We don’t tend to lump Twitter in the same privacy bracket as, say, Facebook.
(Or Snapchat. Or Google. Or Instagram.)
Why? Well, quite simply, Twitter has largely avoided the sort of self-inflicted wounds that have plagued Facebook and it has generally been quick to respond to privacy and security concerns.
While Facebook has chopped and changed its settings over the years, angering users with furtive and commercially minded privacy and security opt-outs, Twitter has stayed, so far, on the right side of the angry mob.
It was much quicker to offer HTTPS than Facebook in the wake of the Firesheep scandal and while Facebook has completely ignored Do Not Track (DNT), Twitter has supported it for years.
But as with any social network, Twitter is vulnerable to oversharing, data leakage and unintended consequences.
Like Facebook and Google, Twitter is also driven by ad revenue so it’s very interested in what its users are up to when they’re using Twitter and when they aren’t (you did realise that Twitter tracks the websites you visit didn’t you?).
Last week, Twitter came as close as it ever has to a privacy banana skin when it started injecting users’ ‘favourites’ into other people’s news feeds (never mind the fact that everyone’s favourited tweets have always been public for anyone who cared to look).
We thought it was a good time to take a look at Twitter’s security and privacy settings, find out what they really mean, and tell you how to tighten them up.
First things first. You’ll find the privacy settings at twitter.com under the gear icon, then Settings.
Then click Security and privacy over on the menu to the left of your screen.
Twitter’s security settings
The first section is about Security and how you access your Twitter account.
Login verification is set by default to off. Make it harder for an unauthorised person to log in to your account by choosing to receive login verification requests via a text message on your phone or via the Twitter mobile app.
Password reset protection is also set by default to off, meaning that to reset your password you only need to enter your Twitter username.
Check the Require personal information to reset my password box so that two factors are required and, most importantly, so you can avoid reset emails and get a code sent by SMS to your phone instead.
If you have checked the box you’ll be asked to enter your email address or phone number when you reset your password – enter your phone number.
Twitter’s privacy settings
The second section is about how private you choose to make your Twitter account.
As on Facebook, others can tag you in a photo, which on Twitter works just like a ‘mention’ – you get ‘mentioned’ in the uploaded photo.
This is set by default to on, meaning anyone can tag you in a photo. Use the radio buttons to restrict tagging to people you follow back, or disable photo tagging altogether.
By default, Protect my Tweets is off, and anyone on Twitter, all your followers, and anyone searching Google can see your tweets. If you check the box to protect your Tweets, it locks down your visibility. A lot.
It’s not really in the spirit of the whole Twitter thing, but if you do find yourself in a position where you want to communicate through Twitter with just a select group of people, hide all your previous tweets – and future ones – from the rest of the world, and manually accept follow requests – this is the place to do it.
However, it’s all or nothing. So checking the box will also prevent people retweeting anything you say and you can’t share links to your Tweets.
If you choose to keep your tweets public, remember to be very careful about what you write. Anyone can see it, and that means you should never say anything you want to keep private.
Tweet location is set to ‘off’ by default and you have to opt in to use it. You can also specify before you tweet whether you want the location information on or off.
Why would you enable it? Well, sometimes it’s nice to show people where you are, especially if you’re at a poncy art gallery or at a show that anyone who is anyone wants to be at.
But if you’re at home, for example, you wouldn’t really want the world knowing where your house is. And if you’re not at home, well, you’re somewhere else and you wouldn’t want them knowing that either.
Keep locations off – there are too many unintended consequences – and delete all past location information to be on the safe side.
Let others find me by my email address is on by default and enables people who may not know your Twitter handle, but do know your email address, to find you.
Apply the ‘principle of least privilege’ here. If you can think of a really good reason why you want to be discoverable by your email address (we can’t) then switch it on, otherwise turn it off.
Personalization is about tailoring suggestions of which accounts to follow, based on information that Twitter gathers about you around the internet.
Using the cookies sent to Twitter when you see a Tweet button, Twitter can record which sites you’ve visited and use this information to provide a “Twitter experience that’s relevant to you”:
We determine the people you might enjoy following based on your recent visits to websites in the Twitter ecosystem (sites that have integrated Twitter buttons or widgets). Specifically, our feature works by suggesting people who are frequently followed by other Twitter users that visit the same websites.
If you’re based in Europe, this option is greyed out as the feature is not available yet, but if you are part of the Personalization experiment, this setting is on by default.
You can turn it off by unchecking the box next to Tailor Twitter based on my recent website visits.
Ah ha! Here we go – Twitter’s foray into the data collection arena already ruled by the likes of Google and Facebook.
Twitter has ads. These are in the form of paid-for sponsored tweets, Twitter Cards, and promoted accounts. If you want Twitter to “bring you more useful and interesting advertising content”, you won’t uncheck this box.
Twitter has partnered with third party ‘behavioural advertising’ companies (behavioural ads are the ones that follow you around from website to website). If you visit a website that’s in one of those advertisers’ networks then their ads can now follow you on to Twitter too.
The setting Tailor ads based on information shared by ad partners is on by default. Switch it off by unchecking the box.
You can also disable personalization and promoted content by switching on Do Not Track in your browser. As we mentioned, Twitter has been honouring Do Not Track for a long time, and it says in a support article, “When you have DNT enabled in your browser, Twitter would not receive browser-related information from our ads partners for tailoring ads.”
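To make the Do Not Track behaviour described above concrete, here is an added example, written for this article and not Twitter’s own code, of how a server-side ad endpoint can honour the DNT header: when the browser sends DNT: 1, any partner-supplied browsing data (represented here by a constructed ad_partner_id cookie, an assumed name) is discarded before the tailoring decision is made. The header lookup, cookie parser and sample requests are all assumptions constructed for illustration.

```javascript
// Added example (not Twitter's code): honouring the DNT header on the server side.
// Header names are case-insensitive in HTTP, so look them up without regard to case.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value);
  }
  return undefined;
}

// DNT is only "on" for an explicit value of 1. A missing header expresses no
// preference and a value of 0 means the user has consented to tracking.
function dntEnabled(headers) {
  const value = getHeader(headers, 'dnt');
  return value !== undefined && value.trim() === '1';
}

// Minimal Cookie header parser (constructed helper, not a full RFC 6265 parser).
function parseCookies(cookieHeader) {
  const jar = {};
  if (!cookieHeader) return jar;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Decide whether this request may receive tailored ads.
// tailorSetting mirrors the account's "Tailor ads based on information shared
// by ad partners" checkbox. Partner data (the assumed ad_partner_id cookie) is
// dropped entirely when DNT is on, so it cannot influence anything downstream.
function adDecision(request, tailorSetting) {
  const dnt = dntEnabled(request.headers);
  const cookies = parseCookies(getHeader(request.headers, 'cookie'));
  const partnerData = dnt ? null : (cookies['ad_partner_id'] ?? null);
  return {
    dnt,
    partnerData,
    tailored: Boolean(tailorSetting) && !dnt && partnerData !== null,
  };
}

// Constructed sample requests, as a browser with and without DNT would send them.
const SAMPLE_REQUESTS = {
  dntOn:   { headers: { 'DNT': '1', 'Cookie': 'ad_partner_id=abc123; session=xyz' } },
  dntZero: { headers: { 'dnt': '0', 'cookie': 'ad_partner_id=abc123' } },
  noDnt:   { headers: { 'Cookie': 'session=xyz; ad_partner_id=abc123' } },
  noData:  { headers: {} },
};

// Stand-alone run: print the decision for each sample request.
for (const [name, request] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(name, adDecision(request, true));
}
```

The point the example makes is that the DNT check happens before the partner cookie is even read into the decision, so turning DNT on in the browser overrides the account setting rather than merely competing with it; the account-level checkbox remains the only control when the browser sends no DNT header at all.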
You can also throw a spanner in the works of Twitter’s personalisation and promoted content by using anti-tracking browser plugins like Ghostery or Lightbeam.
Hopefully this article helps you to understand what the Twitter privacy and security settings mean, and know what’s on and what’s off by default.
Don’t rely on social networks to have your privacy tuned to your benefit – check them regularly.
If you’re also a Facebook user you should take a look at our 5 Tips to Make Facebook Safer.
7 comments on “How to improve your Twitter security and privacy”
Twitter’s !@#$! 2-factor auth is exactly backwards in its application. Changing passwords is more important to protect account security than using 2FA at login. And besides, if someone is far enough into my account that they can change my password, then they almost certainly also know my email and phone number.
I think you missed something. Anyone who knows your user name (e.g. “blackjackshellac”) could reset your password, without being “into” your account or knowing your email address or phone number.
Actually, they can just ‘request’ a reset of your password. Unless they have access to your email they will never be able to use the link to change the password. Twitter, like all sites, will advise that a reset password email has been sent to the email address registered to the account. So technically, they can’t just access it. But you will see a strange email about your password being reset when you never requested it.
I’ve made the article clearer.
What happens if you tick the box is that you’re offered a choice of having your password reset sent to you by email or phone, when you ask for the reset.
You can sit in a coffee shop with a packet sniffer and often just pluck emails out of the air, including password reset emails from Twitter, so sending the reset via SMS gives you a bit more protection.
Unfortunately emails from Twitter contain enough information – a username and email – to reset your account. If you can hoover up emails from Twitter that aren’t password reset emails you probably still have enough information to trigger a reset via email and then take control of the account.
If your email is through https like gmail, yahoo, or hotmail then it can’t be sniffed in a coffee shop.
Thanks for the security and privacy information
I wish the so-called ‘social’ sites were recognized for what they are, as easy ‘user friendly’ communication and contact tools between friends. They are not, and the idea that they tell you that they are free is not true. I tried earlier playing several ‘game’ apps, and lost interest early, due to constant demands or pressure to upgrade or purchase points to play. At least Words with Friends seemed only to help me with focus, and some interactive skills with friends, but you had to use the free version, with commercials. To stop the disruptive and often loud commercials you had to pay to play. I won’t even pay for that. Scrabble with friends was a favorite, while growing up with others, because it focused on vocabulary. Other games, board games, no tech or specialized tutoring for Core STEM curricula would be nice too, but not on social media.