by oskarth 4476 days ago
This is a cool idea, but can someone explain why this requires the following Twitter permissions?

- Update your profile.

- Post Tweets for you.

- Access your direct messages.

In general I'm at a loss why so many apps require so many permissions. They must lose a ton of customers from this. Anyone care to explain? Is it just a spam app meant to create a botnet or what?

3 comments

Hi, I am a co-founder of RiteTag. Don't worry, we are not a spam bot. But unfortunately, Twitter has only 3 types of permissions:

1) Read

2) Write

3) Direct messages

We cannot go only for Read because we need to allow users to send and schedule tweets via RiteTag. But we do not send anything that the user hasn't manually approved.

Write permission goes automatically with Update your profile even though we don't use it at all. As developers, we cannot select only Posting tweets. That's Twitter's policy. It doesn't make sense for us either.

Lastly, we were playing with direct messages a year ago. We don't need them now and we could turn them off. But in the meantime we got more than 7000 users and if we change the permissions RiteTag would stop working for them until they re-authorize it. This means all the tweets they have scheduled would not be sent.

Here is more info from Twitter, if you are interested: https://dev.twitter.com/docs/application-permission-model

Thank you for your detailed response. I understand that there are technical limitations when it comes to permission, but it still makes me uneasy when I have to give that many permissions to a new app. Maybe it's the granularity at Twitter that is wrong and should be changed, but if there's any way you can ease down on the permissions I think that would be appreciated by many users.
Regarding not wanting to turn off the DM permission in order to avoid a disruption to 7000 users, as the DM permission is a disquieting thing that will prompt complaints as this gains popularity and 7000 isn't that high a number, you might want to just rip the band aid off and get it over with now.
Founder of RiteTag here, and always available @osakasaul in Twitter (Saul Fleischman). FWIW, in regards to 7K users not being a high number, it took us 25 months to get to 7K users. Many signed up well over a year ago. Asking them all to remove permission in Twitter settings and then auth in again, we'd lose so many people who are not used to going into Twitter settings, and would simply go away. But thank you very much for the feedback - and also, a worthwhile opinion on the problem with Twitter permissions.
My thought (as a non techie) is that it's just easier to ask for everything.

Need to use an open source library in building your codebase? No need to analyse everything to see which permissions it does or doesn't impinge upon. Want to add a new feature down the track? No need to consider whether it changes the user permissions.

And I'd be surprised how many people are turned off by the number of permissions - I'll almost always back off if there are any, and if I really want to use the product I have to trust them to do no evil. My guess is an awful lot of people are always living in that trust space, especially if they don't understand the tech.

My thought (as a developer) is that it's just lazier (and worse for the product) to ask for everything. The more permissions you ask for, the fewer users you'll get.

For example, Facebook blatantly recommends that app developers ask for only the bare minimum of permissions on the initial app engagement. They cite numbers showing that click-through rate falls off precipitously once users see more than a few permissions required. They say that you should only ask for more permissions as the user explicitly tries to do something that requires them, for instance, ask for sharing rights only when they click 'Share', not before.

Lots of people are turned off by the number of permissions. Be surprised.

Sure, it's a turn-off. However, people are learning that APIs and social network auth policies confine devs; it's a necessary evil. We're blessed by a plethora of press that evidences people overlooking the Twitter auth thing and signing up nevertheless.
Yup. I think OAuth calls it scope, and it's a list of requested permissions.
After I saw "Access your direct messages." I cancelled my signup & uninstalled the browser extension. That permission is a bit too steep for me.
FWIW, founder here, and let me offer you a personal tour. I'd be happy to screen-share, show you my own RiteTag account, my stats, what I do with RiteTag and hashtags in general. I'm sure our team would benefit from your thoughts. Thanks, in advance.
Sorry to hear that. We don't really use this permission at all. See my explanation above.