Twitter: 4 Lessons to Learn about Marketing & Privacy

Last week (along with all other Twitter users) I received Twitter’s “Update: Twitter Apps and You” email. It announced:

“Over the coming weeks, we will be making two important updates that will impact how you interact with Twitter Applications”, namely 1) the anticipated mandatory use of OAuth for 3rd-party application user verification and 2) the expanded use of Twitter’s link shortener as a default standard for Twitter messages.

Most of what they announced was anticipated, but their email, while informative, raised an interesting point about user privacy and was a great example of how not to get out “the message”. Here are four thoughts and lessons that I think Twitter needs to understand, all important to me in judging their progress transitioning from a disruptive startup to a viable long-term business.

1. Twitter doesn’t know how to, or can’t, reach its audience efficiently.

I manage a number of different Twitter accounts and would have expected to receive all of the emailed updates within a relatively short period of time. Sure, they have over a hundred million users, but it took a surprisingly long time for all my accounts to be notified by email (through Sept. 4th) for an announcement that was effective August 31st and partially posted on their blog site on August 30th.

Lesson #1: Announce upcoming updates before, not after, they have occurred.

2. “There are over 250,000 applications built using the Twitter API.”

This statement in the email really got my attention – 250,000 apps is a huge number. But it begs the question “really?” I’ve searched around and can’t find any verification of the number, or a list of more than a couple thousand apps (, lists less than 2,000 leading apps and Twitter’s own “Top Ten Twitter Apps” shows at #1 with 78% user share and UberTwitter at #10 with only 2%, leading one to conclude that there might be just a few “dead” apps lying around there somewhere). Additionally, I’d be very interested in the selection process used when they listed the following examples (especially if I were a Twitter app developer with competing applications):

“applications like TweetDeck, Seesmic, or EchoFon, websites such as TweetMeme, fflick, or Topsy, or mobile applications such as Twitter for iPhone, Twitter for Blackberry, or Foursquare.”

Lesson #2: If you throw out a really big number, people will want to know more. Don’t keep them guessing.

3. Twitter doesn’t understand how contradictions lead to confusion.

From a pure “information” perspective, the email was a bit confusing with some odd contradictory statements.

Example A: Their opening statement “Over the coming weeks, we will be making two important updates that will impact how you interact with Twitter applications” is a bit confusing given that:

1) Their new OAuth policy had already been put into effect as of August 31st, as they stated in their August 30th blog post: Twitter Applications and OAuth (interestingly hosted by Google’s site), and

2) the expanded use of their link shortener directly involves their own website as well (interestingly, Twitter counts their own website as an application, something I doubt most users do, especially when you take into account the listing of applications in Item 2 above doesn’t include their website).

Example B: The first sentence of their explanation of OAuth (which is probably now, and forever, a meaningless word to 90% of their user base) states that it allows 3rd-party applications to access your Twitter account “without asking you directly for your password”. Humorously, the next sentence goes on to state that “applications may ask for your password”. Granted, they may ask only once, but they could have phrased it differently, such as (my wording):

“OAuth is an authentication technology that requires you to provide your Twitter password only once in order to authorize a 3rd-party application to access your Twitter account. You will not be required to enter your password again for that application. Further, the 3rd-party application cannot store your Twitter password, providing you with an added layer of security (you can even change your Twitter password if you like without having to provide it again to the application).”

Ironically, their August 30th blog post (listed above) does a much better job at explaining how OAuth will work than their email did – too bad they didn’t link to it in their email, or, better yet, use the same text.

Lesson #3: Consistency of message (especially across multiple sources) is critical to credibility.

4. Twitter tracks the links you click, in public or private messages, in any 3rd-party app.

This is probably the most significant point of the entire email update. For a while now, Twitter has been testing its own link shortener to shorten/wrap long URLs in private Direct Messages sent between users via their website (transparently to the user, btw – you can read more in their June 8th blog “Links and Twitter: Length Shouldn’t Matter”). In their email, they explain that the use of will be expanded to all messages, and that the length of the shortened URL may vary based on the application/device the receiving user is using, for example:

“A really long link such as might be wrapped as for display on SMS, but it could be displayed to web or application users as or as the whole URL or page title.”

While this might be a nice feature, the way they use it concerns me: the link shortener also includes a “post-click, pre-connect” malware check to ensure that you are not connecting to a bad site, and “Twitter will log that click…to provide better and more relevant content to you over time.”

First off, I don’t need the malware check (a feature that many users already have in their browser or security software). Secondly, that last statement seems to directly imply that Twitter will now start keeping track of the links each individual user clicks, whether they are in public or private Direct Messages and regardless of the app (such as Twitter’s website or any 3rd-party app) – all in the name of providing relevant content, which could be interpreted to mean anything from suggested users to follow to targeted advertising to whatever.

Everybody understands that what you publicly post is public, but there is also an expectation of privacy with respect to Direct Messages. The thought of Twitter tracking what links people click (especially in Direct Messages – which have become an alternative to quick email exchanges for many people) leaves me with a Facebook-like “invasion of privacy” feeling, and that is the last issue that Twitter wants to deal with at this point in their business.

Lesson #4: If you use the phrase “log that click” you must explain exactly how that information is used.

So there you have it. Four points that jumped out at me after reading Twitter’s latest update email. From presentation to content, this email is a borderline #fail.