

The Problem with Facebook Connect - teej
http://dcurt.is/facebook-connect

======
idoh
I work on viral FB apps, it is a numbers game. Without an auth flow the 2nd
day retention is maybe 1-2%. With an auth flow + wall posts, it is true that
60-80% won't auth the app, but we get enough people who do and come back the
second day to make it very worth it.

Facebook policy is that an app should not autopost without permission, even if
technically there is the capability, and that policy is enforced on their end
and respected on ours, so you are still free to auth the app but decline the
autoposting if you choose to.

------
gabaix
Every time I Facebook Connect to an app, I check my profile that nothing was
posted. Even if Facebook does say if the app will post on my wall or not, I am
just confused on what is going to happen next.

It is one of those things that prevent me from signing up at all.

~~~
cwilson
This is why it's a very good idea to include the line, "We will never publish
anything to your timeline without your direct permission", on your sign-up
form. Or even more direct, "We promise not to post to Facebook that you signed
up with us!".

Something along those lines will go a long way in getting me to use Facebook
Connect to register for your application, because like you, I immediately go
check... and I'm infuriated when they do.

~~~
gtufano
You're right about the line. But, as an anecdote, Pinterest has a very
similar line and I found a bunch of "xxx has begun to following yyy" (or
something like that) after the "automagic auto-follow all my friends". I
discovered the "feature" of the posting only because someone answered to my
post... Now I'm _way_ less confident on the promises made on login...

~~~
cwilson
Yep, this happened to me as well. There seems to be some confusion, which no
one is addressing because they want the virality, around the initial "User
signed up for Product! Try it out!", and then future pushes based on user
interactions or automagic sharing.

You have to remember too, that we are the minority, and most users (especially
of services like Pinterest, which people absolutely love) don't really care
about this stuff, or think it's normal.

------
xxbondsxx
If you're ever worried about an app posting to your timeline or you want to
use an app that only grants access based on the permissions you give it (like
the horrid Washington Post social reader), there's a really simple fix. Just
select "only me" from the "who can see this activity?" dialog box. It's
sometimes a very light non-contrasty color (which is sneaky), but after doing
this the app can spam 1000 stories on your timeline but it will never be seen
by your friends.

Sure you will be able to see it, but you can then remove the stories at your
convenience. Even when I disable permissions and double check the dialog box,
I always click this to make sure.

------
latchkey
This is why I'm gunning for BrowserID and so should you. At least someone is
trying to solve the problem and doing a good job of it.

It doesn't abuse user trust and when it is fully integrated into the browser
(I imagine it as a replacement for those lame http auth dialogs), it'll be a
no brainer.

~~~
thomaslangston
It seems to me like most of my Twitter authenticated apps don't auto-spam. I
think this is a Facebook culture and default settings problem more than
anything.

~~~
philgo20
bingo

------
LocalPCGuy
This post is quite misinformed, IMO. Yes, many apps ask for the permission to
post to your wall. You can say no. You can also go into your Facebook settings
and remove that specific permission from the app, and then the app can no
longer post as you, but the login functionality would still work (assuming
they were halfway competent in their coding.) I often will remove the wall
posting permission right after I grant the permission.

And as to the proposed solution, Facebook doesn't need to do anything. Those
developing the apps don't NEED to ask for the permission to post to your wall.
The developers (and business rules) determine what permissions to request, and
we frequently build apps where all we ask for is basic information or basic +
pictures, for example. There is absolutely no reason that the developers MUST
ask for permission to post to your wall except that they are going to do it,
probably without asking you first (which is EXACTLY what you granted them
permission to do!)

So the answer to the problem is, don't login with apps that require you to
grant permission to post as you. Or, immediately deactivate that access if you
must use that app. Or do as others have mentioned, and just set that app to
only be visible to you. You get the "benefit" of the posts, and it doesn't go
out to anyone else.

The real problem is, most people just don't care. Facebook gets 80% CTR on
permission dialogs, and almost 50% of people prefer social login to creating
an account or using a guest account. Facebook has a great incentive to make
sharing as frictionless as possible, so we are only going to see more ways to
share things easier. I'm not saying that sharing is bad or evil, just that
people should be making that choice consciously, not just blindly clicking it.

------
deepkut
I agree with you that FB Connect has tremendous potential, but I disagree with
you regarding how negative people view it.

Using FB Connect for Greekdex has (seemed) to be effective. You must consider
your audience--Greeks, even at UPenn, are less worried about their "sensitive"
data in comparison to a startup that targets techies who are very aware and
paranoid about their data.

I wrote about how companies should "stand on the shoulders of Facebook," feel
free to read about it here:

[http://blog.greekdex.com/post/17396768249/stimulate-the-econ...](http://blog.greekdex.com/post/17396768249/stimulate-the-economy-via-facebook-data)

EDIT: I made a bold statement out of pride that was relatively unrelated to
the discussion.

~~~
FuzzyDunlop
This logic is fallacious.

    
    
> In just a week at UPenn, our startup Greekex has
> received 500 registrations via Facebook Connect
> (we do not offer an alternative login).
    

500 registrations via Facebook Connect compared to what, exactly?

Any idea of how many _didn't_ sign up after visiting, or backed out?

You have no alternative login so you can't compare it against people opting
for those.

How about projected signups? Were your expectations met or exceeded?

All you're saying here is that you've had 500 signups through Facebook. No
useful conclusion can be drawn from that.

~~~
deepkut
Ok, in hindsight, I agree that might have been a pointless statement in the
grand scheme of things, but 500/3000 Greeks in one week is significant market
penetration. This is also a MVP that we developed in 4-5 weeks, so I say that
with pride.

------
tlianza
The new auth dialog resolves a number of the fundamental problems described in
this article, namely the second step where the user can individually reject
extended permissions: <http://developers.facebook.com/blog/post/578/>
[http://developers.facebook.com/docs/opengraph/authentication...](http://developers.facebook.com/docs/opengraph/authentication/)

I think the post is a bit anachronistic. The dialog box has changed probably
ten times since Connect launched, and there was a period where it was a slew
of checkboxes to enable/disable ("always been bewildered by the way Facebook
implemented Facebook Connect").

In addition, the feature of an off-site app to publish to your stream without
asking you has come and gone (remember Beacon?), and has only recently come
back with the advent of Timeline and publish_stream permissions. (which, IMHO
is just like Beacon, only this time "we're ready for it.")

The article does seem to suggest that it has been a longstanding problem
however, and that's simply not true - the abilities of what a Facebook-
connected app can do, and the UX around it, have changed many times.

------
grandalf
Facebook is very intentionally trading trust for virality. This is b/c most
users don't really care. Over time the balance will shift back toward trust.

Google made the opposite choice, and is now shifting its focus to de-emphasize
the trust of its users, or put differently, google's new privacy policy (if
successful) leverages the years Google spent building trust.

~~~
zyfo
This is a good point but we shall never forget the intersection between FB and
G+: _if you aren't paying for it, you aren't the customer_

~~~
Drbble
That canard doesn't hold sway anymore.

------
sofifonfek
It seems like a more or less reasonable solution but it defeats the whole
point which is to use and abuse users' data and circle of facebook friends.

If you remember several years back when it was discovered that ads had become
inefficient because people learned to filter them out after being exposed too
much for too long but that if the ad came from a member of the social circle
it bypassed this filter and has the potential to go viral, which pretty much gave
birth to so-called viral marketing.

Well it seems facebook is the realm of a combination of viral marketing
(trying to pretend not to be an ad in disguise) and spammer strategy (a large
enough number of potential marks ensure some will fall for it). IINM this is
what facebook currently pushes for in a renewed attempt to monetize their
userbase.

This _seems_ like a reasonable solution I said, because the real problem with
facebook connect is that it links real world identities (or rather facebook
profiles which is close enough to real world identities) to online activities
that users don't necessarily want the world to know about. And while facebook
uses this to collect even more data about its users, the users have no control
over it.

tl;dr: the real underlying problem of facebook connect is the same old "if
you're not paying for it, then you're the product being sold".

------
SMrF
I think solving this problem is just a band-aid. As sites like Facebook and
Twitter have become mainstream privacy concerns are also becoming mainstream.
We're going to have to develop better ways of working with people's data --
kind of like PCI compliance but for personal data. I'm no fan of regulation,
just making a prediction.

That said, if you don't need access to someone's entire social graph and just
need an email, you should just ask for an email. Let's at least start there.
But when the only business model anyone seems to know is "collect metric tons
of data and sell it to advertisers" I'm probably yelling into the void.

Edit: err...oops. That probably sounded a bit spammy based on the down votes.
Suffice it to say I'm starting a nonprofit in this vein. Info is in my
profile.

------
uiri
As a developer it wouldn't be hard to implement this. Create a Facebook Login
button which logs in with Facebook but doesn't allow the post-as-me
permission. Create a separate button once they've logged in which says
something like "I want to share this with my friends now" which would ask for
the share-as-me permission. Or set up the dialog so that it only asks for the
share-as-me permission when the app needs the share-as-me permission. I think
this is more developers not putting enough thought into what permissions they
actually need vs what permissions are nice to have.
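
The split described in the comment above, as an added example that is not part of the original post: sign-in requests no extended permissions, and `publish_stream` (the permission named elsewhere in this thread) is requested only when the user chooses to share. The app id, redirect URI, state value and function names are assumptions made for illustration.

```javascript
// Added example (not from the thread): request publish permission only at share time.
// APP_ID, the redirect URI and the state value are constructed placeholders.
const DIALOG = 'https://www.facebook.com/dialog/oauth';

// Least-privilege map: what each feature needs beyond the basic profile.
const REQUIRED = {
  login: [],                  // plain sign-in: ask for nothing extra
  share: ['publish_stream'],  // needed only once the user clicks "share"
};

// Permissions a feature needs that the user has not granted yet.
function missingPermissions(feature, granted) {
  if (!Object.prototype.hasOwnProperty.call(REQUIRED, feature)) {
    throw new Error('unknown feature: ' + feature);
  }
  const have = new Set(granted);
  return REQUIRED[feature].filter((p) => !have.has(p));
}

// Build the dialog URL; `state` is a per-session anti-CSRF value checked on return.
function dialogUrl(cfg, scope) {
  const q = new URLSearchParams({
    client_id: cfg.appId,
    redirect_uri: cfg.redirectUri,
    state: cfg.state,
  });
  if (scope.length > 0) q.set('scope', scope.join(','));
  return DIALOG + '?' + q.toString();
}

// Login always shows the dialog; other features show it only for what is missing.
// Returns null when no prompt is needed.
function authStep(feature, granted, cfg) {
  const missing = missingPermissions(feature, granted);
  if (feature !== 'login' && missing.length === 0) return null;
  return dialogUrl(cfg, missing);
}

// Server-side guard: never post unless the permission was actually granted,
// even if the user was shown the share prompt and declined it.
function mayPost(granted) {
  return missingPermissions('share', granted).length === 0;
}
```

The `granted` list should come from what the platform reports for the user after the dialog returns, not from what the app asked for, since the user can decline or later revoke the extended permission.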

------
jseims
From the perspective of a web developer, what I don't like about Facebook
Connect is I give up ownership of my user accounts.

In other words (unless I ask for and maintain separate user tables), all the
login credentials stay with Facebook. And if they ever decide to stop
supporting my site, I lose all my users.

I'd be willing to pay for a FB Connect like service if I trusted it (which
would probably mean the ability to download login info on anyone who
connected, so I could roll my own user management whenever I wanted).

~~~
slig
Someone posted this idea the other day: save the user's email and if you ever want
to get rid (or if you get kicked from) fb connect you can ask the user to
reset their password.

------
steve8918
I agree with this posting. Facebook has done a terrible job of protecting
users with the Facebook login to the point where it's completely untrusted.

When I come across an iPhone app that asks for a Facebook login, my first
thought is "Which one of my fake Facebook accounts should I use to log in
with?" There is no way I want some app to upload my friends list, etc, on
first use without me knowing exactly what is going on, a la Path. Both Apple
and Facebook are guilty of this and they need to fix this quick.

------
krausejj
i wanted to write a similar blog post to this - facebook has done itself and
all developers a huge disservice by botching Facebook Connect and frankly the
entire permissioning system for accessing the social graph - users are so
frightened that apps will be able to publish on their behalf that they will
not even click a Facebook Connect link - even if the text next to it says it
is only asking for the most basic permissions.

This hurts the whole social ecosystem on the web - cool apps can't get
traction, new redundant networks end up springing up because people can't
leverage the existing graph, and users are frankly scared. The really sad part
is that these days they usually have nothing to be scared of - Facebook's
permissioning system is so onerous that most developers have access to very
little data and can do hardly anything without a user's explicit permission.

I wish there was a way for Facebook to redeem itself with regard to Connect,
and to rebuild user trust. I am doubtful.

~~~
Drbble
You're right about everything except where you mistakenly think that users care.
Users who care are statistical noise.

------
prabirshrestha
FB recently introduced Enhanced Auth Dialog which solves the problem you
mention about.
([https://developers.facebook.com/docs/opengraph/authenticatio...](https://developers.facebook.com/docs/opengraph/authentication/))

It allows users to remove permissions such as posting to facebook.

Unfortunately it is opt-in for apps.

------
ashot
they sort of have this with extended permissions (which can be turned off by
the user), but he's right in that it's too complicated and not communicated to
the user well enough to actually be useful

------
Baba_Chaghaloo
I can't believe anybody actually uses those Facebook connect things.

