Facebook Connect and Twitter OAuth Allow Abuse of Users' Online Identity

Let’s face it – we all hate registration forms.  Barring the odd narcissist out there, normal Internet users hate typing in their name, email address, country, postal code, etc. every time they want deeper access to a website, portal or web service.

Programmers and community managers of Internet portals, e-commerce sites and blogs can hardly have missed the newest authentication schemes offered by mega-communities like Google, Facebook and Twitter.  Given the millions of users these communities already hold in their authentication databases, the idea is to offer this registration data as authentication information to 3rd-party sites (like “Mom & Pop’s Screws Online-Shop”).  In effect, a user who has an account with a major site such as Google, Facebook or Twitter does not need to register again at the 3rd-party site.  The 3rd-party site simply ties into one of these mega-sites and lets the authentication happen on that site’s servers.

To mention the most major:

However, some of these authentication systems reveal more of your identity-related data than is absolutely necessary to perform the authentication.

As a frequent reader of the Mashable blog, I was recently offered the option of signing up to the site in order to comment on blog posts.  The choice was between Facebook Connect and Twitter OAuth.

Feeling Naked on Facebook

The Facebook Connect screen looked as seen below:

Facebook Connect Permission Screen

With a single click on “Allow”, Facebook will authenticate the user on behalf of Mashable.  However, notice the remarkable amount of information Facebook wants to hand to the 3rd-party site!  In summary, they want to provide the following:

  1. Your “basic” information, which stretches the definition of “basic” if it includes a list of all my friends, so that the 3rd-party site can use the Facebook Graph to extract personal data about every one of them.  Gee, I don’t feel that much like a friend anymore, and who knows which friend of mine is revealing my data to CRM/marketing companies around the Net.
  2. Send me email any time, about anything.  That’s not so terrible, but do I want more email in my life?  No thank you!
  3. Post on my Wall.  If I think of my Facebook Wall as a space where I can keep my friends updated about whatever is happening at my end, I really wouldn’t want 3rd-party sites to pollute it with all their marketing info.
  4. Did you see the bomb on that screenshot?  “Access my data any time”?  In small, greyed-out type it says “Mashable may access my data when I’m not using the application”, which translated into clear text means: Mashable can store my data and use it for their marketing (and other) purposes forever, even long after I quit using their site.

The appalling part is that this is not what we signed up for when we started using Facebook.  Nor is it made clear when Facebook explains the feature to its users.  Instead it is hidden away in the nitty-gritty of legal text.  Compare the screenshots they use in their explanation with the real screen we captured above!
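To make the point above concrete, here is an added example (not code from the original post, Mashable or Facebook) that audits the permissions a 3rd-party site asks for in a Facebook OAuth authorization URL. It assumes the Facebook Graph API permission names of that period (email, read_stream, publish_stream, offline_access); the client_id and redirect_uri values are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Extra permissions a site may request beyond the basic profile:
# what each one grants, and how it escalates (messaging, read, write, persistent).
EXTRA_PERMISSIONS = {
    "email":          ("send the user e-mail",                        "messaging"),
    "read_stream":    ("read the user's news feed",                   "read"),
    "publish_stream": ("post to the user's wall on their behalf",     "write"),
    "offline_access": ("access data while the user is not logged in", "persistent"),
}

def requested_scopes(auth_url):
    """Extract the comma-separated `scope` list from an authorization URL."""
    query = parse_qs(urlparse(auth_url).query)
    raw = query.get("scope", [""])[0]
    return [s.strip() for s in raw.split(",") if s.strip()]

def audit_consent(auth_url):
    """Report what the consent screen will grant beyond a bare login.

    A login-only integration needs no `scope` parameter at all (the basic
    profile comes with any authorization), so every scope present is a
    permission that exceeds merely identifying the user.
    """
    grants, unknown = [], []
    for scope in requested_scopes(auth_url):
        if scope in EXTRA_PERMISSIONS:
            grants.append((scope,) + EXTRA_PERMISSIONS[scope])
        else:
            unknown.append(scope)  # not in our table: report it, never ignore it
    kinds = {kind for _, _, kind in grants}
    return {
        "login_only": not grants and not unknown,
        "grants": grants,
        "unknown": unknown,
        "persistent": "persistent" in kinds,
        "can_act_as_user": bool(kinds & {"write", "messaging"}),
    }

# Constructed request mirroring the consent screen described in this post.
SAMPLE_URL = ("https://www.facebook.com/dialog/oauth?client_id=PLACEHOLDER_APP_ID"
              "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
              "&scope=email,publish_stream,offline_access")

if __name__ == "__main__":
    for scope, what, kind in audit_consent(SAMPLE_URL)["grants"]:
        print(f"{scope:15} {kind:10} {what}")
```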

Twitter is no Less Notorious

Below is what a Twitter permission page for authentication looks like.

Twitter OAuth Permission Screen

  1. Read tweets from my timeline: That’s OK, it doesn’t hurt and I’m cool about sharing stuff – so be it!
  2. See who I follow and follow them?  Wait, snoop on the people I follow and start following them, without their permission?  Again, for all the talk about Social Media, I can’t see what’s social about abusing my profile as a multiplier for extracting information about my friends/followers!
  3. Update my profile??  Did I read that correctly – this 3rd-party service can update my profile information?  I thought I was the only one who could update my profile! [shaking my head right now]
  4. And finally, post tweets on my behalf?  Oh my God!!  What if this 3rd-party service were run (or taken over, or infiltrated) by lunatics, and they posted on my Twitter feed: “I love OBL-Osama and long-live Jihad?”, or if this service got hacked and messages got spewed onto my feed?  Wouldn’t I be answerable and liable for these posts, even legally?  So why would I allow people to post on my page, which bears my pic and name as its owner?

As you can see, both Twitter’s and Facebook’s authentication methods allow abuse of your online identity.  It is hence our recommendation to users of Internet services to avoid authentication via Facebook Connect or Twitter OAuth, or at the very least to read permission screens very, very carefully before clicking the innocent-looking “Allow”!

Have you got into the habit of using Facebook or Twitter for authentication purposes?  Then we’d love to hear from you.  Share your experience by leaving a comment.

We hope to post a similar review of Google’s OAuth system soon, so please stay tuned!
