The 'Sign In with Twitter' Button: How Does It Compare to Its Facebook Counterpart?
Last week, we talked about the 'Log In with Facebook' button. Today, we'd like to take a look at the convenience and potential consequences of signing in to websites and apps using accounts at another big social network – Twitter. We'll see how the two options stack up, we'll discuss a few technical details, and we'll also see what can and can't happen when you use the 'Sign In with Twitter' button.
OpenID and OAuth
The option of logging into third-party websites and apps with your social media accounts is made possible by an open source protocol called OpenID. With it, Facebook and Twitter check whether you have an account with them, and they "tell" the third-party app that you are who you say you are.
That's not all, though. As we established last week, some apps and websites aren't satisfied with knowing that you have a social media account. They also want access to more information about you, and in the case of Twitter, it could be quite a lot, as we'll learn in a minute. Another protocol called OAuth asks you whether you'll allow this data to be handed over to the third-party app, and if you agree, it facilitates the transfer.
In other words, as the names of the protocols would suggest, OpenID is about identification, and OAuth is about authorization. Both Facebook and Twitter use a combination of the two protocols. What's the difference, then?
Signing in with Facebook vs. signing in with Twitter
With Facebook, third-party apps can ask for access to 40 different classes of information, including your name, email address, friends list, photos, posts, events, etc.
Twitter, it seems, is even more open-minded with the access third-party apps get to users' accounts. According to Twitter's own documentation, there are three permission models:
- Read only: With this, the app or website can read your tweets, retweets, and your profile information.
- Read and write: In addition to reading your home timeline, this set of permissions gives apps the ability to tweet on your behalf, follow other users, and even change elements of your profile information.
- Read, write and access Direct Messages: This one is perhaps the most shocking. In addition to reading your data and posting tweets on your behalf, apps with this set of permissions can also read and send direct messages on your behalf.
Additionally, some apps and websites may ask for your email address.
How do Facebook and Twitter monitor what different apps do?
In theory, Facebook has a strict policy. If you're an app developer and you want to collect more than the name and the email of a user through the "Log In with Facebook" button, Mark Zuckerberg's people will first need to review your app before you're allowed to get the data. As the tens of millions of users whose information was harvested during Cambridge Analytica's data mining operation can testify, however, the reviewing process might not be as thorough as it should be.
Twitter's scrutiny is a bit of a gray area. There's not much information in their own documentation, though we have seen people saying that apps with over 1 million users are monitored closely. There's a Help article saying that you should be careful with the third-party apps connected to your account. In other words, Twitter is putting a lot of trust in the users' diligence.
What can you do to control the apps and their permissions?
Both Facebook and Twitter provide users with a relatively easy way of managing the apps and websites connected to their profiles. If you know where to look, that is.
Facebook users need to open their settings and go to the Apps and Websites tab. In there, they can see all the apps connected to their profiles, and they can also see what sort of information these apps can access. There is a certain level of control as well. If they no longer want to share their email with a certain website, for example, they can revoke access to this particular piece of information. They can, of course, remove the app altogether as well.
Twitter users can view and revoke the third-party products connected to their accounts through the Apps tab in the Settings and Privacy menu. Unlike Facebook, Twitter doesn't allow you to remove specific permissions. If you don't feel comfortable sharing information with a certain website or app, you can remove it. In fact, you must remove it, and the same goes for apps you no longer use.
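The audit below is an added example, not code from Twitter or from this article: it maps the three permission models described above to what each one allows, then lists the connected apps worth removing because they are idle or hold more access than their purpose needs. The app names, capability labels, dates, and 90-day idle threshold are constructed assumptions.

```python
from datetime import date

# Capabilities granted by each Twitter permission level, as described above.
# The short capability labels are this example's own wording.
READ = {"read tweets", "read profile"}
WRITE = READ | {"tweet", "follow", "edit profile"}
DM = WRITE | {"read DMs", "send DMs"}
LEVELS = {"read": READ, "read-write": WRITE, "read-write-dm": DM}

# Constructed sample inventory (hypothetical apps, not real data):
# name, granted level, what the user actually needs from the app, last use.
SAMPLE_APPS = [
    {"name": "stats-dashboard", "level": "read-write", "needs": {"read tweets"}, "last_used": date(2018, 5, 1)},
    {"name": "scheduler", "level": "read-write", "needs": {"tweet"}, "last_used": date(2018, 5, 20)},
    {"name": "old-quiz", "level": "read", "needs": {"read profile"}, "last_used": date(2017, 1, 3)},
    {"name": "inbox-helper", "level": "read-write-dm", "needs": {"read DMs", "send DMs"}, "last_used": date(2018, 5, 28)},
]

def audit(apps, today, max_idle_days=90):
    """Return {app name: [reasons to revoke]} for apps that should be removed."""
    findings = {}
    for app in apps:
        granted = LEVELS[app["level"]]
        reasons = []
        idle = (today - app["last_used"]).days
        if idle > max_idle_days:
            reasons.append(f"unused for {idle} days")
        # Smallest level that still covers the need; anything above it is excess.
        minimal = min((caps for caps in LEVELS.values() if app["needs"] <= caps), key=len)
        excess = granted - minimal
        if excess:
            # Twitter offers no per-permission removal, so excess means revoke.
            reasons.append("excess access if the app is compromised: " + ", ".join(sorted(excess)))
        if reasons:
            findings[app["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_APPS, date(2018, 6, 1)).items():
        print(f"revoke {name}: " + "; ".join(reasons))
```
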
What happens when things go wrong?
In March 2017, someone managed to hack an application called Twitter Counter, which apparently had Read and Write permissions on a number of prominent accounts with thousands of followers. As a result, a wave of Nazi spam tweets came out of the Twitter feeds of BBC North America, Amnesty International, Forbes, The European Parliament, and many more.
And you know what the worst part is? This was Twitter Counter's second hack in the span of a few months.
There are other potential problems with sharing the information from your social media profile with a third-party app. Twitter and Facebook will hand over that information, but the third-party website or app needs to store it in some way. The way it's stored and the level of access people have to it are unknown in most cases.
There's not much evidence to suggest that the "Sign In with Twitter" button is any better than its "Log In with Facebook" counterpart. The convenience factor still stands. It is easier to start using a service or a website without spending precious minutes filling out a registration form. As we noted last week, however, filling out this form could take seconds.