When you link a Twitter account to Friend or Follow, you are asked to grant Friend or Follow certain permissions. Specifically, the Twitter authorization screen says:
This application will be able to:
- Read Tweets from your timeline.
- See who you follow, and follow new people.
- Update your profile.
- Post Tweets for you.
Of particular concern are the bottom two permissions granting Friend or Follow the ability to “Update your profile” and “Post Tweets for you.” Friend or Follow is a contact management application so it stands to reason that we shouldn’t need the ability to update your profile or post tweets for you. In fact we do neither of these things. However, Twitter only provides 3 API permission levels:
- Read Only
- Read, Write
- Read, Write, and Direct Messages
Friend or Follow requires the “Read, Write” permission level in order to provide “Follow” and “Unfollow” buttons, as following and unfollowing are considered “Write” operations. Unfortunately the “Read, Write” permission level includes all other “Write” operations, including updating your profile and tweeting. Fortunately it excludes access to “Direct Messages.”
Some Twitter services make automatic posts to your timeline. We think that sucks. We have never posted or updated your profile on your behalf, and we never will.
Please consider this our official promise to you: We Never Tweet On Your Behalf.
Some folks have asked, “why do you need these permissions now? Your old site didn’t need these permissions.”
Our old site used the Twitter 1.0 API (which is now retired). The 1.0 API did not require that users authenticate to view follower and following data. This is why you could simply type in your username and get results. With the new 1.1 API we have to authenticate with Twitter before we can pull any data.
The “Follow” and “Unfollow” buttons on the old site used a service called Twitter @Anywhere, which Twitter has also retired. That service required “Read, Write” access like our current site. If you used the “Sign in with Twitter” feature to follow and unfollow on our old site, at some point, you granted Friend or Follow “Read, Write” access during the authentication process.
So, what’s changed? Everyone must authenticate with Twitter to use Friend or Follow. We need “Read, Write” permissions to provide a “Follow” and “Unfollow” button. We feel the ability to follow and unfollow directly from Friend or Follow is a central piece of our functionality. So, we request “Read, Write” permissions.