Twitter app snoops contacts data and messaging activity on my mobile phone

Recently Twitter started to send me notifications when someone that “I know” joins Twitter and makes their first Twitter post.

Today I received yet another notification on the Twitter client on my mobile phone saying Jussi K. has posted his first message on Twitter. I know only one person of that name and he is the dad of my friend called Samuli K. What puzzled me was that I don't actually know his dad very well. The last time I met him was bit over 20 years ago, well before social networking.

How does Twitter know that I may be interested in a tweet from Jussi K? Who I haven't had any dealings with for a very long time?

Figure 1 Today's events on Twitter

The only link that I can think of between Jussi K. and I is a relationship via a person called Samuli K. Samuli is the son of Jussi K. I am close friends with Samuli K. and vice versa (I like to think).

If Samuli and I had been in frequent contact with each other on Twitter and Samuli and his dad were the same, I wouldn't be too surprised about being notified about tweets from his contact.

What concerns me is the fact that Samuli hasn't got a Twitter account, when I checked recently. I checked the list of the people his dad is following, Samuli wasn't there. I know from the list of 400+ people I follow Samuli is not on my list. I searched Samuli K. and found 3 matches but these accounts belong to other people.

Figure 2 The real life connection I've with Samuli and Samuli has with his dad.

So how does Twitter know that I'm interested in Jussi K's tweet without us having direct link between us?

There must be a link that resides outside the network because Samuli doesn't have account on Twitter.

A clue is found in Twitter app settings on Android phone.

In app permissions section of Twitter app settings I can see that I've given permission for Twitter app to read your contacts. Jussi K. has done the same when he installed Twitter on his device.

As we both have given Twitter permission to read our contacts it looks like Twitter has joined 2 contact lists, compared them and found a contact that exists in both of our lists.

Figure 3 The link between Jussi K. and me

But wait.

If Twitter simply links 2 users based on the contacts they have in common then I'd expect to receive more frequent notifications for tweets from people that have no relevance to me. I assume Samuli's phone number exists in many other Twitter users' contacts list that I'm not directly linked with. But I've never before received notifications for tweet from a person that doesn't exist in contacts on my phone. Why did it happen this time?

I believe that Twitter is taking further advantage of the read your contacts permissions and analyse the frequency how often Jussi K and I are in contact with Samuli. As we both are in regular contact with him it makes it likely that we, Jussi K and myself, both know Samuli well and through Samuli we are likely to know each other.

The read your contacts permission enables detailed analysis as per description “Allows the app to read data about your contacts stored on your phone, including the frequency with which you've called, email or communicated in other ways with specific individual”

I've no problem with app analysing my contacts when I've given it the permission to do so. For example messaging app Viber asks for the access to read your contacts and it uses the permission to notify me when someone from my contacts installs Viber. Im OK with this.

But to use the data in the way that Twitter appears to be using it concerns me a lot. Samuli has never installed Twitter app nor accepted any Terms and Conditions of Twitter, but still he appears to be added into Twitter database and used as a link to relay notifications between registered Twitter users. Did Twitter ask his permission to do that? No. What if he would like to get his records removed from the database? There is no account for him to close, so then what?

I feel a little bit guilty about allowing this to happen to Samuli. I don't want the same thing to happen to any of my other non-Twitter contacts, so I've decided to get rid of the Twitter client on my phone and continue using Twitter on browser which hasn't got access to my contacts.

Twitter has to become more transparent on how our personal data is used and for what purpose. The Twitter client is now banned from my mobile and I won't install it again until this happens.

footnote

Big thanks to @Mackie_Jas for reviewing this post

About Neo4j Server image

Neo4j graph database server image is available in Amazon EC2. The purpose of the AMI is to offer instant and on-demand access to a Neo4j Server environment to help the rapidly growing Neo4j developer community to test and deploy Neo4j-enabled applications.

This Amazon Machine Image is produced and maintained by OpenCredo, UK consultancy delivery partner for Neo Technology.

The image is built on Elastic Block Storage (EBS) root device that enables data to be preserved when the machine is switched off and later restarted (terminating the instance will destroy all data). Other benefits of using EBS-backed instance in comparison to S3-backed instance are faster boot up time and the ability to resize the machine easily when extra processing capacity is needed.

Components

Components included in the image are the following

Amazon Machine Image
- Regions and AMI IDs
- Source: 720777788660/Neo4j Server (Ubuntu 10.04.2 LTS)
Ubuntu 10.04.2 LTS
Sun JDK 1.6.0_24
- Installed in /usr/lib/jvm/java-6-sun-1.6.0.24/
- Installed from Ubuntu partner repository (http://archive.canonical.com/ lucid partner)
Neo4j Server v.1.3 Community Edition
- Installed in /opt/neo4j/
- Listening on port 7474
- Server is configured to start-up automatically when instance is launced (runlevels 2-5)
- Stop/start script is located in /etc/init.d/neo4j-server
Jython v.2.5.2
- Installed in /opt/jython
- Binary found in the path through symbolic link in /usr/bin
Jruby v.1.6.1
- Installed in /opt/jruby
- Binary found in the path through symbolic link in /usr/bin
Python 2.6/3.1
- Python 2.6: /usr/bin/python
- Python 3.1: /usr/bin/python3.1
Ruby 1.8
- Ruby binary found in the path
Curl 7.19.7
- Curl binary found in the path
EC2 API and AMI tools
- EC2 API tools are located in /opt/ec2/ec2-api-tools/
- EC2 AMI tools are located in /opt/ec2/ec2-ami-tools/
- Both tools are updated automatically at instance start-up
- Update process is triggered in /etc/rc.local by calling a script /opt/ec2/updateEC2Tools.sh
- updateEC2Tools.sh is published under GPL license and available in https://github.com/jussiheinonen/scripts

Component Diagram

Get started with Neo4j Server instance in Amazon EC2

Locating Neo4j AMI

Login to AWS Management Console [http://aws.amazon.com]
Go to EC2 tab and click AMIs link
Search for 'neo4j'
Select the AMI and click Launch

Links to launch the Neo4j Server image

Instead of searching for AMI you can use the following shortcuts to launch the image on AWS Console

Press play to launch Neo4j in US East (Virginia)
Press play to launch Neo4j in US West (California)
Press play to launch Neo4j in EU West (Ireland)
Press play to launch Neo4j in AP South East (Tokyo)
Press play to launch Neo4j in AP North East (Singapore)

Configuring AMI start-up parameters and launching instance

Specify instance type, eg. Micro (t1.micro), and click Continue
Enter a description for your instance in User Data field
Optionally you may tick the box “Prevention against accidental termination”. This option disables theTerminate action in Instance Action -menu which is used to delete the instance and all user data stored on the EBS volume.
You can associate tags (Key-Value pairs) with the instance Eg. “Neo 4j Server instance A”. Tags may be useful for managing EC2 environment that consists of multiple nodes.
Associate a Key Pair with your instance. The private key of the Key Pair is used for accessing the instance over SSH. If no Key Pairs exist yet you can create a new Key Pair by selecting the option “Create a new Key Pair”
Associate instance with a Security Group. Security Group is an access list that can be used to allow and block access to services run on the instance.
In this example I'll associate instance with Security Group “Neo4j public access”. This Security Group is configured to allow connection from the internet to TCP ports 22 (SSH) and 7474 (Neo4j web administration interface)
The final step is to confirm instance configuration details. Once confirmed click Launch button and your instance will start up within next couple of minutes.

Accessing instance over HTTP and SSH

Neo4j Web Administration access

Neo4j Server is configured to start-up automatically when instance is launched. Assuming the Security Group is configured to allow access from the internet to TCP port 7474 you can then access Neo4j web administration interface by using the Public DNS name associated with your instance. Public DNS name can be found in instance description view.

For example Public DNS name of running Neo4j instance is ec2-12-34-567-89.eu-west-1.compute.amazonaws.com. I can connect to web administration interface by entering address http://ec2-12-34-567-89.eu-west-1.compute.amazonaws.com:7474 in web browser.

SSH access

For SSH access you'll need 2 things: Public DNS name and a copy of the private key from the Key Pair that was selected at the instance configuration phase.

As an example let's say the Public DNS name is ec2-12-34-567-89.eu-west-1.compute.amazonaws.com and name of the private key file is myprivates.pem.

I can connect on SSH from command line by issuing the following command:

ssh -i myprivates.pem ubuntu@ ec2-12-34-567-89.eu-west-1.compute.amazonaws.com

Last word

That's all for now folks. I hope I managed to cover all relevant points regarding environment configuration and how to get started with your own Neo4j Server instance in Amazon EC2.

Update 11.05.2011/15:13 BST

Image is now available in all 5 regions and AMI IDs can be found on the Components list above.

Jussi's Web Log

Wednesday, October 29, 2014