How to make #hackgate even easier. Make it a policy.

Several people on Twitter pointed to the new and shiny BBC Social Media Guidelines this week. It is something we have all seen grow up as social media sites have exploded in recent years, and in general the policies are well written and sensible, formulated around the key message – don’t do anything dumb. I agree with that completely. As with many of the guidelines produced by companies, the BBC guidance seems purpose-written for Twitter – showing its increasing power and place as the foremost way of sharing in the ‘crossover’ space between social and professional.

Reading through the guidelines though I was amazed to find this:

f. Make a note of any login names and passwords, and also any other service that you set up to automate the activity (eg: forwards it from Twitter to Facebook). Share those details with members of your team, making sure they are stored safely: if you move to do a different job or are off sick, someone else will have to take over.

Excuse me, BBC? In the very midst of the #hackgate issues, are you making it a policy for BBC staff to share their usernames and passwords with other people? Are you actually mad??

There is obviously a reason behind this, and it is a reason that can be uniquely assigned to Twitter. Facebook does not allow non-sentient beings to have a Facebook identity and tries hard to police this (with differing levels of success). Non-sentient things are generally pushed on to pages, which we humanoids can then follow and comment on – i.e. they don’t have to log in.

Twitter is different. My coffee cup can have a Twitter account and tweet to the world if it so chooses. However, although this is allowed, Twitter makes it incredibly difficult for non-sentient things to tweet by confusing identity, persona, authentication and authorisation into one process – which is why the BBC chooses to make a policy of password sharing. Interestingly, although it allows non-sentient things to tweet, that non-sentient thing essentially has to be able to enter into a binding contract with Twitter – so it does always assume one real person behind each object.

Twitter forces us to authenticate with what is really authorisation information. It confuses the persona I have, @nicoleharris, with my identity as a user logging in, and with the permissions associated with that – i.e. the right to tweet. Obviously that makes perfect sense for me and @nicoleharris – but what about @JISCAdvance, a clear company account? It would be so much better if I could log in to Twitter as a platform and then be associated with multiple Twitter accounts, and also have the right to tweet as @JISCAdvance… but I can’t. It’s made even more confusing by Twitter’s policy that only one Twitter account can be associated with one e-mail address, so I have three Twitter accounts linked to three different e-mails. Administration of these is insane: I have to remember three different sets of passwords, and I can’t let anyone else tweet from them unless I share my password, which is always a uniquely silly thing to do 🙂 So uniquely silly that Twitter’s terms remind you of the importance of safeguarding your password.

Obviously tools like TweetDeck have tried to get around this by providing a more coherent way of managing multiple accounts, but that still does not take away the need to have these separate accounts, or the need to share the credentials for them. Does it matter? Well, yes it does, as it creates confusion of ownership: in reality personnel do not ‘hand over’ their Twitter account as the BBC recommends, but switch to a different, personally controlled account – like this story about Laura Kuenssberg’s move from the BBC to ITV.

So why doesn’t Twitter do it differently? After all, it is hardly difficult to associate one set of credentials with multiple authorisation events in different places. Well, I’ve already mentioned one reason – they want a binding contract that puts the responsibility for each tweet on an individual, which makes life so much easier than getting into an argument about ‘who sent that tweet?’. Of course, with the number of hacks and shared passwords the waters are already muddy, but essentially whoever registered the account is responsible. I’m not sure if this explains the weird one e-mail – one Twitter account policy, but there you are.

Secondly, it’s an OAuth thing. Whilst OAuth offers some really great ways of allowing applications to do fun and interesting things by granting them limited access to an account, it is a binding between the authentication process and an authorisation permission (I won’t get into the fact that this is often badly implemented, so inappropriate read and write authorisations are forced on the user when not necessary; that’s another story). Having multiple accounts assigned to one authentication process would make it difficult to grant an OAuth authorisation to one of these accounts but not the other. So whilst OAuth gives us a good and secure way of authorising apps to write to our account in the current model, it means we don’t have a useful and secure way to give other people simple and secure access to our accounts.
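To make the distinction concrete, here is a toy model of the separated design the post wishes for. It is added here as an illustration and is not code from Twitter, the BBC or any real client; the class names, the permission strings and the accounts used in demo() are constructed for the example. One identity authenticates once with its own credential; grants map an identity to a persona with named permissions; and an app token is scoped to a single persona and to the person who delegated it. The demo walks through the BBC hand-over case: the colleague tweets as @JISCAdvance without ever holding a password, cannot tweet as @nicoleharris, cannot widen their own rights, and when their grant is revoked the app token they issued dies with it.

```python
import hashlib, hmac, os, secrets

PERMISSIONS = {"tweet", "manage_grants"}  # assumption: a minimal permission set

class AuthError(Exception):
    """Authentication failed or a permission is missing."""

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Platform:
    def __init__(self):
        self.creds = {}       # e-mail -> (salt, hash): one credential per person
        self.grants = {}      # handle -> {e-mail: set of permissions}: who may do what, as whom
        self.posts = []       # (handle, actor, text)
        self.sessions = {}    # session token -> e-mail
        self.app_tokens = {}  # app token -> (e-mail, handle, frozenset of permissions)

    # Authentication establishes who is at the keyboard, nothing more.
    def register(self, email, password):
        salt = os.urandom(16)
        self.creds[email] = (salt, _hash(password, salt))

    def login(self, email, password):
        salt, stored = self.creds.get(email, (b"", b""))
        if not hmac.compare_digest(_hash(password, salt), stored):
            raise AuthError("bad credentials")
        token = secrets.token_urlsafe(16)
        self.sessions[token] = email
        return token

    # Authorisation checks a live grant for (identity, persona, permission).
    def _require(self, email, handle, perm):
        if perm not in self.grants.get(handle, {}).get(email, set()):
            raise AuthError(f"{email} lacks {perm!r} on @{handle}")
        return email

    def create_persona(self, session, handle):
        if session not in self.sessions:
            raise AuthError("not logged in")
        self.grants[handle] = {self.sessions[session]: set(PERMISSIONS)}  # creator owns it outright

    def grant(self, session, handle, grantee, perms):
        # Delegate a subset of rights to a colleague; no password changes hands.
        self._require(self.sessions.get(session), handle, "manage_grants")
        self.grants[handle][grantee] = set(perms) & PERMISSIONS

    def revoke(self, session, handle, grantee):
        self._require(self.sessions.get(session), handle, "manage_grants")
        self.grants[handle].pop(grantee, None)

    def tweet(self, session, handle, text):
        email = self._require(self.sessions.get(session), handle, "tweet")
        self.posts.append((handle, email, text))

    # OAuth-style delegation: the token is bound to one persona and to its delegator.
    def authorise_app(self, session, handle, perms):
        email = self.sessions.get(session)
        if not set(perms) <= self.grants.get(handle, {}).get(email, set()):
            raise AuthError("cannot delegate more than you hold")
        token = secrets.token_urlsafe(16)
        self.app_tokens[token] = (email, handle, frozenset(perms))
        return token

    def app_tweet(self, app_token, handle, text):
        email, bound, perms = self.app_tokens.get(app_token, (None, None, frozenset()))
        if bound != handle or "tweet" not in perms:
            raise AuthError("token not scoped for this persona or permission")
        self._require(email, handle, "tweet")  # live check: revoking the person revokes the app
        self.posts.append((handle, f"app:{email}", text))

def attempt(fn):
    try:
        fn()
        return "allowed"
    except AuthError:
        return "denied"

def demo():
    """The BBC hand-over scenario with constructed accounts; returns what was allowed."""
    p = Platform()
    p.register("nicole@example.org", "correct horse")  # one e-mail, one password ...
    p.register("colleague@example.org", "battery staple")
    nicole = p.login("nicole@example.org", "correct horse")
    p.create_persona(nicole, "nicoleharris")  # ... two personas
    p.create_persona(nicole, "JISCAdvance")
    p.grant(nicole, "JISCAdvance", "colleague@example.org", {"tweet"})
    colleague = p.login("colleague@example.org", "battery staple")
    p.tweet(colleague, "JISCAdvance", "posting for the team")
    app = p.authorise_app(colleague, "JISCAdvance", {"tweet"})
    p.app_tweet(app, "JISCAdvance", "scheduled post via an app")
    results = {"colleague_as_personal": attempt(lambda: p.tweet(colleague, "nicoleharris", "x"))}
    results["app_as_personal"] = attempt(lambda: p.app_tweet(app, "nicoleharris", "x"))
    results["colleague_regrants"] = attempt(lambda: p.grant(colleague, "JISCAdvance", "x@example.org", {"tweet"}))
    p.revoke(nicole, "JISCAdvance", "colleague@example.org")  # the colleague moves job
    results["app_after_revoke"] = attempt(lambda: p.app_tweet(app, "JISCAdvance", "x"))
    results["team_tweets"] = sum(1 for handle, _, _ in p.posts if handle == "JISCAdvance")
    return results
```

Two design choices carry the weight here: the app token is re-checked against the live grant every time it is used, not only when it is issued, and a grantee can only delegate permissions they actually hold, so delegation cannot widen over time. A shared password gives you neither property: it is all-or-nothing, it is indistinguishable from the owner in any audit trail, and it survives until somebody remembers to change it.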

Oh well, can someone pass me some post-it notes?

1 thought on “How to make #hackgate even easier. Make it a policy.”

  1. dkernohan

    Just regarding multiple twitter accounts and one email address, there is a way around this using gmail.

    Emails of the form youruserid+somethingelse@gmail.com are delivered to your regular GMail inbox, but Twitter reads it as a different address to youruserid@gmail.com.

    Couple that with multiple log-ins via something like TweetDeck (on desktop and mobile) and you can have merry Twitter conversations with yourself to your heart’s content.
