Archive for August 18, 2010
Twifficiency, OAuth and You
Aug 18th
Yesterday there was a little Twitter drama centred around a site created by a young web developer who goes by the name of @jamescun. He built a website that rates your efficiency on the social network Twitter. It’s one of those “Who’s the best at Twitter?” things that people want to be top of without really understanding, or caring, what that might actually mean. Twifficiency.com is a measure of ‘mechanical efficiency’, a ratio of how much you put in compared to how much you take out. This has the advantage that it’s not a simple measure of how much you tweet or how many followers you have, so, in theory at least, anyone can “win”. That’s great. It’s a good way to get people interested.
Following its wildfire-like spread across the UK side of Twitter, many people came out in praise of it. As I understand it, James has received web development job offers on the back of it. That’s pretty awesome. James clearly has some coding ability. What he did was admirable in many respects. Getting your website trending is the ambition of many Twitter API users.
However, that’s not to say what he did was right. The problem with the site, and the reason it spread so quickly, was that it tweeted from your account when you authorised it using Twitter’s OAuth API without telling you it was going to. That’s essentially spamming the user’s timeline. What’s more, it’s against the API terms and conditions (Part 2, “Principles”; Section 1 “Don’t surprise the user”; Point b “get the user’s permission before sending Tweets”). Had Twitter wanted to they could have revoked James’ API key on that point. James went on to correct that later in the day.
This highlights, for me, a basic problem with OAuth, and in particular the user’s understanding of what it means. Once you authorise a service using Twitter’s OAuth provider, the owner of that service has pretty much free rein over your Twitter account. The service can post tweets. The service can send Direct Messages. The service can add and remove followers. All this can be done relatively easily, and at any time after you authorise the service. Twitter’s OAuth tokens never expire. Did you sign up to a service a year ago, and forget about it? There is nothing stopping that service spamming your followers today except the owner’s morals.
To that end I tweeted that people who have used Twifficiency.com should pop into their Twitter.com account settings and revoke its access (my tweet). I think it hit a nerve. It was retweeted more than 600 times. It drew some attention from James’ admirers too. I’ve had lots of replies telling me that what James made wasn’t any danger, it wasn’t spamming, and that it’s perfectly safe. I know all that. I wasn’t accusing James of any nefarious intent. I was simply advocating good Twitter security – don’t give anyone access to your account without good reason, and if you do in order to give something a try, remember to revoke that access afterwards. Otherwise you might inadvertently hand your account over to someone who’s less upstanding than James.
As for my Twifficiency rating, it stands at 33%. To be honest, I would have thought it’d have been much, much lower.