What a mess. No sooner had Twitter unveiled its new Tip Jar feature — which allows anyone using the app in English (at least, during the rollout) to send cash to a small handful of Twitter users whose work they’d like to support — than major privacy flaws were found in what should otherwise be a innocent way to toss people a few bucks.
While I’d normally take this time to complain about how slow feature rollouts are annoying, I’m actually grateful Twitter isn’t letting everyone set up their own tip jars right now. There are a handful of problems with the feature connected with using PayPal to fund these tips — one of the many payment options available — and they’re worth knowing about before you accidentally, say, send your home address to some random person on the internet.
This potentially disastrous risk to your personal privacy was first uncovered by security researcher Rachel Tobac, who shared her findings in a tweet:
Huge heads up on PayPal Twitter Tip Jar. If you send a person a tip using PayPal, when the receiver opens up the receipt from the tip you sent, they get your *address*. Just tested to confirm by tipping @yashar on Twitter w/ PayPal and he did in fact get my address I tipped him. https://t.co/R4NvaXRdlZ pic.twitter.com/r8UyJpNCxu
— Rachel Tobac (@RachelTobac) May 6, 2021
While Twitter plans to take additional actions to let users know that their personal data might be shared as part of the tipping process, this entire problem is really more PayPal’s issue to solve. On that, I haven’t heard a peep.
We’re updating our tipping prompt and Help Center to make it clearer that other apps may share info between people sending/receiving tips, per their terms.
— Twitter Support (@TwitterSupport) May 6, 2021
As more people started to dig into PayPal-based tips, a few more privacy peculiarities emerged. For example, if you set up a tip jar and link it to PayPal, but don’t have a PayPal nickname, everyone initiating a tip will be able to see the email address you’ve linked to PayPal. (They don’t even have to complete the transaction.) If that’s your personal email address that you’d prefer to not have out in the wild, well, tough luck. Better get that nickname set up ASAP.
Warning all: @Twitter‘s new “Tip Jar” feature reveals the recipient’s email address that’s linked to their account, even when you don’t send them any actual money
(I got permission from @jason_kint to show his email in this video)
Thread here: https://t.co/Z6WFuXSlgO https://t.co/e8f9J58db7 pic.twitter.com/6u4Vjwkinf
— ashkan soltani (@ashk4n) May 7, 2021
We’re not done yet. If you take a closer look at Rachel’s tweet from above, you’ll notice that PayPal is taking a fee as part of the tip transaction:
That shouldn’t be a surprise to anyone who has used PayPal to send money, well, ever. But there’s a curious interplay between fees and privacy that you need to know about, too, if you’re planning to tip someone for their Twitter work.
If you are new to PayPal, yes, sending money to someone you don’t know can be a privacy issue.
If sending $ thru Twitter tip, you get two options. The first is sending as friends & family. This one takes no fee from the person you’re tipping and it doesn’t expose your address. pic.twitter.com/8r7gH5QAlp— Shannon Morse says GO GET VACCINATED (@Snubs) May 7, 2021
The second option is goods & services. This option takes a fee and exposes your shipping address. Mine is a box that I use for PR & online use but if that’s your home address you may want to know that this is a thing. pic.twitter.com/Mf51SoZjdK
— Shannon Morse says GO GET VACCINATED (@Snubs) May 7, 2021
My advice? Don’t use PayPal for these transactions at all. If you must tip someone on Twitter — a practice I wholeheartedly encourage if you find value in their work or witticisms — fund it via another service entirely. You can currently pick from Bandcamp, Cash App, Patreon, and Venmo, which should be more than sufficient for the occasional random donation. Keep PayPal for when information like your address actually matters (eBay). Don’t give random Twitter users access to that information, not at any cost.
Leave a Reply
You must be logged in to post a comment.