In the last few weeks, friends of mine — savvy friends of mine — have been hit by sites that ask for your gmail, yahoo, or hotmail password just so they can “check to see if your friends are using the site!” Quechup, the so-called “social network that’s sweeping the globe” is accomplishing that grand goal by spamming your friends without your permission. So is Shelfari. And so are many others I don’t know of, I’m sure.
Of course, this is fraud. But do we really expect the FTC or any branch of law enforcement to be able to pursue all the ethically challenged small companies and off-shore sites that will engage in this kind of deception? I don’t think that’s practical.
At first I was upset at sites like LinkedIn that ask for gmail/yahoo/hotmail passwords, or platforms like Facebook’s. Even though they are not apparently abusing the credentials, they’re still getting users accustomed to the concept of entering one site’s password on a different site. But if you look at it from the LinkedIn point of view, what choice do they have? How can they properly integrate with your address book when the big three haven’t developed (or at least haven’t publicized) an API for other apps to integrate with your address book?
I think I know why: the user’s address book is the crown jewel. Let it be accessed by others, and users might get their services elsewhere. But frankly, I have no sympathy for the big providers who achieve lock-in via this method. It’s my data, I’m storing it with gmail, I should be able to let any application I want get access to it if I choose. And, more importantly, gmail should provide a convenient and secure approach for me to do this. Someone wants to spam my address book? There should be an API for doing that, with a nice friendly Google warning that says “you’re about to spam 150 of your friends, is that okay?”
If Google doesn’t provide the API, then LinkedIn has to ask for passwords and log in to Google as if it were me, so it can do the things that Google only lets me do. The good sites, like LinkedIn, and the bad sites, like Quechup, become indistinguishable. Reasonable security advice, like “don’t give your password to anyone” becomes moot. In other words, by failing to provide an API, Google is encouraging poor security practices because everyone wants an API, so they’re finding the quickest fix, and the quickest fix is to ask for your password and take total, unmitigated control.
So Google, Yahoo, and Microsoft: please protect my data. Protect my data by providing a door with a good and flexible set of locks so I can let people in when and how I want. Otherwise, I’ll have to let people break in through the window, and once that window’s broken, I have no control left. And that’s bad for everyone.
update: I put Shelfari in the same category as Quechup based on a friend’s experience. Going through the site myself, I have to apologize to Shelfari, because they’re not deceiving the user the same way Quechup is: they do tell you they’re about to “invite friends.” The message could be clearer, and having a default of spamming everyone is not the right approach. But it’s not user deception, and I apologize to them.