Monday, April 24, 2017

faith in small print

If you’ve ever granted permission for a service to use your Twitter, Facebook, or Google account, you’ve used OAuth.
This was a radical improvement. It’s easier for users, taking a couple of clicks to authorize accounts, and passwords are never sent insecurely or stored by services who shouldn’t have them. And developers never have to worry about storing or transmitting private passwords.
But this convenience creates a new risk. It’s training people not to care.
It’s so simple and pervasive that even savvy users have no issue letting dozens of new services access their various accounts.



This is from a piece by Andy Baio on Wired from way back in 2012, which I have come across, late in the day, thanks to a tweet by Jeff Atwood of Coding Horror.  (All right, not just of Coding Horror; Atwood is probably, actually, more famous for teaming up with Joel Spolsky to launch Stack Overflow.  The blog did come first, and his Twitter handle is @CodingHorror. Moving right along...)

I'm completely baffled by this.  "Even savvy users?"

Baio goes (went?) on to talk about the large number of apps to which he has granted access to, among others, his gmail account, and to mention other savvy users (including Anil Dash, now CEO of FogBugz) who have done the same.

And, um--

Look, every once in a while I start to sign up for something and the entity who wants to enroll me wants to do this via Twitter or Facebook or Google.  Sometimes they also allow separate registration via an email address, so I use the email address designated for registrations and the like.  Sometimes they don't, and I think: You can't be serious.  And I leave the page.

I don't really think of this as savvy. I think: Just how stupid would you have to be to give someone access to an account and its contacts?  Just how stupid would you actually have to be? 

Of course there's always going to be some kind of document setting out the terms and conditions, including privacy rules.  And you think the fact that they posted this comforting text offers protection why, again, exactly?

I'm rather taken aback to find that this merited a piece on Wired, but the whole thing is here.


Ted Lemon said...

I think that the assurance you get is actually coming from the OAuth provider, not from the site you're authorizing. That's why e.g. Twitter tells you "this app can post on your timeline and read your contacts." So you get full disclosure. Sometimes the sites don't demand anything horrible, and then I think it's okay to authorize them. But it's funny, or perhaps not funny, how many sites that ask for your OAuth just so that you can log in then wind up requesting much more access than that from the OAuth provider, which is of course revealed to you if you feel like reading it.

Helen DeWitt said...

My understanding from the piece was that there were some amazing apps that, for instance, would help you manage your emails (which perhaps wouldn't work unless they had access to your gmail account). I can't imagine any level of amazingness of app that would compensate for giving that kind of access.

But then it also seems that there are all kinds of other services that want access to contacts as prerequisite to registration. For me that's a dealbreaker.

I don't think any of my online accounts are impregnable - I don't doubt for a minute that they can all be hacked. But the idea of facilitating this strikes me as totally bonkers. Not just bonkers, but a betrayal of everyone I deal with through the service for which I am asked to approve access.

Ted Lemon said...

Yes, indeed, I have to say that I found the idea that someone would use an app that needed to actually download all their email, facebook posts and so on quite shocking. I haven't seen a new one of those turn up recently—is it possible that people have gotten wise?

Ted Lemon said...

(a cloud app, of course)

R. said...

Apropos of this: "We’re ‘heartbroken’ we got caught selling your email records to Uber, says boss"