Twitter’s Tip Jar Privacy Fiasco Was Entirely Avoidable
On Thursday, Twitter continued its grand tradition of embracing features users had unofficially pioneered (see also: the @-reply, the retweet, the hashtag) by instituting a Tip Jar. Enjoy someone’s tweet? Send them some money straight from the app, via the online payment processor of their choice. Simple enough. And yet, predictably, not so simple, especially for those who value their anonymity online.
Within a few hours of Twitter’s Tip Jar announcement, security researcher Rachel Tobac found an unfortunate wrinkle: Sending someone money via PayPal revealed to them her home address. Not long after, former Federal Trade Commission chief technologist Ashkan Soltani discovered that using PayPal for the Tip Jar could reveal a user’s email address, even if no transaction took place.
You’ve likely picked up on PayPal as the common thread here. To be clear, there are ways to send and receive money through that service, including through the Twitter Tip Jar, that do not give away your home or email address. But that makes it all the more disappointing that no one at Twitter thought to head those obvious issues off at the pass.
“Twitter users have come to learn that they can be anonymous on Twitter—it’s a platform that doesn’t require your real name and encourages more potentially anonymous interactions than other social media sites,” says Tobac, cofounder of SocialProof Security. “For that reason, there are many more vulnerable populations that use Twitter to anonymously communicate with others, rather than other platforms.”
But because the Tip Jar simply bounces you to a third-party payment platform—in addition to PayPal, it supports Venmo, Cash App, Patreon, and Bandcamp—you’re suddenly playing by different rules. Twitter notifies users that the transactions happen elsewhere, but without conveying the full implications of what that might mean, and what you might reveal about yourself along the way.
In the case of PayPal, payments are made by default through what the company calls the “Goods and Services” workflow, which is designed for items that go in the mail—and therefore have a home address attached to them. Navigating to a more privacy-accommodating choice in PayPal isn’t especially intuitive. You need to tap on a small arrow next to where it says “Paying for an item or service,” and select “Sending to a friend” instead.
Are Twitter micro-celebrities your friends? Are good tweets a service? Fine philosophical queries! But also an easy source of confusion if you’re just trying to send a few bucks to someone you follow online without letting them know where you live. The email issue discovered by Soltani, meanwhile, applies to people who are trying to get paid: If you don’t have a user name on PayPal, the service displays your email address by default.
A Twitter spokesperson said that the company would update its in-app notification to clarify that the payment platforms it looped in for the Tip Jar “may share information about people sending tips to one another.” Twitter product lead Kayvan Beykpour tweeted “this is a good catch, thank you” in a reply to Tobac calling out the home address concern. “We can’t control the revealing of the address on Paypal’s side but we will add a warning for people giving tips via Paypal so that they are aware of this.”
As well-intentioned as a Tip Jar may be, Twitter’s users shouldn’t be the ones making those catches. It’s the sort of thing that Twitter should have caught itself, especially given how many users prioritize anonymity.
“I don’t think this is simply an issue of adequate disclosure, but instead of poor design and testing,” says Soltani. “Lots of folks prefer to keep their ‘real world’ identities private for a variety of reasons—safety, liability, persecution—particularly when they can be persecuted for their views on Twitter,” as can happen in authoritarian regimes. “You would think for a company like Twitter, who is under order with the FTC for failures related to data security, they would be mindful of these types of privacy and security risks when they release new features.” Twitter accepted a 20-year consent decree with the FTC in 2011 that bars it from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information.”