
Introducing Anonymous Login and an Updated Facebook Login - adidash
http://newsroom.fb.com/news/2014/04/f8-introducing-anonymous-login-and-an-updated-facebook-login/
======
numair
You're an idiot if you implement this. On iOS, use the device token and
implement truly anonymous login without having to deal with anyone else
brokering your users' data; I'm not sure what the Android equivalent is, but
it can't be much more difficult.

Remember, Facebook is the same company that cuts deals with shady data brokers
like the Datalogix (the company that buys your grocery store discount card
data and re-sells it, among other things) to build a comprehensive profile of
everything you do. Using them for this pseudo-anonymous "anonymous login"
helps them a lot more than it will ever help you, as a standalone developer.

I can't wait for Facebook to trademark the term "Anonymous Login," just to
complete the irony. Remember, if it was actually anonymous, you wouldn't need
Facebook's help to implement it.

~~~
j10t
"On iOS, use the device token and implement truly anonymous login"

* What about the web?

* What about cross-platform?

* What about when the device token changes? (for example, after restoring the phone from a backup image)

My take: Facebook Login solves a real problem well and this 'Anonymous' option
is a good improvement. The name is no worse than other industry uses of terms
"Incognito", "Private", and "Cloaked".

~~~
numair
On the web? There's this great new innovation called cookies that allow for
site-based identity!

As for cross-platform and token changes -- well, you can't deal with those
situations when you're implementing something that's actually anonymous.
You're going to have to implement some sort of persistent identity. At that
point, you might as well offer a multitude of options, of which Facebook would
be one.

This login creates an unnecessary point of friction for all anonymous
applications. Just use an existing token (cookie, device token, etc), allow
your user to immediately begin using your app (that's what they expect
anyhow), and "ease your user in" to a point of giving you identifying
information if you need it.

~~~
Reedx
How would cookies solve it considering that they are temporary?

Even if the cookie expiration was set for 100 years, it's going to disappear
the moment someone switches their browser, gets a new computer, clears their
cookies, etc.

~~~
placeybordeaux
Not to mention that this does nothing for having the same login for phone and
browser.

------
jawns
Over the years, Facebook has dabbled with a bunch of different ways of apps
requesting/handling user permissions and data.

This is not, actually, the first time Facebook has enabled this level of
granularity, as far as users being able to grant permissions piecemeal.

It used to be (not sure if it still is) that an app could request one
permission here, one permission there, at various points in its application
flow. But with each request (in which you could bundle a bunch of different
permissions) it was either an "all or none" decision for the user.

This new approach just makes things a little easier, because you can present
all of the permissions and data request up front and let the user pick and
choose what should be granted.

I think this Facebook thing is really going to take off one day.

~~~
smackfu
I really liked their last iteration, where posting to Facebook was walled off
from the rest of the permissions, and separately prompted.

------
danudey
I never use Facebook Login for sites/apps, not because I don't trust the
sites/apps with my FB data but because I don't trust FB with my app usage
data.

Now, if I could log into Facebook without giving them access to my data, that
would be a killer feature.

~~~
etler
If a website loads the javascript facebook API on their site, and you're
logged into facebook in general, they know who you are and what page you were
on when the script was loaded whether you give the site permission or not.

When the http request is made to facebook, they get their domain cookie back
which has your user info in it. On top of that, when their javascript runs
they get full access to all the data of the window that made the request
meaning they get the other site's cookie as well absolutely everything else.

If you don't want to be tracked by facebook online, you only have a few
options. Disable cookies, disable javascript, or only login to facebook in an
incognito window. Otherwise, they can track exactly who you are and where you
go on any site that makes any request to facebook. Even still, if any request
is made to facebook, they can still anonymously track you even if you aren't
logged in.

As for apps, I don't think the facebook api would be able to find out the
specific usage of the app unless the app purposefully gave it up, although
they would know when you login.

~~~
codesuela
There is also Disconnect.me and Ghostery if you want to block facebook and
other trackers without disabling JS

------
morgante
As a developer and user, I love this. For many small apps, it just doesn't
make sense to ask people to create a username/password, but I still want a way
of authenticating them. This move gives me a way to leverage Facebook for that
without users giving up any privacy. A total win/win.

~~~
aw3c2
Actually at least for me, the concerns are the opposite. I do not want
Facebook to know what I am doing. I do not mind you getting my name (though I
would consider it rude not not accept a pseudonym of my choice).

------
marojejian
The most important thing FB can do is win universal login. And the #1 thing it
can do to promote that is restore some faith in its privacy commitment. This
is a very smart move.

Of course let's see how they implement it. If the process is too complex, it
won't work for users. Given their reputation on privacy - it will be hard to
recover. But (almost) no other company has as good a shot at this opportunity.

~~~
EGreg
Why should one company control identity and authentication on the web?

What we really need is a decentralized identity platform.

~~~
deftnerd
I'm working on this problem right now at blockauth.com. Launch is still months
away but its an interesting mix of Blockchain publishing, ICANN style
franchising, and paranoid levels of verification. The end result will be a
federation of OpenID providers that all vouch for a user to confirm that they
are a real unique person all while not giving any personal details about them
unless they approve.

Basically its what Facebook is proposing but we do background checks on the
accounts to ensure they aren't bots. Our privacy policy will be a lot more
serious too. No marketing or targeted advertising.

~~~
EGreg
Why do you need all that? Just curious.

I am the author of [http://platform.qbix.com](http://platform.qbix.com), and
it includes decentralized identity. Each app can run on its own
machine/cluster, and communicate with other apps. Each app is itself a user in
Q.

When a person using a user-agent authenticates with an app, they can either do
it natively (providing, say, their email address) or they can select an
external app that they already logged into. The user-agent stores the domain
of that app, and it's a simple matter of doing oAuth with that app. Except, of
course, the user id isn't given out by the user's "home server" but instead a
different "xid" (stands of external id) is given to each consumer app.

In short, an app can start life as a consumer of identity and eventually offer
to provide identity. The identity provider doesn't just support oAuth, but
ideally would allow the user to publish streams that others can subscribe to
and view, import contacts and manage access control (privacy) based on those
contacts and labels. Finally, they should be able to connect endpoints (such
as their mobile phone, email, facebook account etc.) to receive notifications
sent to their account by some apps they've authenticated with.

Whenever an app would need to display personal information back to a user,
they could do it without ever knowing their personal info:
[http://www.faqs.org/patents/app/20120110469#b](http://www.faqs.org/patents/app/20120110469#b)

What do you think?

In the future we might also encrypt this stuff so governments and others can't
get it by simply breaking into the database. I don't have any expertise in
this last part, so if anyone does I'd be curious to learn.

------
gdeglin
I'm bouncing between thinking this is great and this is awful. Ultimately I'm
very curious how developers will use it.

The main risk seems to be what happens if Facebook decides to remove Anonymous
login. You may have many accounts on your site that had logged in anonymously
and participated, but now no longer have a way back in. This seems like an
awful scenario, and yet a very possible one -- Facebook is quick to change and
remove features on Platform.

~~~
randartie
You have to register your app with facebook, thus this feature could be
removed from all new apps while still preserving existing functionality for
apps registered before the feature gets removed (if it ever does get removed).

~~~
gdeglin
Fair point, and hopefully this qualifies under Facebook's pledge to maintain
backwards compatibility for 2 years.

But of course there's also the issue that this becomes something that
developers themselves can't easily remove once they add it to their app. Or
worse, if Facebook decides to block a developer's app from platform. At least
with regular Facebook login, most developers requested Email so users could
always request that a password be sent to them as an alternate login
mechanism.

Developers should be mindful that Facebook explicitly prohibits using Platform
to build "competing social networks" (An unfortunately broad category):
[http://techcrunch.com/2013/01/24/my-precious-social-
graph/](http://techcrunch.com/2013/01/24/my-precious-social-graph/) And they
have a history of enforcing this with the bans of Yandex, Wonder, Vine, and
Voxer.

------
loceng
Isn't the issue that we don't want to share information with Facebook?

~~~
kelnos
For you, perhaps, but not for most people. There have been several occasions
where I've wanted to try an app that use only FB login, but it asked for too
much information, so I decided not to. Anon login would give me the ability to
try these things out, and possibly give me the confidence to allow a real
login. (For the record, if an app supports traditional username/email+password
login, I'll prefer that, but some support only FB, and understandably so: user
account management is hard.)

I'm getting a little tired with how out of touch people on HN seem, especially
with regard to things like Facebook. Guess what: the majority of FB's user
base does not care about privacy as much as you do. Even people who do care to
an extent, and don't implicitly trust FB, are at least comfortable with some
level of interaction and sharing on the platform. Anon login is targeted at
people who are comfortable with what they share with FB, but are wary of
giving their personal info to some random app they want to try.

~~~
loceng
Not sure how few people we're talking about. Within a couple of minutes of
posting this comment it had 10+ upvotes.

I'd disagree too, I know many non-HN people who would be happy to switch to
something else but Facebook is the incumbent.

I don't disagree with the idea of a "Anon Login" whatsoever, that is a good
idea.

~~~
jamesaguilar
Comment hating on Facebook gets upvote? Stop the presses.

Maybe I'm misreading you, but it sounds like you believe that upvotes on HN
allow you to infer something meaningful about what real, normal people
believe. Don't make that mistake. You'll be in for a rude awakening if you do.

~~~
loceng
It's one of many signals.

------
ISL
A win for new sites that are starting up and can leverage the FB sign-in
framework.

An example: I've wanted to try out
[https://giveit100.com/](https://giveit100.com/) since launch, but have been
waiting for an alternative sign-in.

Thanks FB!

~~~
ElliotH
Corrective upvote applied. But maybe don't put a comment to your downvoter in
your comments? Downvotes get fixed, and anybody can check your profile to find
out whether you are associated.

~~~
ISL
Fair 'nuf! Will nuke the edit.

------
ganjianwei
This is likely to get traction because generally:

\- people have already signed up with Facebook

\- people don't trust app developers with their FB data, and don't trust app
devs not to post crap to their timelines

\- people hate signing up for another service again with email and password
(you have to give out your email, you have to create/reuse and remember a
password)

The more open question is if it will cannibalize FB logins or get incremental
people to sign up with FB (people want to do this anonymously but didn't have
the option and gave up).

~~~
rhizome
App developers have never been responsible for a leak. I literally cannot find
a reference in the Google to an app company leaking user data they were
authorized by FB to hold.

You know what I _can_ find? Facebook having leaky permissions for a year and a
half.

------
moot
HELL HAS FROZEN OVER

~~~
bigbento
When are we going to hear the news?

> In a move to bolster its new 'Anonymous' strategy, Facebook has acquired
> 4chan for $30 billion in an all-cash deal

> "It's been an incredible journey", said 4chan founder Christopher Poole at a
> press conference in Menlo Park, CA. "Our anonymous users have been the
> driving force behind 4chan, and we look forward to bringing that experience
> to Facebook"

~~~
moot
That may in fact be the harbinger of the Apocalypse.

------
afternooner
This is the exact opposite of the product I want. The group I least want in
control of my data is Facebook and their ever changing security/privacy
policies.

~~~
hackinthebochs
Then don't use facebook login? How is this an interesting point to make at all
on this topic?

------
outside1234
tl;dr: App gets no data and Facebook still gets the same data. Total win for
Facebook.

~~~
mcintyre1994
Total win for the user though. Short of using their javascript to spy on the
webpage you're on they don't really get any usage data anyway?

------
jtchang
This is what happens when users are screaming "I want my privacy back" and you
are stuck between corporate goals of monetizing users and user experience.

~~~
IBM
Which is a refreshing change compared to how Google has been in recent years.

------
Jemaclus
I suppose it still tells that service that I have a FB account. Better than
telling them everything about me, I guess?

~~~
minimaxir
Additionally, Facebook knows _which_ apps you are using anonymously, which
could have problematic implications when incorporated with Graph Search.

~~~
angryasian
this is exactly what it is. They can still target ads and understand your
preferences and behaviour.

~~~
pyronite
The horror!

------
ecocentrik
Facebook keeps framing thier role in providing OAUTH as one where they are
protecting their users from all the bad guys on the outside. I thought it was
clever marketing when I first saw them take this position but it seemed
obvious to me that anybody who implemented Facebook login was giving Facebook
the upper hand. One party gets free advertising and the other gets a scary
looking permissions page that makes them look like an identity thief. In the
process, the first party transmutes their bad press into the appreance of good
will in countering the second party's apparent bad intentions.

Everybody must have caught on to Facebook's bad will psych game by now so why
would anyone keep using Facebook Login?This latest change just moves the bad
will to your login page. Every time someone moves to log in they will be
reminded who Facebook thinks should be trusted and it's never going to be you.

------
asnyder
Wow, it seems like they finally got rid of the minimum e-mail, profile,
friends and all that jazz. Just finished reading the dev docs and it seems we
can finally limit the minimum scope. Facebook can now just be used as a
standard login.

Though they now need to educate users so that they don't still feel that their
privacy is being violated.

------
EGreg
The only benefit of anonymous facebook login over a native session is the
supposed "cost" of creating too many accounts, and enabling things like a
[http://en.wikipedia.org/wiki/Sybil_attack](http://en.wikipedia.org/wiki/Sybil_attack)

Actually I would like to ask if anyone here knows of more good solutions for
making creating accounts expensive. Captchas ain't it anymore.

The best one I know is Phone Verification.
[http://www.blackhatworld.com/blackhat-seo/making-
money/59699...](http://www.blackhatworld.com/blackhat-seo/making-
money/596992-way-bypass-craigslist-phone-verification.html)

Buying a cellphone in order to get an account is expensive enough. But is
there something better?

------
neil_s
Nice one. I've been using a Chrome extension called fPrivacy to do this
presently on the web, since very few websites actually check to see if they've
got all the extraneous information they requested. But it sometimes breaks the
login process, so it'll be nice to get rid of it.

Next top feature Facebook should introduce: Automatically generate a new
anonymous email address for each app. I can then go into Facebook settings
later and prevent any of those addresses from forwarding to my personal
address if that app starts spamming or gets hacked. They did have an anonymous
email feature at some point, but it wasn't fully ready yet.

------
programminggeek
This is a horrible idea for app developers. If someone wants to sign up for my
app, but doesn't want to create a real user account with an email address and
personally identifiable information, then I don't have a real customer
relationship or anything of value. So, why even make them log in?

I guess I just don't see the point of requiring a user account if it isn't
adding value to either the user or the app creator.

One more reason not to use Facebook as a login mechanism I guess.

~~~
xahrepap
Because, it's a lot easier to just sign up using your Facebook account rather
than trying to remember yet another password. But I don't want every little
site to know my personal information. It's none of their business. I just want
to log in quickly.

Logging in to a site provides more value than just sharing personal
information. For me, I rarely, if ever, want a site to know my personal
information. That's why I rarely use Facebook login service. Now I will.

~~~
gtremper
Agreed, however, there are a few pieces of information that I find useful for
Facebook to share. Namely my profile picture and sometimes my friends list.
Though gravitar somewhat solves the profile picture problem.

------
nollidge
If anybody else is wondering what the hell "f8" is:

[http://en.wikipedia.org/wiki/Facebook_f8](http://en.wikipedia.org/wiki/Facebook_f8)

~~~
smickie
It's like their annual conference for developers. Like Apple's WWDC. Or
Microsoft's... (not sure what it's called).

I love the name F8. It's a great play on words.

------
melindajb
another idea, but thinking the following:

1\. anyone who wants to use a site has to create an account with a fb
"anonymous" login. there would be no more "free" access" because then you can
start to tie free user behavior to actual conversion.

2\. Once the user wants to pay, this is tied to giving more information--at
least name and email address.

Will be interesting to see the details, because tying free behavior to
conversion is a holy grail for marketers.

------
yawgmoth
This seems like a fairly natural step for Facebook, as increasing app
dependency on Facebook for account authorization is a step towards building a
platform.

------
EGreg
So basically fb gives each app a unique uid for that user so they can't be
tracked across apps right? And returns no info for them?

Has anyone actually tried using this?

------
melindajb
Will developers be able to reject customers who insist on anonymity? If not,
I'm inclined to lean away from offering Facebook login.

------
primitivesuave
It's a great idea in theory, but a pile of shit in reality. What's the point
in using third-party authentication if you get zero data from it? Unlike
Facebook, my goal is not to sell user data to the highest bidder, it's to have
the user skip the steps where they enter their real name and confirm their
email address.

~~~
jawns
While it certainly seems like it does _you_ no good, I can definitely see a
legitimate use case for it.

Suppose you're creating a site -- let's call it Hacker News -- that requires a
user to log in, and _all you care about_ is the part where they enter their
username and password.

From there, you're able to assign the user a unique ID and persist their
preferences (e.g. header color) across sessions.

It's not exactly a difficult project to roll your own login system, but
Anonymous Login gives you the added advantage of being able to "upsell" users
into providing more information, if they feel comfortable sharing it.

------
Pxtl
This is one case where Facebook is really showing Google how it's done. I
mean, Google is failing to get Google Plus accepted as a social layer for
Google's _own_ pages, while Facebook is working on getting Facebook accepted
as a social layer for _every other site on the Internet_.

------
drdaeman
We seem to start to really fail making distinction between anonymity and
pseudonymity.

"Anonymous login" means you provide no identity information whatsoever. If
you're "person #123456789" or "f93f9211-9f49-4bad-ad34-e00f8c536b0f" or
whatever - you're not anonymous.

------
danielrakh
This is great. As an iOS developer this lowers the barrier of entry for people
to try out your app.

------
izzydata
What is the point of this? I don't want to have to login with facebook at all.
If some site has facebook login requirements I simply don't use that site
anymore.

If you use facebook login for your site then you are shooting yourself in the
foot if you care about users.

~~~
refrigerator
"If you use facebook login for your site then you are shooting yourself in the
foot if you care about users." The vast majority of Internet users would
disagree with you here. From the user's point of view, FB login lets you sign
up to things in 2 clicks instead of having to fill out forms, most users would
consider that a blessing.

~~~
izzydata
Then use one of the other implementations. The problem is it being facebook,
not the concept.

------
minimaxir
How long until Facebook releases a photo app with Anonymous Login as its
central feature?

------
geoffsanders
If you want truly anonymous login, might I recommend
[https://launchkey.com](https://launchkey.com)

Obviously there's nothing truly anonymous about this service if Facebook knows
everything about you...

------
cowchase
I'm surprised nobody has mentioned SQRL for truly anonymous identification and
authentication yet
[https://www.grc.com/sqrl/sqrl.htm](https://www.grc.com/sqrl/sqrl.htm)

------
oliomel
I don't know if this is silly, but...

what happens when people blindly trust a button and someone decides to exploit
that by making a fake one open a phishing pop up requesting your Facebook
credentials? Has this been done?

------
grrowl
By the way, Facebook already knows you're using an app _before_ you log in,
when the app pings Facebook to check the login status. This only prevents
usage information leaking back to the app itself.

------
marincounty
I've used a sudonym for years. FB depresses me? I guess because I see my
friends ageing. I did reserve my real name; in case I ever really liked FB,
but I am still using a civil war veterans name.

------
jfernandez
Seems like an interesting choice for a demo video to showcase Flipboard (i.e.
regarding their own stake in this realm of products, Paper). Granted this
isn't about that, but that was fun to think about.

------
Touche
Wish this went farther and Facebook only did the "this guy exists" exchange,
otherwise not keeping a record that the request ever happened.

------
harmonicon
Does an ad-free, data-collection free and paid subscription based version of
Facebook has any chance in the market?

------
gradstudent
I'd like to know why "Anonymous Login" is not the default and single login
option.

------
bhartzer
So when are anonymous logins a part of Facebook's privacy plan?

------
mahyar
Anyone knows when the changes become effective?

------
peterbe
Too late. Users don't trust facebook no matter what scopes you [don't] ask for
and tell people "we never post on your wall".

------
jchysk
This isn't anonymous login. Facebook still knows what you're logging into.
LaunchKey is true anonymous authentication.

------
donniezazen
Anonymity on Internet is a myth.

------
cliveowen
"People tell us"

People don't tell you anything, they don't have a way to do it. Facebook just
does whatever it wants without caring about the users, lets cut the BS.

~~~
officemonkey
A supervisor is a person.

~~~
coherentpony
Companies are people too.

