The Thing I Didn't Build

The Thing I Didn't Build would have looked something like this:

Unprotector: Read private Twitter accounts. 129,482 protected accounts available. Sign in with Twitter.

Why didn't I build it?

First and foremost, The Thing I Didn't Build is evil, in the sense of being ‘profoundly immoral’. I've made ambiguous tools before — like Tweleted, which let you recover deleted tweets — but this isn't anywhere near ‘ambiguous’. There are very few positive use cases for cracking open protected accounts.

Secondly, it's certainly against Twitter's developer terms. It's probably in violation of the UK's Data Protection Act, if not the Computer Misuse Act. It would make me persona non grata with a company whose service I enjoy using.

And finally, it'd be the greatest generator of internet drama I've ever made. I hate internet drama. You should've seen the emails I got when Tweleted shut down.

How would it have worked?

After you'd signed in, The Thing I Didn't Build would have let you access the contents of every protected Twitter account it already knew about. Meanwhile, it would use the credentials you just provided to suck in all the protected accounts that you can see.

In other words, you'd unwittingly sell out your friends in exchange for voyeurism.

If you think no-one would sign in to something like that, you have far too much faith in humanity: try trying ‘see p’ into Google autocomplete sometime.

The second result: see protected tweets. The fourth: see private instagram

How could Twitter defend against it?

Rather than use an API key that Twitter could shut down, The Thing I Didn't Build would have used the official Twitter app's leaked keys. The ‘scraper’ part would have been hosted on Amazon EC2. Good luck blocking those.

There are other routes that Twitter could use; realistically, it'd be shut down by legal or technical means eventually. I doubt it'd be quick, though.

Why put the idea out there?

Someone's going to build this, sooner or later. Maybe it'll look like an innocent web toy that lets you share some entertaining stats about your Twitter account, while its owner has a look through your friends' protected accounts for anything sensitive.

Or maybe not. Maybe there are better ways of going phishing.

My point is this: A protected Twitter account is not a top-secret Twitter account. Every time you grant access to a friend, you're not only trusting them — you're trusting the security of all the applications they've used, and all the employees of all the applications they've used.

If you wouldn't want it broadcast on a screen in Times Square — or, more realistically, e-mailed to your friends — think carefully before you put it on the web, even on a ‘protected’ account. More people could see it than you might think.


A production of Pad 26 LimitedPrivacy