When a person signs into an app, that’s a transaction, and value is exchanged. Who comes out ahead on the deal?

This is part of the Federation Conversation; I’ll excerpt from Gary Royal in a comment on my Google+ post:

“Federated login has a clear benefit to the service provider (access to disaggregated user data, particularly that user’s social contacts), but only an ostensible benefit to end users (freedom from having to remember yet another password), so on that level it’s purely a swindle designed to obtain detailed information about a user in return for nothing.”

If that’s true, federated sign-in is a raw deal and nobody should ever want to do it. And all over the InterWebz, people who build apps are crying bitter tears at the prospect of never knowing much about the people who sign in.

What gets shared at sign-in? · I’m not talking about data flows in general, I’m talking about exactly what (to use Gary Royal’s phrase) “disaggregated user data” the app you’re signing into gets. It sorts neatly into baskets like so:

The bare minimum · Your “username” (which means email address everywhere but Twitter) and nothing else. Mozilla Persona wires in the assumption that this is all you’d ever share.

Friendly stuff · Mostly about your name and picture, really useful for apps that want to personalize: Work your name and face into their pages. For most of us, this is low-sensitivity stuff. And if your name and picture give away things you don’t want anyone knowing, faking them might be a better option than refusing them.

Marketing inputs · This is the kind of thing that is useful to people who are trying to sell stuff. Probably the key facts here are your age, gender, and neighborhood. At this point we’re getting into information with real hard-cold-cash value, and my feeling is that anyone who gets it when you sign in had better be offering something of real solid value in return.

Social context · This is the most complicated one. The information clearly adds value to some apps — Facebook Connect (now called Facebook Login, by the way) is used by millions every day, and developers are comfy with it — but the decision as to whether it’s appropriate to share depends totally on what it’s going to get used for.

This is the source of the pervasive anxiety created over the past few years by Facebook; the wrong thing being shared with the wrong people, even once, can ruin a trust relationship forever.

Personally, I’m pretty hard-line about this one. I’m currently refusing to update the Android app from my bank, CIBC, because it wants access to my contacts. You know what the right amount of “social” content is in my relationship with my bank? Zero, that’s what.

Cui bono? · Given all that, what about Gary Royal’s claim that this is a one-way benefit that apps get from their users “in return for nothing”? I think it’s at least oversimplified. Because sometimes what you’re giving up isn’t worth that much, and sometimes what you’re getting is.

I’m not saying there aren’t sleazebag apps out there that will vacuum up everything they get and then spam your friends, because there are. But let’s put on our app-builder hats for a moment, assume we’re not sleazebags, and ask: What’s the right thing to do?

Plan A: Full transparency · This is the simplest to understand: At sign-in time, the app puts up a shopping list of all the information it’d like, and the person looking at it gets to sign off on none, some, or all. Then the app gets to decide whether it can operate with what the person offered, and away you go (or not).

I used to think this was the right answer. And a lot of people would like to see this sort of future. The trouble is, there’s a much larger number of people who don’t care, won’t look, and just want to find the “OK” button as fast as possible so they can click it and get on with using the app. It’s worse than that: Data shows that the longer and more complicated the approval dialog, the fewer people read it.

Ethical quandary · So what are you going to do? There are apps out there that ask for way more information than they need because they know that the number of people who just don’t care is higher than the number who’ll blow them off.

And — I’m sorry — full transparency is thus not an ethically satisfying position. Because people deserve protection even if they’re oblivious to the issues around it.

I hear people arguing that the right answer is to never ask for any information until the moment that you need it. Maybe — but I’m nervous about the interrupted user experience, and I’d need to see research data with outcomes.

I don’t know what the right answer is. But there are a few things I believe:

  • The Persona position — nobody ever needs to know more than your email — is overly restrictive. By a mile.

  • There are lots of apps which benefit from a social dimension. We’re going to have trouble having a clear-headed conversation about that until the world gets over the Facebook-Connect hangover. And I salute Facebook for turning off the social-by-default information sharing.

  • Don’t default to giving users detailed laundry lists of what you want. The longer it is, the less likely they are to read it.

  • Have intelligent, ethical defaults. For example, maybe the default “OK” button releases the Bare-minimum and Friendly-stuff baskets of information above; anything more than that defaults to “No”.
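As an added example (not code from this post, and not any identity provider’s implementation), here is a small Python sketch of the baskets described above and of the default-grant rule in the last bullet: the provider sorts each requested scope into a basket, the plain “OK” button releases only the Bare-minimum and Friendly baskets, anything beyond that is withheld unless the user explicitly opts in, and the app then checks whether it can operate with what it got (the app-side half of Plan A). Scope names follow OpenID Connect where a standard one exists (openid, email, profile, birthdate, gender, address); “picture”, “contacts” and “post” are assumed stand-ins for provider-specific scopes, and the request in the usage block is constructed. Unrecognised scopes are never granted, which is the fail-closed check a practitioner would want.

```python
"""Consent-policy sketch for federated sign-in.

Added example, not code from the original post or from any provider.
Scope names follow OpenID Connect where one exists; "picture", "contacts"
and "post" are assumed provider-specific stand-ins.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class Basket(IntEnum):
    """The four baskets from the post, ordered by sensitivity."""
    BARE_MINIMUM = 0   # identifier only: email address (or handle)
    FRIENDLY = 1       # name, picture
    MARKETING = 2      # age, gender, neighborhood
    SOCIAL = 3         # contacts, posting on the user's behalf


# Which basket each scope falls into. Anything not listed is unknown
# and is never released.
SCOPE_BASKET = {
    "openid": Basket.BARE_MINIMUM,
    "email": Basket.BARE_MINIMUM,
    "profile": Basket.FRIENDLY,      # name
    "picture": Basket.FRIENDLY,      # assumed scope name
    "birthdate": Basket.MARKETING,
    "gender": Basket.MARKETING,
    "address": Basket.MARKETING,
    "contacts": Basket.SOCIAL,       # assumed scope name
    "post": Basket.SOCIAL,           # assumed scope name
}

# The "intelligent default": plain OK releases up through FRIENDLY.
DEFAULT_MAX_BASKET = Basket.FRIENDLY


@dataclass
class ConsentDecision:
    granted: set
    denied: set    # recognised scopes withheld by default (user may opt in)
    unknown: set   # scopes the provider does not recognise: fail closed


def decide_consent(requested: Iterable[str],
                   explicit_opt_in: Iterable[str] = (),
                   default_max: Basket = DEFAULT_MAX_BASKET) -> ConsentDecision:
    """Provider side: apply the default-grant rule to an app's scope request.

    A scope is granted if its basket is at or below default_max, or if the
    user explicitly opted in to it. Unknown scopes are never granted.
    """
    granted, denied, unknown = set(), set(), set()
    opt_in = set(explicit_opt_in)
    for scope in requested:
        basket = SCOPE_BASKET.get(scope)
        if basket is None:
            unknown.add(scope)
        elif basket <= default_max or scope in opt_in:
            granted.add(scope)
        else:
            denied.add(scope)
    return ConsentDecision(granted, denied, unknown)


def withheld_by_basket(decision: ConsentDecision) -> dict:
    """What the consent screen should mention: only the withheld scopes,
    grouped by basket, rather than a laundry list of everything requested."""
    out: dict = {}
    for scope in decision.denied:
        out.setdefault(SCOPE_BASKET[scope].name, set()).add(scope)
    return out


def app_can_operate(required: Iterable[str], decision: ConsentDecision) -> bool:
    """App side of Plan A: proceed only if every scope it truly needs was granted."""
    return set(required) <= decision.granted


if __name__ == "__main__":
    # Constructed request: an app asking for more than it needs, plus a typo.
    requested = ["openid", "email", "profile", "birthdate", "contacts", "frobnicate"]
    decision = decide_consent(requested)
    print("granted:", sorted(decision.granted))
    print("withheld:", withheld_by_basket(decision))
    print("unknown (refused):", sorted(decision.unknown))
    print("app needing only email can run:", app_can_operate(["openid", "email"], decision))
    # A bank-style relationship: even the Friendly basket stays off by default.
    bank = decide_consent(["openid", "email", "profile"], default_max=Basket.BARE_MINIMUM)
    print("bank gets:", sorted(bank.granted))
```

The ordering of the baskets is what makes the default rule a one-liner: lowering default_max to BARE_MINIMUM gives the Persona-style policy, while an explicit opt-in list is how a user turns on a single Social scope without the app having to ask for all of them.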

If you are the kind of app that scoops up valuable data “in return for nothing”, your future is limited. So don’t be.



From: tom jones (Sep 24 2013, at 07:42)

"The Persona position" is not "nobody ever needs to know more than your email", it's "nobody needs to know more than my email _for the purpose of me logging in_".

whoever needs to know more can simply ask me, either during the "account creation" (aka after the first sign-in using Persona), or right before they need the info (better for some kinds of data).

i think the big stink on "federated login" is *exactly* from Facebook's bundling of the "login action" with "information sharing". those are two separate things, and should be treated as such, as combining them can lead to all sorts of trouble.


From: Vinay (Sep 24 2013, at 13:35)

It sounds like Persona fulfills a lot of the requirements for a trustworthy authentication provider. The only thing it doesn't do is provide more information than the application developer would want.

You're taking it as a given that malicious applications will die out in the face of non-malicious apps. Why is that the case? Isn't it better to build a limited feature set into the protocol?

I think it would be easier to build a limited feature set in (only e-mail is shared), and then add to it later as needed (you want name & picture? let's see if other unrelated solutions spring up first). Why start with more than we need to get the task at hand done?


From: John B (Sep 24 2013, at 15:27)

The problem is that it's out of the user's control.

When the user has the option of either a) accept all (facebook timeline, contacts, name, birthdate) or b) not use it, this is hindering adoption no end.

This is the same problem that Android has and seems to be fixing (CyanogenMod has selective permissions, Android 4.3 appears to have the framework but not the UI).

Providers need to be able to offer all these but the user needs to be able to say yes or no on a case by case basis regardless of what the site / app is requesting.

There should be guidance from the provider as to what is sensitive and what is safe, but the end choice should be the user's.


From: Aaron B (Sep 26 2013, at 09:50)

The big picture part of this quandary, I think, epitomizes the perennial struggle between centralization and distribution. We're seeing this struggle play out as companies try to push people onto the cloud.

Cloud is great! Things are so easy! No downloads! Give us all your personal information! Trust us! No, really!

Remember when we used to own stuff, instead of just licensing it temporarily? We may be moving in the other direction now, but human nature has not changed. We still like owning stuff.

I expect to see the pendulum start swinging back towards distribution in the next couple decades.


September 23, 2013
· Business (126 fragments)
· · Internet (112 more)
· Technology (90 fragments)
· · Identity (43 more)

