Below is a mock-up of how I’d like to see Twitter implement fine-grained application permissions.
Take in its beauty, and then I’ll explain …
This image is a mock-up – it is not Twitter, or TweetDeck official. (just covering my back, ok?)
Note the icons on the left, particularly where it states you are granting permission for the developer to access your direct messages and tweet from your account. Does the app you’re accessing need to do perform these actions? If it needs to do one thing, should it be able to do all things? I caused a minor storm when I pointed out that any application you authorize can read your DMs. This is why Twitter (if they want to conquer the mainstream) need to follow in Facebook’s footsteps.
Facebook call this approach ‘extended permissions‘. Currently the Twitter API only supports two access levels: read-only, or read+write. For example: Read access would be required to access your direct messages. Write access would be required to send them from your account.
This access level decision is taken by the developer, not the consumer, and it’s currently very badly expressed to the connecting user via the UI. It’s worth noting that extended permissions are not a part of the OAuth spec itself, rather they are an extra layer on top that is specific to the vendor. Perhaps it should be a part of the spec.
Whether anyone questions an application’s need for write access is an issue in itself, but this is compounded by the fact that write access basically means maximum access. My site TwitBlock needs write access to report spam, but I don’t need (or want) to be able to tweet from your account any time I like.
Note the ‘report this application’ link in the mock-up – Remember Twifficiency? Not the first auto-tweeting app I’ve grumbled about. Regardless of the case specifics, application developers need to be responsible for what their application does.
OAuth means that Twitter can trace any API access back to the application owner, and revoke access. A good start, but it’s not easy [enough] to report a Twitter application. Facebook have a ‘report’ button on connect dialogues and application profile pages. Twitter require you write out a support ticket. How many people know how to get to that page?