Beware of invitations to “connect” Twitter and Facebook accounts to other web services

Published by in games, geocaching, socialnetworking, travel, web 2.0 on October 15th, 2009

If you’re a Twitter user, chances are fairly good you’ve seen at least one message in the past month (or maybe lots more) inviting you join someone’s “Mafia family.”

Twitter spam - thanks to Facebook?

What are these strange and unwanted messages? According to Kern Kelly, who I visited with this evening following the ACTEM 09 banquet, some messages like this begin when people authorize “an application” or other website / web service to have access to a Facebook or Twitter account. When you grant that access, in the case of Facebook, generally you provide the requesting website with access to not only ALL your personal information shared on Facebook but also the personal information of all your identified “friends.” In September 2007, I wrote the post “Beware of Quechup Spam Scam,” which focused on a similar issue when a website asked for access to webmail contacts via Yahoo Mail, GMail, etc.

BE VERY WARY of requests like these to grant access to your personal accounts, profile information, and friends’ information! Now that so many people are using sites like Facebook, and applications are proliferating with amazing speed (Farmville, as an example, has over 59 million “monthly active users”) this issue is becoming even more important. Just as family members, children, co-workers and others in our communities need to be saavy to the risks of phishing emails, we all need to be saavy to the danger of granting account access. We may be inviting our contacts and friends to receive spam messages, sent from us and our own accounts. No one needs more spam!

In addition to avoiding situations where you unknowingly send spam to friends and contacts, it’s also wise to be wary of sharing account information because you may not want your social media “lifestream” to by coopted or hijacked by a commercial web application or service.* Whether you have thousands of followers / friends or a few, a lot of companies would LOVE for you to help them advertise their product or service by granting them permission to USE and POST TO your Facebook or Twitter accounts. Don’t fall for this ploy.

This evening, thanks to a comment related to geocaching by John Weidner, I learned about the social geo-sharing website Gowalla. Similar in some ways to geocaching and geocaching.com, Gowalla is an online game powered by an iPhone application that encourages player participants to “go out,” discover and share.

Go out. Go discover. Go share. Gowalla.

Gowalla for iPhone

In addition to defining new places for other Gowalla users to visit and get “stamped” in their virtual passport, the program also lets users take and create “tours” of multiple stops related to a theme or location.

Trips available on Gowalla

This is a tour of the Texas capitol, with six different recommended stops. Gowalla’s developers are based in Austin, so that likely accounts for the larger number Austin-area entries and “trips” at this point.

Tour the Texas Capitol with Gowalla

The application looks fun and engaging, but here’s the personal information / potential lifestream cooptation danger: After signing up the website and iPhone application prompts users to grant its owners access to your Twitter and Facebook accounts. At this point, as information-saavy learners, we should all see a warning flag.

Allow Gowalla access to my Twitter? I don't think so...

Do I really want to connect Facebook to Gowalla? I don't think so...

I have not received any spam Twitter direct messages or email from the Gowalla site owners or from its users, but the potential exists WHENEVER we share our account access that site/application owners might use our information in undesirable ways. At a minimum, we should recognize and be wary of applications like these posting updates to our accounts, because each posted message is a free advertisement for that website or service. This method/technique is actually a very saavy use of social media technologies, and I’m not discouraging anyone from checking out Gowalla and giving it a try. I’m going to. I’m not, however, granting the site access to my Facebook and Twitter accounts, and I think its advisable that everyone be wary before granting “access permissions” like this.

* Lifestreamblog.com defines “lifestream” as:

…a chronological aggregated view of your life activities both online and offline. It is only limited by the content and sources that you use to define it.

Friendfeed is a lifestream service I use and like. A lifestream plugin for WordPress is available, which has the advantage of saving your lifestream data locally (on your webserver) so you can archive and utilize that information even if a service like Friendfeed goes away at some point.

Technorati Tags:
, , , , , , , , , , , , , ,

On this day..

2 Comments »
  • http://www.studystack.com John Weidner

    In my opinion there are two very different scenarios regarding entering your password for facebook (or twitter or google or any other site).

    In the first scenario, a site prompts you to enter your username and password for some other site and they promises to do something for you. Maybe they ask for your google mail username and password and they say that they will import all your email contacts. But if you give them your username and password, they could technically use it for whatever they want until you change your password (unless they change your password first). This is like giving someone your username and password. You might give your username and password to someone you completely trust, such as your spouse; but you wouldn’t give it out to someone you just met. Same thing should go with sites you’ve just discovered. If you have done this you should consider changing your password as soon as you’ve finished using that site so that the site can no longer access your account.

    In the second scenario, a site asks another site to authenticate who you are. Examples would be sites that use Facebook Connect or OpenID. When you use Facebook Connect, you are not giving the site your username and password, you are only giving it to Facebook. Facebook in turn gives the site a “pass” that the other site can use to access some of Facebook’s services. The difference here is that Facebook is still in control over what the site can do. Facebook allows you to set up permissions as to what you are going to allow the site to do with its “pass”. Facebook also only allows them to use that pass during your current Facebook session. Once you’ve logged out, the site can no longer access your Facebook information.

    So how do you tell the difference between these two scenarios? The answer is in the URL displayed by the browser for the window that you are entering your username and password. Is the URL for a site that you trust with your data? Since you trusted Facebook enough to enter details about your personal life, you should feel okay about telling Facebook your username and password – facebook already knows your username and password, your just letting them know who you are. But if the URL is for some site you just “met”, you might want to wait until you’ve developed a trust with them.

  • http://www.gowalla.com Jon Carroll

    Hey there! Thanks for giving Gowalla a look. We’d love to hear your thoughts about it, and you can share them with us at the email given for this comment.

    A note on integration of FB Connect and Twitter, as it relates to Gowalla. The explanation above in the second scenario is fairly good, particularly pointing out that, especially with Facebook, you are using Facebook’s standard for integrating their social media into our app. That pop-up you have picture is required by FB Connect, you can see it right there in the URL, and we’re using it in the way they recommend, that they are hoping for in fact: Allowing you from inside the app to connect and share with your existing Facebook friends. In Gowalla, there is an enormous social aspect to the app, finding your friends, sending them completely voluntary messages, seeing who’s where, sharing new places to go and things to do. It’s one of the biggest facets of the app, in fact, the social media part. We are not trying to build a new social network, though, and using the appropriate integration of FB Connect to allow you to quickly find your existing friends is a big plus, and it’s also why Facebook developed FB Connect, for companies like Alamofire to not have to recreate the wheel when you want to use our service (which relies on social networks but is not itself a social network) and then invite your friends and have them along for the fun.

    Clearly there are spamming services out there, services that auto-post or tweet often after you sync your Twitter information. We’ve all been bombarded by the mandatory friend requests that some games on the Facebook platform make you send before you can install the game. Gowalla is in no way like that, however, and the integration of Twitter and Facebook is for your benefit solely, to be able to quickly find your friends on existing social networks and share cool things with them. We never take over your Twitter status updates with spam, we don’t auto-push anything to your Facebook feed, and we don’t robo-harvest your friend information to privately spam them later. Every push to a Facebook feed or Twitter status that involves Gowalla is done when a user toggles a tab in the app and says, please push this to my existing social network. And it must be done every time. We hate spam as much as the next person, if not more. We’d love for you to tweet about Gowalla on Twitter, or share it with friends on Facebook, but we sure don’t want a million robo-tweets about Gowalla going out into the interwebs for friendly folks everywhere to be bombarded with spam that they not only don’t want, but more importantly, which the original user/sender did not intend to send.

    Hope that helps. If you’re on Facebook, I would highly recommend giving it a whirl on Gowalla. It’s a wonderful integration of FB Connect, and it’s totally up to you to figure out how it would benefit your overall app usage. We think it really adds to the service, but again, it’s all up to you, to install it, to decide what if anything to push, and you can rest assured, we’re not pushing spam out behind your back. Cos that blows.

    We can’t wait to see how you Gowalla!

© Creative Commons License