 140-character missive. We’ve seen as much recently: a single Carl Icahn tweet raised Apple’s market cap by $17 billion, and a tweet from a hacked Associated Press Twitter account caused an estimated $135 billion to evaporate from the S&P 500 Index.
One often overlooked consequence of this power is the liability assumed by companies and developers that ask users for the ability to tweet on their behalf (aka, “write access”). It’s all too easy to assume that a strongly worded Terms of Service agreement would absolve companies of such liability in the event of a breach and subsequent catastrophic Tweet. But when the fallout is large enough, this is a pretty flimsy leg to stand on.
So, should developers assume the risk associated with holding write access to their users’ Twitter accounts?
Copyin co-founder and former Clickpass co-founder Peter Nixey sparked an interesting HackerNews discussion around this subject with a blog post titled “Our very real liability as Twitter app developers.”
As Nixey rightfully points out, it’s not the risk that an individual user will sue following a security breach that companies should worry about. The big risk is that a hacker gets access to one or more high value accounts through such a breach and then uses it to create chaos. In these cases, it’s likely the government that will do the suing.
The law isn’t entirely clear on who’s liable under such a scenario, but given the broad latitude we’ve seen government agencies take in prosecuting individual computer-centric bad actors like Aaron Swartz, Bradley Manning, and (seemingly soon enough) NSA leaker Edward Snowden, it’s not a stretch to imagine a company being held similarly liable for a security breach resulting from negligence.
Cyber-attacks are a fact of life in today’s Web-dominated age. The more sensitive user information that a company asks for and holds, the greater its value to hackers and accordingly its potential liability in the event of a breach. Twitter account credentials are not exactly credit card account information, but in some cases they may be even more powerful.
In an era when everyone from disgruntled teens to war-minded nations is looking for ways to inflict pain, Twitter is an increasingly attractive target. As Nixey alludes to, it stands to reason that Twitter.com is unlikely to be the primary target of such attacks; rather, the ecosystem of far smaller, and thus far less well-secured, third-party apps will face the bulk of the breach attempts.
At present, I have 74 third-party apps authorized to access my Twitter account – and unlike many users, I go in and revoke access from time to time. But despite this regular maintenance, as Sarah Lacy posited when warning consumers about the risk of granting such access late last year, “[I] couldn’t name 15 of them without looking, and…no more than a handful are really relevant anymore.” Most of the authorizations were issued as a login credential for this app or that – often because I didn’t want to use my seemingly far more personal Facebook identity.
But my personal vulnerability is beside the point. I’m not Carl Icahn, Ben Bernanke, Alan Greenspan, Jeff Bezos, Tim Cook, the AP, or any other account holder with the power to move markets in an instant. But without a doubt, each of those users has granted write access to at least one third-party platform. And behind those platforms are founders and developers who have assumed liability for securing access to these high-value accounts, and in turn for the damage that could be caused through a breach.
For developers, the primary question must be, what is to be gained by asking for Twitter write access? For makers of Twitter clients and social media platforms like Hootsuite, SproutSocial, Tweetbot, Klout, and others, it’s simply a necessary risk in accordance with their business model. But for every other unrelated app that elects to assume this responsibility for the benefit of a little viral promotion – for example, sending Tweets that say, “I just got a high score of 9,847,125 in SpaceZebras” – the cost-benefit analysis is less clear.
One developer in the HackerNews thread points out that Twitter bears some responsibility in this situation. Unlike Facebook, which gives developers more granular options around the permission requested from users, Twitter demands that developers ask for full write permissions in order to provide “follow” buttons.
Simon Willison writes:
“It was infuriating: we only wanted to be able to follow/unfollow for people (since our site used Twitter’s social graph rather than rolling our own), but in order to do so we had to ask for full write permissions, which caused people to freak out and assume we wanted to tweet on their behalf or make changes to their profile.”
A HackerNews commenter named Pat McGuire adds:
“Seems weird they [Twitter] don’t expire tokens on password change. I know that Facebook does.”
There’s a lot to digest here, but the main takeaway for developers appears to be: don’t disregard the liability inherent in accepting write access from your users. Further, if you do take that access, treat the access tokens you hold as being as sensitive as credit card data.
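To make the “as sensitive as credit card data” advice concrete, here is an added example (not from this article, from Nixey’s post, or from any product named here) of how a third-party app can hold users’ OAuth access tokens: encrypted at rest under a key kept outside the database, bound to the owning user so a copied record is useless, refused when the granted scope exceeds what the feature needs, and deleted on revocation. The key handling, the “read”/“read-write” labels, the user ids and the tokens are all constructed assumptions for the example; Go is used only because its standard library carries AES-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// ErrScopeTooBroad is returned when an app tries to keep a read-write token
// for a feature that only needs read access (least privilege at the vault).
var ErrScopeTooBroad = errors.New("token grants read-write but the feature only needs read")

// TokenVault keeps third-party OAuth access tokens encrypted at rest.
// The key encryption key (kek) lives outside the database (in practice an
// HSM- or KMS-managed key; here a constructed in-memory key), so a dump of
// the database alone does not yield usable tokens.
type TokenVault struct {
	aead  cipher.AEAD
	store map[string]string // user id -> base64(nonce || ciphertext); stand-in for a DB table
}

func NewTokenVault(kek []byte) (*TokenVault, error) {
	block, err := aes.NewCipher(kek) // kek must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead, store: make(map[string]string)}, nil
}

// Store refuses over-scoped tokens, then encrypts the token with AES-GCM,
// binding the ciphertext to the user id as associated data so a record copied
// or moved to another user's row fails to decrypt.
func (v *TokenVault) Store(userID, granted, needed, token string) error {
	if granted == "read-write" && needed == "read" {
		return ErrScopeTooBroad
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	ct := v.aead.Seal(nil, nonce, []byte(token), []byte(userID))
	v.store[userID] = base64.StdEncoding.EncodeToString(append(nonce, ct...))
	return nil
}

// Load decrypts and authenticates the stored token for userID. Any error
// (wrong key, tampered record, record belonging to another user) is fatal:
// the caller must never fall back to using the raw record.
func (v *TokenVault) Load(userID string) (string, error) {
	raw, ok := v.store[userID]
	if !ok {
		return "", errors.New("no token stored for user")
	}
	blob, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		return "", errors.New("record too short")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(userID))
	if err != nil {
		return "", fmt.Errorf("token for %s failed authentication: %w", userID, err)
	}
	return string(pt), nil
}

// Revoke deletes the record, so a later database dump cannot yield the token.
func (v *TokenVault) Revoke(userID string) {
	delete(v.store, userID)
}

func main() {
	kek := make([]byte, 32) // constructed key for the example; never hard-code a real one
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	v, err := NewTokenVault(kek)
	if err != nil {
		panic(err)
	}
	// Constructed token; real access tokens are opaque strings issued by the OAuth flow.
	if err := v.Store("user-42", "read-write", "read-write", "example-access-token"); err != nil {
		panic(err)
	}
	tok, err := v.Load("user-42")
	fmt.Println("round trip:", tok, err)

	// Copy the ciphertext into a different user's row: authentication fails.
	v.store["user-99"] = v.store["user-42"]
	_, err = v.Load("user-99")
	fmt.Println("moved record:", err)

	// A follower-count widget only needs read; the vault refuses the write token.
	fmt.Println("over-scoped:", v.Store("user-7", "read-write", "read", "another-token"))
}
```

The point of binding the user id as associated data is that an attacker who can read and write rows in the database, but not the key, cannot replay one user's token under another account; and the scope check at storage time is the cheapest way to stop a “viral promotion” feature from quietly accumulating write tokens it never needed.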
We have yet to see a company held liable for leaking a user’s social media login information. But it seems like a when, not an if scenario. It should be the goal of every company and developer not to be the first.
[Image courtesy acidpix]