Unintended Consequences: Or How I Accidentally Started a Twibbon Campaign

Recently I had a heart-stopping experience with a good service that uses Twitter’s OAuth to authenticate users. I do not blame the service, which I’ll name in a bit, and fully accept responsibility for my actions. However, this is a cautionary tale that is a bit humorous at my expense; so it’s perfect for this venue!

The service I’m specifically referring to is twibbon.com – a web application that makes it easy to add a “ribbon” supporting a cause to one’s Twitter avatar. You may have seen the Twitter avatars sporting a “Live Strong” or “No IE6” or other visual tag in support of a given cause. It’s a cool service that allows Twitter users to show support or affiliation with a cause they support or identify with. The service also provides statistics and other related services for campaigns. Twibbon also sends posts to Twitter in the OAuth’ed user’s name when a campaign is created.

Here’s where the funny/cautionary part starts.

One day I was playing around with twibbon as I was curious as to how the service works. There is a very helpful tutorial explaining how to create an overlay image (the “twibbon”). I decided to try my hand at creating a twibbon and followed the tutorial. Now, please know I have no design ability at all — I’m a former application developer, not a designer. So, I needed a small image as the twibbon and I grabbed an available image in my Mac’s Pictures folder.

Thank goodness it wasn’t THAT other image I used! (You know about “THAT” image — you surely have one in your Pictures folder. Wink wink, nudge, nudge, say no more, say no more [Happy 40th, Monty Python, btw!]).

As I scaled the logo of my company to fit in the lower right of the overlay I wanted to see what it looked like applied to my avatar.

Here is where I nearly had a heart attack.

When creating a “campaign” – which is what I was essentially doing – the default option is to publicly announce the campaign via one’s account on Twitter. Now, that’s the DEFAULT action, but this is clearly (well, maybe it could be more prominent) explained in text under the “Create Twibbon Now!” button and there is a (small) check box allowing one to opt-out of publicizing the twibbon at this step. However, I missed these nuances when I clicked the big, blue “Create Twibbon Now!” button.

Here’s a screen shot of the Twibbon creation page – I’ve marked it with Skitch to show some of the above features:

Screenshot of Create a New Twibbon page with my markups

So, using the above form I filled in some text around the company logo I selected, haphazardly, to test the service. I also failed to uncheck the “Enable Cause” checkbox. So, moments after I clicked “Create Twibbon Now” the following Tweet appeared in my timeline:

Eek! I didn't mean to do that!

I froze when I saw this had happened! I had no intention of making a public campaign in “support” of my company (after all, we’re about supporting others, so it’s a bit ironic). However, within a couple minutes of this unintended action several people with my company started joining the campaign and putting our company logo on their Twitter avatar.

Lesson: There is no undo on Twitter.

Had I used “THAT” image this would have been far worse. I got lucky. Still, I intended to contact the individuals within my company about my mistake but it was too late. Especially when this Twitter user added the logo to his own Twitter avatar:

Scobleizer

Lesson: When you grant a service permission to act on your behalf, it will, and you will be responsible.

While my accident turned out to not be the end of the world (or my career at Rackspace!) it could have been worse had I had a bit more mischievous mindset when using Twibbon that day. Yikes.

Recommendation to Twitter OAuth applications: make the defaults more foolproof – that is, make me opt-in to do something like send DMs, follow, unfollow, favorite, change avatars, or, heaven forbid, TWEET. At least the first time.

One company that understands the need for this caution is Peoplebrowsr — after suggesting a “learning mode” when getting a demonstration of this useful service they implemented it. Now, one can learn to use the rich features of Peoplebrowsr and, with learning mode enabled, be assured that there will not be an accidental tweet sent to the unforgetting real-time web without at least a confirmation.
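To make the opt-in recommendation and the "learning mode" idea concrete, here is an added sketch of a server-side consent gate. It is not code from Twibbon, Peoplebrowsr or Twitter; the class, the form field names (`announce`, `confirm_tweet`) and the handler are hypothetical.

```python
from dataclasses import dataclass, field

# Write actions named in the recommendation above; anything else is treated as read-only.
WRITE_ACTIONS = {"tweet", "send_dm", "follow", "unfollow", "favorite", "change_avatar"}


@dataclass
class ConsentGate:
    """Decides whether an app may act in the user's name (hypothetical design)."""
    learning_mode: bool = False                   # when True, every write needs confirmation
    confirmed: set = field(default_factory=set)   # (user, action) pairs confirmed at least once

    def decide(self, user, action, opted_in=False, confirmed_now=False):
        """Return 'allow', 'skip' or 'confirm' for one requested action."""
        if action not in WRITE_ACTIONS:
            return "allow"                        # reads do not speak for the user
        if not opted_in:
            return "skip"                         # default is off: no tick, no write
        first_time = (user, action) not in self.confirmed
        if (first_time or self.learning_mode) and not confirmed_now:
            return "confirm"                      # show the exact text and ask before sending
        self.confirmed.add((user, action))
        return "allow"


def create_campaign(gate, user, form):
    """Constructed handler: always creates the campaign, announces it only with consent."""
    decision = gate.decide(
        user, "tweet",
        opted_in=form.get("announce") == "on",    # an absent field counts as 'no'
        confirmed_now=form.get("confirm_tweet") == "yes",
    )
    return {"campaign_created": True, "tweet": decision}
```

With this gate, clicking the big button without touching any checkbox creates the campaign but sends nothing, and the first announcement always goes through a confirmation step.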

Finally: if you are a Racker and use the Rackspace or RackCloud Twibbons on your avatar, please remember you’re tying your tweets to a company’s brand. This may not necessarily work to everyone’s benefit – especially for those 2AM tweets common among young professionals. *Cough*
