Thoughts on third-party sites that require Facebook login
Semil Shah stashed this in Facebook!
I want to contrast two "application" experiences I deal with as a consumer:
1) When I download an app from the App Store on my iPhone or iPad, I always trust that whatever I'm downloading will not totally suck. Sure, there will be some apps that just don't excite me, or are a bit buggy, but none that will cripple my flow and/or my experience. This is because Apple is so vigorous about vetting applications before they enter the App Store, so much so that I trust any download is going to not cause massive headaches.
2) When I sign up for a new web service that requires Facebook login, I don't feel that same level of trust. For really good, thoughtful developers, such as those building apps like Votizen, or Highlight, Foursquare, etc., they work with the hand that has been dealt to them. The signup flow won't be perfect, but they don't contaminate a user's experience on the web.
Despite these edge cases, the majority of sites that require Facebook permissions completely mess up the experience for me. I hate them. They ask for information that's way beyond the scope of what's reasonable, and even after grabbing it, run users through an obstacle course of pop-ups, gates, and other shitstorms in order to grab more information and/or arm-twist the user into sharing or broadcasting more crap about their site.
My point is simply: This will not work forever. I recently went through one third-party app, signed up via Facebook, and dealt with so many pop-up dialogue boxes that it reminded me of the days of dialup AOL. If I were running Facebook (a hilarious thought), this wouldn't bother me right now because the company has crazy momentum, but I would be concerned about my brand -- whether users begin to distrust Facebook permissions and sites that use credentials for signup. If I were running Facebook, I'd want my users to have the same level of trust that I have when browsing through the App Store.
Do you think that Facebook could actually clean up the interaction design so that it is that easy?
Or do you think that the nature of mobile resists such simple, clean permissions unless you control the platform (as App Store does)?
A good web app should be able to "login" with the minimum set of privileges. As the user uses and needs/wants to expose activity to their Facebook stream, more privileges can be granted. It's more work for the web app, but it's a more explicit, natural curve.
Apps that ask for all the permissions up front just make me think they are going to spam my social graph for the sake of their own virality.
That's because in the past Facebook apps have gotten away with spamming and scamming.
What's fascinating to me is that neither Facebook nor Zynga seems to have created any long-term ill will against themselves for allowing such abuses.
I agree that a good app asks for permissions as it needs them.
Is your experience an indication of the quality/usefulness of the app?
I'm not sure there are any useful Facebook apps.
Great point about the "level of trust".
I never, ever sign up with a Facebook login. I'm much more likely to use Twitter for some reason. Maybe because in case some web app abuses the Twitter privileges, it's just easier to undo the damage and revoke privs.
- App Store, large trust level
- Twitter, medium trust, but small penalty in case of abuse of trust
- Facebook, no trust at all
Where are LinkedIn and Google OAuth on your trust scale?
Google OAuth actually has a low level of trust. I'm not always willing to give away my email address to some random web app. I don't know why, but using Google OAuth or OpenID feels like doing that, even though the permissions don't always work that way. Email is just too important to risk.
LinkedIn... not so much trust due to the high levels of recruiter spam.
So Twitter really is special.
My biggest problem with Twitter is that its OAuth server is unreliable -- it hangs or fails too much for an app to depend on only Twitter.
If a decent alternative to Twitter came along that didn't bind OAuth with email (as Google and Yahoo do), we'd gladly implement it.
While I see benefits of using FB login, I do think that the amount of information asked by some apps and the way they invade your privacy is just unacceptable.
Me too. I often hit the "login with Facebook" button out of habit then I see the "hitting this button grants app your first born child" clause and run away screaming to the "login with Twitter" button.
We tried to strike a balance with PandaWhale and only ask for permissions we need for a great user experience.
Now, to work on that great user experience.
The thing that was most disappointing as a Facebook app developer was that most Facebook users didn't seem to care.
We bent over backwards to respect users and then watched as Zynga, Slide, RockYou, Rapleaf, etc., won market share by stealing as much user data as they could get their hands on. It was disappointing that Facebook let them do it. It's as if Facebook were approving of that style of development.