As much as social media oversharing has become a regular feature of our online identities, there are still a few cranky holdouts who prefer to keep their missives “private.” According to a study put out last year by the social media analytics firm Beevolve, some 11.8% of Twitter users have protected accounts, which means the account owner must approve you as a follower before you can see their tweets.
All of this seems uniquely wise and prudent, except for the fact that privacy on social media is easily undone. Just last week, Khalil Shreateh, a Palestinian researcher who had found a bug in Facebook, used it to post on Mark Zuckerberg’s wall to prove a point after his reports to the company had gone unheeded. “First sorry for breaking your privacy and post [sic] to your wall,” Shreateh wrote in desperation. “I has [sic] no other choice to make after all the reports I sent to Facebook team.”
This week, veteran social commentator and programmer Tom Scott showed just how easy it would be to build a tool that reads protected Twitter accounts. Though Scott didn’t actually make the tool (arguing that it would be “profoundly immoral”), he did lay out how one could, and, inevitably, he says, how someone will.
“When you sign into a Twitter app, whether it’s a big professional one like HootSuite or a small toy made by an independent developer, that app can see the same tweets you can, including tweets from private accounts,” Scott wrote Co.Exist in an email. “So if you wanted to be evil, you could get a lot of people to sign into an app, and then start offering other people access to the ‘secret’ things they can see.”
In a cheeky post entitled “The Thing I Didn’t Build,” Scott lays out how a malicious developer could build an app that reads its users’ protected timelines and sells that access to voyeurs. The key point is that a protected account is only protected against people its owner hasn’t approved; anyone the owner has approved can delegate that view to an app, and the app then holds the union of everything its users can see. “I had the horrible realization that it was possible, and… well, the alternative was not writing about it!” Scott says by way of explaining why he’d even publicize this concept to begin with.
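To make the delegation problem concrete, here is a toy model of the access rule Scott describes. It is an added example, not code from Scott’s post or Twitter’s API: the service, token format and account names are all constructed. Protected tweets are filtered at read time according to who is asking; an app holding a user’s token reads as that user; so an app that many users have signed into sees the union of their timelines, including protected accounts that none of the other users were approved to follow.

```python
"""Toy model of delegated read access to protected tweets (constructed example).

Not Twitter's real API. It models three things the article relies on:
  1. a protected account's tweets are visible only to approved followers;
  2. signing into an app hands that app a token that reads as you;
  3. an app holding many tokens sees the union of what its users can see.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Tweet:
    author: str
    text: str


@dataclass
class Account:
    handle: str
    protected: bool = False
    approved_followers: set = field(default_factory=set)
    tweets: list = field(default_factory=list)


class ToyTwitter:
    def __init__(self):
        self.accounts = {}
        self.tokens = {}  # token -> handle the token acts as (constructed format)

    def add_account(self, handle, protected=False):
        self.accounts[handle] = Account(handle, protected)

    def approve_follower(self, owner, follower):
        self.accounts[owner].approved_followers.add(follower)

    def post(self, handle, text):
        self.accounts[handle].tweets.append(Tweet(handle, text))

    def can_view(self, viewer, author):
        """Access check applied at read time, per viewer, not per tweet."""
        acct = self.accounts[author]
        return (not acct.protected) or viewer == author or viewer in acct.approved_followers

    def tweets_visible_to(self, viewer):
        return [t for a in self.accounts.values() for t in a.tweets
                if self.can_view(viewer, a.handle)]

    def issue_token(self, handle, app):
        """User signs into `app`; the app now reads with the user's permissions."""
        token = f"{app}:{handle}"  # hypothetical token shape, for illustration only
        self.tokens[token] = handle
        return token

    def revoke(self, token):
        self.tokens.pop(token, None)

    def read_as(self, token):
        if token not in self.tokens:
            return []  # revoked or unknown token sees nothing
        return self.tweets_visible_to(self.tokens[token])


def app_visible_set(service, tokens):
    """Everything an app holding these tokens can read: the union over its users."""
    seen = set()
    for token in tokens:
        seen.update(service.read_as(token))
    return seen


def build_demo():
    """Constructed scenario: alice is protected and approved only bob."""
    svc = ToyTwitter()
    svc.add_account("alice", protected=True)
    svc.add_account("carol")
    svc.add_account("bob")
    svc.add_account("dave")
    svc.approve_follower("alice", "bob")
    svc.post("alice", "protected: only my approved followers should see this")
    svc.post("carol", "public: anyone can see this")
    # bob and dave both sign into the same third-party app
    tokens = {h: svc.issue_token(h, "SomeToyApp") for h in ("bob", "dave")}
    return svc, tokens


if __name__ == "__main__":
    svc, tokens = build_demo()
    print("dave alone sees alice?", svc.can_view("dave", "alice"))
    print("app sees alice?", any(t.author == "alice" for t in app_visible_set(svc, tokens.values())))
    svc.revoke(tokens["bob"])
    print("after bob revokes, app sees alice?",
          any(t.author == "alice" for t in app_visible_set(svc, tokens.values())))
```

The model shows why the protection is only as strong as the least trustworthy app any approved follower has authorized: dave cannot see alice directly, but the app he shares with bob can, and could serve alice’s tweets to him. It also shows the remedy available to users today: revoking an app’s authorization removes that user’s view from the app’s union, which is why auditing connected apps matters as much as curating one’s follower list.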
This isn’t the first time that Scott has poked a hole in the veneer of social media privacy. After Facebook launched its Graph Search function earlier this year, Scott created a parallel site highlighting embarrassing “likes” in user profiles. Earlier, in 2009, Scott also created Tweleted, a tool to recover deleted tweets, after he discovered a security flaw in the microblogging platform. Twitter eventually fixed the problem, and so Tweleted became irrelevant, which pleased Scott. “That’s great, and it’s what should always have happened,” Scott wrote on Tweleted’s page after the bug was fixed. “It turned out to be quite a useful tool, and may possibly have helped in a divorce case!, but it also meant that every amateur detective wanted a go,” Scott told Co.Exist. “When it stopped working, I got a lot of emails, some pleading, some angry, asking when I’d get it working again.”
Still, as entertaining as it is to point out how perceptions of our online privacy clash with a far more transparent reality, Scott says he’s not looking to elicit broad-based alarm.
“Putting stuff online is a calculated (or not-so-calculated) risk, and the vast majority of Twitter users won’t have any trouble,” Scott said. “The risk is generally from people who know you and are interested in you, not big, monolithic privacy-revealing sites.”