Thursday, Twitter continued its great tradition of embracing the features that users had unofficially launched (see also: the @ -reply, the retweet, the hashtag) by instituting a Tip Jar. Do you like someone’s tweet? Send them money directly from the app, through the online payment processor of their choice. Simple enough. And yet, predictably, not so easy, especially for those who value their anonymity online.
Hours after Tip Jar’s Twitter announcement, security researcher Rachel Tobac find an unfortunate wrinkle: Sending someone money through PayPal revealed their home address. Shortly thereafter, former Federal Trade Commission chief technologist Ashkan Soltani discovered that using PayPal for the Tip Jar could reveal a user’s email address, even though no transactions have taken place.
You’ve probably chosen PayPal as a common thread here. To be clear, there are ways to send and receive money through this service, including the Twitter Tip Jar, that doesn’t give out your home address or email address. But that makes it all the more disappointing that no one on Twitter has thought of avoiding these obvious problems at the pass.
“Twitter users have learned that they can be anonymous on Twitter – it’s a platform that doesn’t require your real name and encourages more potentially anonymous interactions than other social media sites,” says Tobac, co-founder of SocialProof Security. “For this reason, there are many more vulnerable populations using Twitter to communicate anonymously with others, rather than with other platforms.”
But since the Tip Jar simply sends you to a third-party payment platform – in addition to PayPal, it supports Venmo, Cash App, Patreon, and Bandcamp – you suddenly play by different rules. Twitter is informing users that the transactions are happening elsewhere, but without giving the full implications of what that might mean and what you might reveal about yourself along the way.
In the case of PayPal, payments are made by default through what the company calls the “Goods and Services” workflow, which is designed for mailed items and therefore associated with a personal address. Navigating to a more privacy-friendly choice in PayPal isn’t particularly intuitive. You should tap a small arrow next to where it says “Pay for an item or service”, then select “Send to a friend” instead.
Are Twitter micro-celebrities your friends? Are good tweets a service? Beautiful philosophical questions! But also easily confusing if you’re just trying to send a few bucks to someone you follow online without letting them know where you live. The email problem Soltani discovered, meanwhile, applies to people trying to get paid: if you don’t have a username on PayPal, the service displays your default email address.
A Twitter spokesperson said the company will update its in-app notification to clarify that the payment platforms it has closed for the Tip Jar “may share information about who sends each other.” tips”. Twitter Product Manager Kayvan Beykpour tweeted “That’s a good catch, thank you” in a response to Tobac, shouting the home address problem. “We cannot control the disclosure of the address on the Paypal side but we will add a warning for people who tip through Paypal so that they are aware of it.”
As well-intentioned as a Tip Jar may be, Twitter users shouldn’t be the ones making these captures. This is the sort of thing Twitter should have taken to itself, especially given the number of users who prioritize anonymity.
“I don’t think it’s just a problem of adequate disclosure, but rather bad design and poor testing,” Soltani says. “Many people prefer to keep their ‘real world’ identities private for various reasons – security, accountability, persecution – especially when they can be persecuted for their opinions on Twitter,” as can happen in authoritarian regimes. “You would think that for a company like Twitter, which is under order with the FTC for data security failures, it would be aware of these types of privacy and security risks when it releases new features. . ” Twitter agreed to a 20-year consent decree with the FTC in 2011 which prevents it from “misleading consumers about the extent to which it protects the security, privacy and confidentiality of consumers’ non-public information.”