On May 6, Twitter added a new feature, the Tip Jar. The intent behind this innovation, as Twitter says, “is to support voices of creators, journalists, experts, and nonprofits.” However, within hours of the launch, security experts raised concerns over the privacy of people sending tips, which seemed to violate Twitter’s own policies.
What is Twitter’s Tip Jar
Tip Jar allows the Twitterati to generate an additional income source directly via the social media platform. It is a new way of sending and receiving tips so that people can support each other not only in terms of Follows, Retweets, and Likes but even monetarily.
How to enable Twitter’s Tip Jar?
Setting up the Tip Jar feature is just a matter of a few clicks. Follow these simple steps:
- Go to Edit Profile.
- Switch On the “Tip Jar” setting.
- Toggle and activate Allow Tips. This will display a list of all payment services and platforms available for setting up your tip receiving account.
- Select one or multiple services and add a $Cashtag.
- Once done, the Tip Jar account for your profile is successfully set up and a small button appears on the profile next to the “Follow” button.
How to send a tip using Tip Jar?
To send or donate a tip using Tip Jar:
- Click on the Tip Jar.
- Select the payment service you want to send money from (e.g., Bandcamp, Cash App, Patreon, PayPal, or Venmo). Additionally, on Android, tips can also be sent using Spaces.
- Once selected, a Tip Jar prompt appears indicating that the tipper will be redirected to a third-party service outside the platform. Click Continue.
- Go to the platform and complete your payment.
Twitter’s Tip Jar Privacy Issue
Though Twitter seems to have nailed this function, some privacy advocates stated that it exposed the tipper’s identity in certain scenarios.
Problem 1: Security researcher Rachel Tobac found that sending someone money via PayPal revealed her home address to the receiver.
Huge heads up on PayPal Twitter Tip Jar. If you send a person a tip using PayPal, when the receiver opens up the receipt from the tip you sent, they get your *address*. Just tested to confirm by tipping @yashar on Twitter w/ PayPal and he did in fact get my address I tipped him. https://t.co/R4NvaXRdlZ pic.twitter.com/r8UyJpNCxu
— Rachel Tobac (@RachelTobac) May 6, 2021
Problem 2: Former Federal Trade Commission chief technologist Ashkan Soltani also dug deeper and found that using PayPal for the Tip Jar revealed not just users’ addresses but also their email addresses, even when no transaction took place.
Warning all: @Twitter’s new “Tip Jar” feature reveals the recipient’s email address that’s linked to their account, even when you don’t send them any actual money
(I got permission from @jason_kint to show his email in this video)
— ashkan soltani (@ashk4n) May 7, 2021
Following these discoveries, Twitter quickly addressed the problem, noting that the privacy issue was not on its end but on the third party’s, i.e., PayPal’s. After working through the options, it decided that it could not change PayPal’s functionality but could update its own notification process. Twitter’s support handle backed this by tweeting,
“We’re updating our tipping prompt and Help Center to make it clearer that other apps may share info between people sending/receiving tips, per their terms.”
The Real Problem
PayPal, for its part, already states in its terms and conditions the scenarios in which the receiver gets the address in the receipt. When people are receiving payments through the platform, they need to select either a “goods and services” or a “friends and family” payment. In the former case, their address is shared; in the latter, it is not.
At this point, these Tip Jar privacy issues are still limited to a small subset of Twitter’s worldwide users because the feature has only been made available to “Twitter in English.” Thus, expect Twitter to work overtime before its wider roll-out.