Developer Jeremy Keith has written on his website about the ongoing trend of sites asking for write permissions to social networks during sign-up processes and users giving it to them. He singles out Twitter, and notes that many services are asking for write permissions that they don't actually need, despite Twitter itself now making it relatively easy to separate out read and write permissions for Twitter authentication. He argued services aren't providing enough of a justification for their actions, but also that users need to be far more aware, in order to safeguard their accounts.
.net spoke to Keith about what developers and users alike can do to improve this aspect of authentication.
.net: Do you think users don't realise what they're really doing when using the likes of Twitter and Facebook to sign up to other sites?
Keith: There’s definitely a lack of awareness. Partly, it’s because it’s now the norm—you sign up for a service and it says to authenticate with Twitter. I get the impression people aren’t really reading the permissions dialog in much detail. Maybe Twitter permissions could look a bit more ‘scary’ when you’re about to give write permissions. Flickr has a better permissions-granting screen, with a warning if a service will be able to delete your photos. With Twitter, the difference between read access and read/write access is a few bullet points in a list.
.net: Have you come across occasions where people have subsequently been surprised with write access they've granted?
Keith: One was quite recently. I woke up to find all these tech-savvy people on my feed boasting about follower counts. They were all tweeting the same thing and it was so out of character. I could immediately see what had happened and I became interested to find out which third-party service was to blame. It was Twitter Counter, which most people couldn't even remember authenticating. The response was a mixture of sheepishness, embarrassment and anger, multiplied when people started getting sarcastic responses from friends laughing at them.
.net: So do you think developers should start being more responsible when it comes to sign-ups?
Keith: Very much so. It was understandable that a culture of asking for all permissions built up when Twitter had a very broad API in terms of permissions-giving. It used to be that you were stuck with however you got someone to authenticate. That's no longer the case.
.net: And are developers responding to this?
Keith: Some are. A stand-out example is Lanyrd. They used to require read/write access, and I granted it to them because I knew them. After a while, I felt bad giving them an exception because they were friends, and so I told them I was revoking permissions. They agreed it was a bit creepy asking for read and write access, but in the interim, Twitter had actually updated their API and so Lanyrd at their own expense updated the way you sign up to their site via Twitter. It's now read-only unless you later want to do something that requires write access, at which point you're asked for permission.
Other services don't do this, even if they're new. They'll ask for access to Twitter to find your friends, and will promise not to tweet on your behalf. But in that case, why ask for write permissions in the first place? It’s just a lack of respect—they want you to give everything straight away. You haven’t even started using the service and they want you to trust them so much you’d let them tweet in your voice. It’s a one-sided deal.
.net: You note a lack of respect can be a culprit, but is there also a lack of awareness from developers in terms of implementing such sign-ups?
Keith: I try not to ascribe malice, laziness or incompetence to devs, but I do think some sites are doing this as a way of growth hacking—you’re strongly encourage to hit the ‘tweet this’ button to tell your friends about a strange new service. But to be fair, there’s also a genuine concern on the part of developers. I was chatting with Josh Miller about Branch, who was saying one dialog is better than two. In the case of Lanyrd, it asks for permission when it requires the rights to do something. Miller said that’s a bump in the road, slowing down the flow of accomplishing a task, throwing up a second dialog at that point—which is a fair criticism. Still, I know I won't grant that permission—the benefit of reducing flow doesn't outweigh the con, which is the service having write access.
.net: But given that users often demand less friction, is there any viable alternative to these one-click sign-ups? How about reverting to email?
Keith: This is part of a much bigger question, in that generally passwords are not good. They're fine for a few sites, but beyond that people use the same passwords, and passwords must now be very long or they're too easy to crack. So I’m actually in favour of things like OAuth, Twitter’s implementation of that, Facebook’s… those things are all fine. It’s how they’re used that’s the problem.
I like it that I can just go into a site by using a social network, but I don’t like it if it’s the only option. Not everybody has a Facebook account. Not everybody has a Twitter account. No-one should be forced.
I get the idea and the point of avoiding usernames and passwords and the duplication of those things. It's implementation details and the culture that need to change, but we can’t just blame developers—users also need to become more aware of what they’re doing when they allow sites to have write access. It’s not the same as just giving someone an email address—it’s like giving them your email address and your email password.