Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Why do HN commenters have so much Facebook Connect angst?
24 points by bretpiatt on Sept 27, 2011 | hide | past | favorite | 23 comments
Every article that mentions a company tying their authentication to Facebook Connect unleashes a horde of people saying "I'm going to cancel my account", or "this is the worst idea for their business ever" ..

Why is having a central authentication system a bad idea? How many times have we seen articles where companies are storing information (password included) in plain text or a weak cipher? How much developer time is wasted rebuilding authentication systems? How much user productivity is lost trying to remember passwords if they use different ones (or lost managing things through a tool like 1password)? How many security breaches are caused because people use the same password across many sites?

Facebook Connect is a good thing. I understand that the data mining and privacy concerns. These concerns aren't real, not because Facebook isn't collecting information but because everyone is collecting information so any privacy you have left is an illusion of privacy, not actual privacy.



These concerns aren't real...any privacy you have left is an illusion of privacy, not actual privacy.

This is Wrong. Our privacy is only actually gone when we consciously decide to give it away, or throw our hands up and say "oh well, there's nothing we can do".

Facebook Connect isn't bad in and of itself, and neither is central authentication. But a lot of people understandably don't trust Facebook to manage their identity for them and would prefer to manage it themselves.

It's still perfectly possible to maintain reasonable privacy on the web, and any site or product that doesn't at least give me the option of doing so isn't a site or product I'm interested in using.


What do you consider reasonable privacy? This doesn't just apply to the web.

Do you use a credit card to pay for things or do you always use cash? Your purchasing behavior is being collected and tracked. Do you have a loan for anything? Your income, address, and your ability to pay on time is tracked. If you always pay cash and avoid having loans or anything you need to manage your credit history for, you are part of a small paranoid minority.

On the web.. do you log on from an Internet access account that is yours or are you always using public wi-fi? If you log on from your own account your ISP is tracking where you visit. Do you use Google or Bing for search or DDG? Your behavior is being tracked there already. If you never search with Google or Bing you're part of a small paranoid minority.

Even if you choose to not participate in information sharing with any of the products you use it is being gathered anyways by the semi-static data you share just by being online. This includes if you browse with cookies turned off -- if they're on forget about it, any privacy you have is a complete illusion.

Do you carry a cellphone? Do you run around with GPS turned on? Your carrier is already collecting this information. If you avoid this behavior you're part of a small paranoid minority.

Privacy is an illusion. This isn't a bad thing. It is good as it allows services to tailor their interactions with you to improve your experience. Time to welcome the benefits of sharing .. what do you have to hide?


"What do you have to hide" is the most naive and/or disingenuous rebuttal ever seen in a privacy discussion.

"What do you have to fear" is a more honest one. As it turns out, there are plenty of malicious actors you have to fear. Private investigators or fraudsters blagging private records. Identity theft. Embarrassing details coming out you'd rather your family didn't see.

But since you have nothing to hide, why not tell me your contact details, your bank details? If you refuse then I think we have established that some things should be kept under control rather than wantonly shared.


The "what do you have to hide" question isn't disingenuous it is in the context of the discussion.. Facebook Connect isn't giving your bank account details to anyone. That is much more disingenuous of a comment trying to equate the two.

An example of the type of sharing it will do and where sharing information is good. I use Spotify and that tracks the music I listen to. If a concert ticket sales site was integrated and had access to the same information when I visit it they'll be able to show me relevant content -- this is a good thing.

If you have behaviors on the Internet or in public you're trying to hide from people maybe you shouldn't be doing them. Time for some personal reflection here. Eric Schmidt was pretty direct on this and caught a lot of flack for it because people don't like being held accountable.


As seabee said, "'What do you have to hide' is the most naive and/or disingenuous rebuttal ever seen in a privacy discussion."

But to respond to your first point, I consider reasonable privacy to mean, very simply, that I understand the consequences of whatever action I take (because they are made up front and clear) and that I have choices in controlling the flow of my personal information (because options are available).

Whether I choose to be in the "small paranoid minority" is my own decision and I should have the freedom to make it.


My credit card company can not legally sell my purchasing history to the highest bidder.[1]

Google can not tracking my searching if I am connected via a public proxy (very common, in fact)

Most people don't have smartphones, and most don't leave the GPS on.

I'm willing to guess that taking the union of all of your "small paranoid minorities" gives a pretty large minority, in fact.

---

[1] - http://www.federalreserve.gov/bankinforeg/regpcg.htm


The carriers can still locate you without GPS using triangulation. But that kind of data requires a court order to access, so not a serious issue.

Anecdotally there are lots of people who care about a specific privacy issue based on a personal experience they have had. One shreds everything they have, another uses an unregistered prepaid phone, another refuses to Facebook. But no one person does all of these things. I can't possibly say anything more than human perception of risk is shaped hugely by experience :)


"These concerns aren't real, not because Facebook isn't collecting information but because everyone is collecting information"

So Facebook isn't acting counter to your interests because everyone is acting counter to your interests?


This is mostly a concern for me because I choose not to use Facebook, so I won't be using any business relying on Facebook Connect. Most of my reasons for not using Facebook (aggressive data collection and being pretty open about milking it for their own ends) are even more worrying when applied to an auth system.


You've got a good point about the false sense of security. But the main problem is that Faceobook makes it too easy to make information public and too hard to manage my view into that information. If I could see and edit the info Facebook makes available to other people, I would be much more comfortable.

Also, I feel like Facebook isn't just storing my info, but is actively trying to get me to add more info. I feel like I'm being milked for personal information.


Why is having a central authentication system a bad idea?

Because you give central control to a central authority.

How many security breaches are caused because people use the same password across many sites?

Note that a single login to all sites is the same problem as a single password to all the sites. If the password is compromised, all the sites are compromised.

Facebook Connect is a good thing.

That conclusion doesn't follow from your remarks.

You choose to focus on two objections that are both false objections: that we have a choice between only a central auth system or many weak auth systems, and that we've lost all privacy anyway.

I believe the cost of central control over all online activity is higher than the cost of developers learning and implementing strong personally controlled authentication and the cost of educating users what history shows us about ceding too much privacy and autonomy.

I worry that Facebook Connect is an actively "bad" thing. I think a good thing would be for OS X Keychain or 1Password style tools to be built into browsers or operating systems to give master key + random auth key functionality to every user with users controlling their own online credentials.

It bears repeating:

Why is having a central authentication system a bad idea?

Because you give central control to a central authority.


It's because that certain subset of HN commenters are exactly the wrong audience for Facebook Connect. They value privacy over convenience, while Facebook Connect values convenience over privacy.

Not every product is for everybody.

The angst is probably magnified a bit by the awareness that they're the minority view. When dominant values are different from your own, it makes you uncomfy.


put very well indeed


This has to be a trolling attempt.

"...any privacy you have is a complete illusion" "what do you have to hide?"

Please people, don't feed the trolls.


Try to see this from a developer's perspective. If Facebook becomes the de facto standard for internet authentication and the de facto standard platform for every service, developers' freedom will be much diminished. And there are many developers (and entrepreneurs) here.


Do you have some examples of how companies have differentiated on authentication that led to their success? For each of those how many have failed due to lost time trying to build an authentication system or due to a breach caused by building one with a flaw in it?


Authentication might seem a trivial matter, but it isn't. If you use facebook connect, your users are actually facebook's users. Facebook knows how many times they used your service, when, and so on. And, most importantly of all, you are locked in into facebook's service.

What if one day FB starts to push more and more FB connect applications to become FB apps? How much leverage would they have?

As a counter example, I use google analytics on my websites. This means that google knows everything about my stats. But if I stop trusting them, for any reason, it would take just 5 minutes to change. This doesn't give any leverage on me. Contrast this to using FB connect - or the google equivalent, for that matter.

That's what makes many independent developers scared of this kind of news... that being assimilated by FB could one day become inevitable.


At least Google is an OpenID provider, so you can provide Google, Yahoo, etc. buttons that are actually OpenID buttons, and then have a general OpenID field, and let your users choose.


What about some examples where requiring authentication led to measurable market success at all?


No particular angst, but I do recognize a personal dichotomy. Like many others I react to Facebook changes with initial distrust and sometimes anger but---then I remember that there is nothing there that I did not put there or that my small circle of friends put there. So I back up and re-think my reaction and mostly conclude that it is mostly not 'what', but 'how' that bothers me. No one would ever accuse Facebook (or its leader) of being tactful but then so what? That in of itself is nothing to get wrapped around the axle about. It still bothers me just not the way that it seems to bother others...


I'll just leave this here. Just replace the name Google with Facebook.

http://www.securitytube.net/video/1084


For me, the problem is that Facebook constantly wants me to overshare, and I feel like I constantly need to pull back. It's never just "authenticate with Facebook", it's "Authenticate with Facebook, give the app 30 different ways to violate my privacy, then make a bee-line for the App Settings panel to turn off all the permissions I'd rather not use".


I just dont trust them anymore. FWIW, I'm ok with using Twitter as a central authentication system.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: