
Facebook's Internet identity monopoly - colinprince
http://www.somebits.com/weblog/tech/bad/facebook-owning-single-signon.html
======
randomwalker
I highly recommend taking a look at Facebook's Yishan Wong giving his views on
"What's wrong with OpenID". <http://www.quora.com/OpenID/What-s-wrong-with-OpenID>

Some quotes:

 _OpenID is the worst possible "solution" I have ever seen in my entire life
to a problem that most people don't really have._

 _A nerd will wrinkle up his nose at these [non-OpenID] solutions and grumble
about the "security vulnerabilities" (and they'll be right, technically) but
the truth is that these solutions get people into the site and doing what they
want and no one really cares about security anyways._

Let's think about that one for a second. I find this rather typical of
Facebook's attitude in general—a monomaniacal focus on increasing engagement
or whatever metrics, a complete disregard for externalities and an arrogant
rejection of any sort of social responsibility. This is what makes them so
successful as well as so dangerous to the rest of the ecosystem.

~~~
iamdave
An arrogant rejection that seems misplaced.

He talks about a problem that most people don't have, and then goes on to
state nerds turn a nose up at "security vulnerabilities".

At the core, it's a problem that most people _do in fact_ have, it just is not
presented to them in a fashion that is easy to digest, or even tasty enough to
consider ordering from a menu. The typical computer user doesn't think about
what happens to their password in transit, they enter it, hit enter and say a
short prayer that they didn't typo so they can get where they want to go, and
get on with life.

If the OpenID marketing initiative focused MORE on the "stop remembering
passwords" a little harder than they had, maybe it'd still be relevant outside
of tech circles.

And furthermore, building on the "solution [...] to a problem that most people
don't really have"

Didn't Facebook essentially go about solving that "problem" themselves, albeit
packaged up in a nice wrapper with your friends and social profile as the
adhesive tape?

~~~
unconed
OpenID was failed from the start, and that's ignoring all the problems that
happened around the project (e.g. at SXIP).

For one, it was too limited in scope: it assumed it would operate only within
a traditional browser, that cookies are the only place you ever need to store
information and that the user is always there to authorize every single
action. You can't use OpenID to delegate or automate anything and OpenID just
doesn't work well e.g. in desktop apps or on mobile devices. It's locked to
one particular interaction flow, and it's not even a good one.

For another, the whole thing was designed by and for people who run websites.
99.99% of the world does not have their own personal domain and the idea of
using a URL as their identity was just confusing and weird. Features like
delegating your identity using HTML Meta tags on your site are misguided toys
for tech nerds with no real world relevance.

Finally, the parts of OpenID that would actually be interesting, i.e. the
selective, automatic sharing of information between sites to avoid long
signups, never went anywhere, ensuring there would be no actual benefit for
the end user for using OpenID.

Facebook didn't just bring a solution that solved all of this, with Facebook
Connect and OpenGraph, but they also delivered the user-base to go with it.
Think of all the bad privacy PR that Facebook has gotten... has it dented
their image? Nope. Because FB connect is too valuable in keeping the barrier
of entry low. When given the option, people prefer FB connect.

The point about security isn't that it doesn't matter, but that OpenID is a
completely secure solution that nobody really wants to use. Anyone who knows
crypto can design a secure handshake, but it takes a lot more to design
something that people actually want to use.

~~~
iamdave
_Facebook didn't just bring a solution that solved all of this, with Facebook
Connect and OpenGraph, but they also delivered the user-base to go with it.
Think of all the bad privacy PR that Facebook has gotten... has it dented
their image? Nope. Because FB connect is too valuable in keeping the barrier
of entry low. When given the option, people prefer FB connect._

EXCELLENT rebuttal, I hadn't thought to look at FB Connect like this with my
original comment.

------
msy
The thing that amuses me is the more Facebook attempts to become the
monolithic center of identity online, the more people I know have multiple
accounts or simply stop using it altogether. Of late I keep hearing of people
setting up 'throw away' Facebook accounts for services that require it. A
single identity is fundamentally at odds with the way people work, the more
this is pushed, the more people will shy away or hack around it and in the
process the more damage Facebook will do to its much-vaunted social graph.

~~~
gabaix
I am not sure. It might be true for developers, but most people don't care
that much. They just want to sign in, fast.

~~~
henrikschroder
That depends on the service. There are plenty of such where you just want to
sign in, fast, and don't care that you appear as your Facebook personality on
that service.

But there are services where I think people care, where having their activities
on that service tied to their Facebook personality is something they don't
want. The obvious example is dating sites, but also simple things like blog
comments are affected.

Techcrunch had an article on how their comments "got better" after switching
to Facebook Connect, but they also noted that there were much more positive
comments, and far fewer negative ones, much less constructive criticism,
because people don't want to appear negative in front of their Facebook
friends.

I think a lot of people care enough about anonymity or at least pseudonymity,
so the more services that require you to have a Facebook account, the more
fake accounts will be created. The more they tighten their grip, the more
users will slip through their fingers...

------
spullara
Facebook Connect is winning for more reasons than a great consumer experience.
It is also a great publisher experience.

1) Facebook Connect provides access to real identity (as opposed to an
anonymous token) and they actively try and weed out bad actors

2) Facebook social plugins are easier to use than OpenID

3) Facebook Connect provides distribution of content to people that trust the
user (on average 150)

4) The user's Facebook profile provides usable insights to the publisher for
targeting and follow-on marketing

In order for something like OpenID, Google Login, Yahoo Login, Twitter
@anywhere, to beat Facebook they need to provide a competitive set of
functionality to the publisher and equal ease of use to the end user.

~~~
X-Istence
I've got 34 fake Facebook accounts now, and counting. They all have "lives",
they all have friends, and so far Facebook hasn't removed a single one of
them. None of them are real, none of them have phone numbers. Some of them are
used simply to prove a point to various friends that they don't check who they
friend too closely, and I use them for websites that require Facebook logins
to comment.

~~~
Joakal
But could you automate creation of Facebook accounts with fake real-looking
data?

As it stands, email registrations can be automated to the point that their only
use on popular sites is to confirm being able to receive emails.

------
blues
I intend to retain my independence on the Internet! None of this "cloud" stuff
for me! I will have nothing to do with Facebook, and their identity monopoly.
I would much rather just start my own blog:

<https://en.wordpress.com/signup/>

My WordPress.com site can always be transferred to a host of my choosing
(especially if I register a similar domain name) (and not at giant GoDaddy).

I simply will not post on sites that require Facebook, or Blogger, or Yahoo!
accounts to log in. Period.

Except for banking (which I try to avoid online) and really special logins, I
simply use one very-hard-to-crack password for everything, like
"bluefrogsridelogsatsunset". People argue about how hard it is to crack
passwords, and what kinds of passwords are secure, but I'm pretty sure that no
one (except perhaps the government) can really crack a password such as the
one above. This solution is good enough for me!

~~~
Joakal
> I simply use one very-hard-to-crack password for everything, like
> "bluefrogsridelogsatsunset".

I suggest using the master password to manage other passwords (Browser might
have a password manager, KeePass or tons of other password managers). Sony,
Newegg, Facebook and some other companies can see passwords in plain text
which could be used in conjunction with your email or similar contact methods
to infiltrate your account.

~~~
blues
I don't use a "generic" password to register at companies; they tend to
require credit card transactions, etc.

I actually do use KeePass for several things, and I think it really is more
secure than my "simple solution." Plus it keeps my data in a nifty portable
"*.kdb" file. But it's just a bit clumsier to utilize. I don't use the Firefox
password manager, which updates often; who knows what might happen when it
does? KeePass is available at:

<http://keepass.info/>

------
snprbob86
The market share of Facebook's identity system is troubling to many folks, not
the least of which is Google.

OpenID has proven to be too damn complicated. Mortals can't understand it.

Mozilla's Account Manager seems like an awesome solution:
<http://hacks.mozilla.org/2010/04/account-manager-coming-to-firefox/>

It seems to me that Google, with its popular browser and web services, is
ideally positioned to popularize an account manager protocol. And with the
heated competition with Facebook, they've got just the right motivations.

~~~
Joeboy
> OpenID has proven to be too damn complicated. Mortals can't understand it.

I think it's more that mortals see no reason to bother understanding it. It's
conceivable that lulzsec etc might help change that.

------
AlexeyMK
TL;DR - agreed, I expect the government will eventually force Facebook to open
up and support a common federated social networking standard.

As spullara explains below, Facebook's monopoly has come because Facebook
Connect is an all-round better product. Publishers get access to easy
syndication ("oh, you just joined XYZ? Here are some badges; want to share
them on Facebook and let your friends know about us?") as well as higher-
quality users overall (Facebook accounts tend to be real). Users get a single
login from a service they (mostly) trust and easy integration with their
social network ("oh, John's using turntable.fm too? Sweet!").

The brilliance of Facebook Connect is the tie-in of syndication with identity.
Logging in with Facebook is a better experience than just registering, for all
parties involved. This is why Facebook Connect works and why MSN Passport
failed a decade ago.

The monopoly side of things is going to become a problem in the coming years;
I for one expect federal intervention in the form of mandating a common
federated social networking platform (a la, but not necessarily, via the
protocols developed by diaspora). Federation and decentralization is what
happened with phones and with email; if Facebook/social networking-style
communication is the next generation, it seems like a reasonable next step.

Most users will never tell the difference, at first - Facebook will remain
their default client both for login and for reading friends' profiles and news
feed. With time, however, competitors will begin to emerge and offer alternate
interfaces for either news feed filtration or for identity, opening up space
for innovation in a place once dominated by one or more entrenched players
(Firefox vs IE, Gmail vs Hotmail/Yahoo/AOL). Early adopters will be using
social networking tools but will be able to seamlessly interoperate with
people still on Facebook.

Perhaps I'm naively optimistic, but I'd be excited for a future like that. For
now, though, I'll stick to Facebook Connect - the bigger it gets, the more
likely regulation will occur.

~~~
mattmanser
_I expect the government will eventually force Facebook to open up and support
a common federated social networking standard_

Seriously? This will never, ever happen.

Ever, ever, ever.

That's just not how life works. Or businesses. Or how the US government works.
It's the total antithesis to the American ideals. It wouldn't even have a
chance of happening in social democracies in Europe, let alone America.

Ever.

~~~
Unseelie
Ma-Bell breakup? Standard Oil breakup?

I fail to see how things like that never ever happen. It doesn't happen in
quite the same way, but the fact is, anti-trust isn't antithesis to the
American ideals. Allowing one company a position where it can toss abuses both
upstream and downstream of its supply chains doesn't mesh at all with a market
interested system.

~~~
protomyth
Ma-Bell and Standard Oil were essential services, Facebook is entertainment.

~~~
Unseelie
I don't see an Internet wide login and identity service as related to the
entertainment industry any more than it is to many others. Furthermore, I'm fairly
certain that Facebook's business, while it facilitates entertainers, is not
actually engaged in entertainment. To argue that it's different from Ma-Bell in
its basic feature, connecting people, I feel is a complete misunderstanding of
the service.

Of course, my sister uses her telephone connection for entertainment as well..

~~~
protomyth
I think you're taking my "entertainment" to mean the industry and not a
category. Facebook is not an essential service of the internet. It is not the
only way to communicate like Ma Bell was. It is not a dictating force in the
economy like Standard Oil was.

~~~
Unseelie
I'm going to take issue with both of those comparisons. Standard Oil was only
a dictating force in the economy for a short while, after it took over every
other oil distribution company. Oil is a dictating force, the company was
simply an outgrowth of scarcity rent.

Ma-Bell was in fact, not the only way to communicate. That's like saying
Phones were the only way people got in touch. It's simply and patently wrong.
As far as industries that did Ma-Bell's job, you've the post, television, and
radio.

~~~
protomyth
The post cannot be used to get the police or anyone else in a timely manner.
Television and radio are broadcast media and only really go one way. Ma-Bell
was it.

Cars didn't run on something Standard Oil did not sell.

------
IvarTJ
I’ve always found OpenID’s lack of similarity to email addresses immensely
stupid. Email addresses are infrastructure that isn’t going away any time soon,
and your grandma might have had a chance of actually using OpenID if she
didn’t have to type something long and completely unfamiliar that last time I
checked necessarily begins with <http://>.

------
jcfrei
Whenever possible I create a separate account for each web service. I'm very
aware of the downsides of managing separate accounts and logins but I refuse
to host my whole identity with one company. It just doesn't seem right to
entrust most of my digital life into the hands of a single private or public
company. There shouldn't be a single institution which holds that kind of
information - not even a government.

------
bugsy
One group wants Facebook to control identity, another OpenID, another Twitter,
and another wants the federal government to impose identity requirements.

They all have in common that individuals no longer have control over their own
identity. Instead they must cede power over their lives to others who pull the
strings.

There is no need for identity providers. The entire concept is totalitarian,
offensive and horrific.

~~~
nametoremember
If we think about real life, you need an identity for things like passports,
state benefits and some other stuff but with normal things like shopping you
don't need an ID at all.

So if I go to a shop and buy a tshirt then I have done that pretty much
anonymously but if I buy on a website that requires a Facebook connect login
then I have given way more information about myself.

------
vnchr
OpenID had its chance.

------
gallerytungsten
Whenever I see a facebook login required for site access, I decline to use
that site.

------
a3_nm
Can we really say it's a "monopoly"? I would agree if users had been
brainwashed to the point where they would refuse using anything else than
Facebook Connect, but, as the author mentions, there are a lot of possible
alternatives for them to use (or they can roll their own).

There is no real Facebook monopoly imposed on website publishers -- there is
just a monopoly imposed on the users of those websites where Facebook connect
is the only option or the only visible option. I agree that it's a concern,
though.

