Policies Review

Saw a very upsetting tweet tonight accusing the app of hijacking someone’s Twitter account. Obviously I’ve reached out to that person to try to find out what precipitated the misunderstanding. What’s most upsetting about it is that we employ the least invasive, most secure possible methods/practices to sign users in to Twitter, and still this appears!

Just a reminder that our new Policies page is here, and I’d like to call out the Authentication section of that document, here.

To review some of the technical details and policies which make us the very best from the consumer’s perspective:

  • We use OAuth to authenticate users, rather than asking users for their Twitter credentials. This means that Twitter verifies users’ identities for us; we never see a password (or even a screen name, ’til after you’ve signed in). More info about Twitter’s implementation of the OAuth standard is on their developers’ wiki.
  • Our Twitter application is read-only, rather than read/write. So we can’t change anything in your profile, and we can’t tweet on your behalf. We encourage all Twitter users to look for this before they blithely sign in to 3rd-party Twitter apps.
  • The OAuth process results in a special token we can use to retrieve information about your account. This token does not expire, but we do not store it. This is why you need to sign in to GraphEdge every time you visit (we get a new token for each session). This may change in the future to allow users to keep their computer signed-in to GraphEdge between sessions, but we would certainly not keep the token for any other reason.
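To make the third point concrete, here is an added example (not GraphEdge’s own code) of what “we get a new token for each session and never store it” looks like server-side: the OAuth access token and its secret (Twitter’s OAuth 1.0a hands back a pair) live only in process memory, bound to a random session id, and are dropped on sign-out or when the session’s time limit passes. The 30-minute session length is an assumption; the post does not state one.

```python
import secrets
import time
from dataclasses import dataclass

SESSION_TTL_SECONDS = 30 * 60  # assumed session length, not from the post


@dataclass
class _Session:
    access_token: str   # OAuth 1.0a access token returned by Twitter
    token_secret: str   # its companion secret; both are needed to sign requests
    expires_at: float   # absolute time after which the pair is discarded


class SessionTokenStore:
    """In-memory, session-bound holder for OAuth access tokens.

    The token pair is kept only in process memory and only for the life
    of the browser session that obtained it. Nothing is written to disk
    or a database, so a non-expiring Twitter token cannot outlive the visit.
    """

    def __init__(self, ttl_seconds=SESSION_TTL_SECONDS, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # session id -> _Session

    def begin(self, access_token, token_secret):
        """Bind a freshly obtained token pair to a new random session id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = _Session(
            access_token, token_secret, self._clock() + self._ttl)
        return sid

    def credentials(self, sid):
        """Return (token, secret) for a live session, or None.

        An expired session is purged on first touch, so the token pair
        disappears as soon as it is no longer usable."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() >= s.expires_at:
            self.end(sid)
            return None
        return s.access_token, s.token_secret

    def end(self, sid):
        """Sign-out path: forget the token pair immediately."""
        self._sessions.pop(sid, None)

    def live_sessions(self):
        return len(self._sessions)
```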

I feel great about these policies. One of the nice things about starting a company is that you get to do things the right way. There’s a short-term cost to doing business by making the most consumer-friendly decisions, but I’m counting on there being a long-term advantage. Of course, it would SUCK to incur the costs of doing the right thing and still be accused of nefarious activity! Let’s hope we don’t have too many more repeats of this kind of thing.

Please please, GraphEdge users, current and prospective: if you have any problems, concerns or questions, reach out to us! support [at] graphedge.com, or my personal Twitter account: @WaldronFaulkner

Update – Nov. 7, 2009

Worked with the Twitterer in question to clear the matter up. We still don’t know which app it was that tweeted his stats without his knowledge, but at least he now knows it wasn’t GraphEdge. Watch out for the word “update” in the Twitter authentication form. “Access” is good… “access and update”: think twice.
