Twitter’s Tip Jar Privacy Fiasco Was Completely Avoidable
On Thursday, Twitter maintained its great tradition of officially adopting features that were pioneered by users (see also: the @-reply, retweet, and hashtag) by creating a Tip Jar. Enjoy someone’s tweet? Send some money directly from the app, through the online payment processor of their choice. Easy enough. And yet, predictably, it’s not that easy, especially for those who value their anonymity online.
A few hours after Twitter’s Tip Jar was announced, security researcher Rachel Tobac found an unfortunate wrinkle: sending someone money through PayPal revealed the sender’s home address. Soon after, former Federal Trade Commission chief technologist Ashkan Soltani found that using PayPal for Tip Jar may reveal a user’s email address, even if no transaction has occurred.
You may want to point to PayPal here as the common thread. Clearly, there are ways to send and receive money through the service, including through Twitter’s Tip Jar, that don’t give away your home or email address. But that makes it even more frustrating that no one at Twitter thought to correct those issues.
“Twitter users have learned that Twitter can be anonymous; it’s a platform that doesn’t need your real name and encourages potentially anonymous interactions more than other social networking sites,” says Tobac, founder of SocialProof Security. “Because of this, the population is much more vulnerable to those who use Twitter to communicate anonymously with others than with other platforms.”
But because Tip Jar bounces you to a third-party payment platform (in addition to PayPal, it supports Venmo, Cash App, Patreon, and Bandcamp), you’re suddenly playing by different rules. Twitter informs users that transactions take place elsewhere, but without spelling out the full implications of what that means, including what you can reveal about yourself along the way.
In the case of PayPal, payments go by default through what the company calls the “Goods and Services” workflow, which is designed for items that go by mail and therefore have a home address attached. It is not at all intuitive to reach the more privacy-appropriate option in PayPal. You need to click a small arrow next to the place that says “Pay for an item or service” and select “Send to a friend” instead.
Are your friends micro-celebrities on Twitter? Are good tweets a service? Fine philosophical questions! But it’s also an easy source of confusion if you’re trying to send a few dollars to someone you follow online without them knowing where you live. The email problem found by Soltani, on the other hand, affects people who are trying to get paid: If you don’t have a PayPal username, the service shows your email address by default.
A Twitter spokesperson said the company will update the app’s notification to clarify that the payment platforms used for Tip Jar can “share information about people sending tips to each other”. Twitter product head Kayvon Beykpour tweeted “It’s a good catch, thank you” in response to Tobac calling out the home address concerns. “We can’t control the appearance of Paypal’s address, but we’ll add a warning to people who give advice via Paypal so they know about it.”
While Tip Jar can be chunky, Twitter users shouldn’t have to make those catches. It’s something that Twitter should have caught itself, especially considering how many of its users prioritize anonymity.
“I don’t think this is a problem of proper outreach, but rather of poor design and testing,” says Soltani. “Many people prefer to have a ‘real world’ private identity for a variety of reasons (security, responsibility, harassment), especially when they may be harassed for their Twitter opinion,” as can happen in authoritarian regimes. “You would think for a company like Twitter that is mandated by the FTC for data security-related failures, they would consider these types of privacy and security risks when they post new features.” Twitter agreed to a 20-year consent decree with the FTC in 2011 that prohibits it from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of non-public information.