2009-05-17
Twitter, Flickr, APIs and Permissions
benw:
From working on Fire Eagle, I’m an advocate for granular control. Pick sensible defaults, and allow users to disable optional parts if they desire. It seems even more important in the case of Twitter, where the impact of abuse is higher.
Take Flickr: If an application asks for read/write access to my photos, that includes private photos and deletion rights. I can’t disable that. I can’t just say ‘this app only accesses public content’.
That’s because Flickr’s API allows access to any public photo without authentication, so that level is implicit in posting your photos. To me, this makes sense: it’s on the web anyway, so if you didn’t allow API access, one could just scrape the data. (It is possible to opt out of API searches, but if I know your photo ID or user ID I can still use API calls.)
From what I understand of Twitter’s API, it’s actually similar: you can fetch any public user’s updates (or the bio of any user) without authentication. It’s only updating, and reading the updates of a private user, that require authentication.
It’s probably a fair point to suggest that Twitter should split these, though. Perhaps Flickr and Twitter should also both offer full-blown API opt-outs (for as much as it pains me as a developer, it’s probably right ethically).
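To make the access model in the comment above concrete, here is an added example (not Fire Eagle, Flickr or Twitter code, and not benw’s) of a hypothetical photo-API authorisation layer. It reproduces the behaviour described: public content is readable with no token at all, the search opt-out hides a user from search but not from a direct fetch by photo ID, and the coarse “read/write” grant bundles private reads and deletion. Alongside it is the granular alternative the comment argues for, where the default token carries write only and private-read and delete must be requested explicitly. The `PhotoStore`, `Scope`, `Token` names and the sample photos are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Scope(str, Enum):
    """Hypothetical scopes; public reads need no scope (they are implicit)."""
    READ_PRIVATE = "read_private"   # read the owner's private photos
    WRITE = "write"                 # upload / edit metadata
    DELETE = "delete"               # destructive, so split out from WRITE


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class Token:
    user_id: str
    scopes: frozenset = field(default_factory=frozenset)


@dataclass
class Photo:
    photo_id: str
    owner_id: str
    public: bool


def coarse_readwrite_token(user_id: str) -> Token:
    """Flickr-style 'read/write': one grant that also covers private reads and deletion."""
    return Token(user_id, frozenset(Scope))


def granular_token(user_id: str, *, private: bool = False, delete: bool = False) -> Token:
    """Sensible default is write-only; the optional parts are off unless asked for."""
    scopes = {Scope.WRITE}
    if private:
        scopes.add(Scope.READ_PRIVATE)
    if delete:
        scopes.add(Scope.DELETE)
    return Token(user_id, frozenset(scopes))


class PhotoStore:
    def __init__(self) -> None:
        # Constructed sample data. "bob" has opted out of API search.
        self.photos = {
            "p1": Photo("p1", "alice", public=True),
            "p2": Photo("p2", "alice", public=False),
            "p3": Photo("p3", "bob", public=True),
        }
        self.search_opted_out = {"bob"}

    @staticmethod
    def _allows(token: Optional[Token], owner_id: str, scope: Scope) -> bool:
        # A scope only counts when the token belongs to the content's owner.
        return token is not None and token.user_id == owner_id and scope in token.scopes

    def _require(self, token: Optional[Token], owner_id: str, scope: Scope) -> None:
        if not self._allows(token, owner_id, scope):
            raise PermissionDenied(f"{scope.value} on {owner_id}'s content")

    def get_photo(self, photo_id: str, token: Optional[Token] = None) -> Photo:
        """Public photos are served unauthenticated; private ones need READ_PRIVATE."""
        photo = self.photos[photo_id]
        if not photo.public:
            self._require(token, photo.owner_id, Scope.READ_PRIVATE)
        return photo

    def search_photos(self, owner_id: str, token: Optional[Token] = None) -> list:
        """The opt-out applies to search only; get_photo() by ID still works."""
        if owner_id in self.search_opted_out:
            return []
        return [p for p in self.photos.values()
                if p.owner_id == owner_id
                and (p.public or self._allows(token, owner_id, Scope.READ_PRIVATE))]

    def delete_photo(self, photo_id: str, token: Optional[Token]) -> bool:
        """Deletion needs its own scope, so a write-only token cannot do it."""
        photo = self.photos[photo_id]
        self._require(token, photo.owner_id, Scope.DELETE)
        del self.photos[photo_id]
        return True
```

The check worth noting is in `_allows`: a scope is only honoured when the token’s subject is the content owner, so an app holding a full read/write token for one user still gets nothing on another user’s private photos. Splitting `DELETE` from `WRITE` is the one-line change that turns the coarse grant into the granular one.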