
I will not log in to your website - seycombi
http://www.scottaaronson.com/blog/?p=3203
======
lucb1e
I do not recognize the problem the author talks about, but it seems weird.
From the article:

> Prof. Aaronson, given your expertise, we’d be incredibly grateful for your
> feedback on a paper / report / grant proposal about quantum computing. To
> access the document in question, ...

It seems odd to want feedback and then ask someone to go and register
somewhere, probably requiring to accept a bunch of legalese in the privacy
policy and terms of service... Just attach the document you want feedback on,
right?

At least if I'd email someone (out of the blue or an acquaintance) for
feedback due to his expertise, I'd be grateful for the time taken and try to
make it as easy as possible to do.

Edit: it has been made clear to me that it's not about individuals contacting
the author, it's some big corporation that probably sends this out, probably
in an automated manner. I still don't understand why anyone would bother with
this when "peer reviews" can happen between "peers" (i.e. sending each other
documents for review, rather than going through the middleman that everyone
seems to hate such as Elsevier, if blog posts linked on HN are to be
believed).

~~~
ebbv
I assume they are trying to keep the documents in question confidential. Email
is not confidential.

EDIT: Folks, email is not secure. Even if someone doesn't have access to log in
to your mail account. Emails in transit are insecure.

Using outside systems to send confidential data is common practice and has
been for years.

~~~
lucb1e
I disagree. A sysadmin is not allowed to take a peek in emails unless there is
a reason. Or if I create a folder named "private" on my work computer or work
email, they aren't allowed to look in there without a good reason. But I
suppose Dutch privacy laws aren't universal, so I don't know how that would be
in your (or the author's) country.

And if you want to take matters into your own hands, you use PGP. But outside
of the computer security business I guess that's mostly unused.

~~~
csydas
This is not strictly true with US businesses and academia. My last place of
employment was a university, and per our legal, all data going through the
University email or computers is University property; while there is a pledge
from IT that all email is private and will not be accessed except for specific
circumstances, these circumstances could be pretty much anything and had no
relationship to any existing case law outside of what legal felt was necessary
to use as reason for why we could access it.

But the pledge was just a formality - should there be any interest to check
the mail, there was nothing technically stopping anyone with the required
access except for someone else with equal access having a problem with it.
Likewise, various management offices had no issue with submitting email fetch
requests for the simplest of things, with date ranges exceeding two or three
years sometimes for what turned out to be incredibly minor reasons.

There really is no expectation of privacy with academia in the US when it
comes to University owned property or services.

(The only reason I found out about any of this from legal was because I asked
for clarification on our "duty to report", and one of the lawyers was almost
excited as he told me about how we own everything legally.)

------
always_good
Recently, in my customer support tickets, more and more of my users have given
me email addresses "protected" by [http://boxbe.com](http://boxbe.com).

When I write my reply to them and submit, I get an ACTION-REQUIRED from
boxbe.com telling me to register + captcha so that I can get on the receiver's
whitelist.

It's so invasive that I don't bother. They'll have to check their spam folder
for my email.

~~~
tomjen3
I had an email with I think bluebottle that did that, but it automatically
whitelisted people if you sent them an email. Personally I think that if
people aren't willing to complete a captcha to send me an email, that email is
probably not so important for them.

It is a moot point now, because Google's spam filters are good enough that I
never see spam, but I just wished there would be an easier way to mass
unsubscribe marketing email.

~~~
dmitrygr
The problem is places like support forms. If you go to my site, click on
"contact us" and fill in your message and email, you did not directly email
me, as per boxbe. So if I honestly try to reply to you, I'll be forced to
waste my time? You better believe you'll never get a reply then.

So to reply to your "if people aren't willing to complete a captcha to send me
an email, that email is probably not so important for them.". No. Replying to
your request isn't that important to me. It probably was to you though....

------
mrspeaker
Ha ha, I'm at the same "get off my lawn!" moment in my internet life too. The
barrier "first, create an account and login..." is one that very very few
products can tempt me to do.

I realized recently that I have space in my life for three log-in websites
(HN, a gamedev site, one subreddit), three web apps (gmail, github, slack),
and three non-built-in phone applications (instapaper, ride sharing app,
twitter). If there's something new in town - it needs to be more valuable than
these to knock someone else out of rotation!

~~~
bdefore
Could this be alleviated by password managers or is the act of logging in, in
and of itself, a burden you would prefer not to do?

~~~
nuxxx
I'm not mrspeaker, but I have a similar stance regarding apps/logins/etc.

For me, it is the burden of having to create accounts for stuff I'll probably
only use once, plus the mental burden of knowing that the website has my
personal information and might leak it.

That, and the fact that having an account/app these days is synonymous with
"oh, sure, send me all the spam you have!", via e-mail or mobile
notifications.

If anything, password managers help me see which accounts I should be
deleting.

~~~
oneeyedpigeon
> If anything, password managers help me see which accounts I should be
> deleting.

I think this is a hint towards what, IMO, password managers should be moving
towards. I would like a password manager to really be an _account_ manager
that can do things like:

* Alert me if a site I have an account on has a publicly declared breach

* Let me manage personal details (such as associated email address, phone number, etc.) all in one place

* Tell me how often I use each account (and when I login to them from 'unusual' locations/computers)

etc.

~~~
nuxxx
Oh, I have been fantasizing about a similar thing for about a decade!
Currently my "account manager" is either an e-mail folder (I save the welcome
e-mails), or my Facebook/Google account (the "authorized apps" page), and this
is far from ideal.

I also wish I could sign up for new websites/services using such a manager. If
it already had all my personal info, it would take just one click to sign up.
And maybe selecting which personal details I would like to disclose with the
website.

Mozilla Persona with browser integration[1] was the closest thing to that. Too
bad it was abandoned.

[1] [https://people-mozilla.org/~faaborg/files/projects/firefoxAc...](https://people-mozilla.org/~faaborg/files/projects/firefoxAccount/index.html)

------
hyperpape
This is, in principle, no different than the fact that you have to log in to
Github to create issues or add comments.

What makes it different is that as a profession, we have decided that Github
is nice, good, and ubiquitous. Unfortunately, the portals that he's describing
are crappy, bad, and balkanized.

~~~
hk__2
You have to log in _to GitHub_ in order to create issues _on GitHub_. But that
doesn’t mean you must have a GitHub account to report issues to a project
hosted on it. Emailing the author with an issue report (and a patch) works as
well.

~~~
mcguire
You would have to use it if you wanted to keep the reviews/issues anonymous.

~~~
hk__2
Can’t you use somerandomemailaddress@gmail.com?

------
droithomme
On the topic of "the humans failed to engage them through the intermediary of
their bureaucratic process", we long ago stopped accepting any purchases for
under $20,000 if the customer insists we apply to their organization, sign
contracts, and fill in paperwork to obtain a vendor account with their
organization.

------
mnm1
Yup. In addition to not creating accounts, I've stopped filling in Captchas,
especially Google's notoriously horrible re-captcha (I've already clicked all
the storefronts about a million times and still it's not good enough), turning
on JS for sites that don't present content without it, using sites that don't
work with ad blockers, etc. except when I have no choice (banks, work). To me,
all these sites are broken. If they want content, they need to fix themselves,
and present something useful and secure. Most won't due to their business
model.

------
bostik
I applaud this attitude, not least because it reminds me of the UX design
story on allowing guest checkouts:
[https://articles.uie.com/three_hund_million_button/](https://articles.uie.com/three_hund_million_button/)

Add a hurdle, _any_ hurdle, to your potential users' workflow and you are
doing yourself a massive disservice.

------
lutusp
This describes an increasingly common practice among online businesses --
aggressively monetize visitors, turn them into clients and corporate assets.

When you visit a typical modern website, within 15 seconds an overlay appears
encouraging you to sign up, give away your email address, and become part of
what's _really happening_.

In a hypothetical parallel universe where telling the truth is mandatory, you
would visit a website and ask, "So, what are you selling, what is your
product?" The website will be forced to reply, "You."

All this apart from the present state of the scientific-technical publishing
business (also discussed in the linked article), which uses different methods
to obtain the same result: monetize people's wish to communicate with each
other.

~~~
AnOscelot
I wish the sites with the annoying "give us your email now!" popups would be
honest. Just say, in plain language:

"You can support this site by giving us an email, which we will then add to a
list we can sell to various entities. You don't have to give us your main
email address. Just please use something other than mailinator (and their ilk)
so it's a saleable address. This will help us stay open despite most of our
visitors blocking our ads. We will send you a newsletter occasionally so we
can pretend this exchange is not purely about money. Thank you."

------
65827
The worst are the companies who seem to get completely new systems every few
years, and if you didn't log in recently you effectively have to create an
entire new sign in, and guess what you can't reuse that email and you have
some silly new password restriction because SAP or whoever says so. Just awful
experiences.

------
TuringNYC
From the article: Oh, Skype no longer lets me log in either.

Funny, I've had the same issue. Between legacy Skype passwords, Microsoft
accounts, and what not, for a period of time it became almost impossible to
log into Skype. It has improved, but the reset process was designed almost as
a maze to help shed all but the most determined. I was not determined enough
and eventually gave up and forced Skype contacts to reach out to me via
WhatsApp/GChat/Signal/Duo/Allo/FBMessenger. Anything but Skype.

Side note: Same thing happened to Wunderlist after they too got purchased by
Microsoft.

------
dredmorbius
I agree with all the advice and sentiments given. Moreover, the proliferation
of user accounts, the stickiness that implies for registration email
addresses, the general failures of password-based security systems, and the
unconscionably high level of tracking implied by individually registered,
client-side tattling interfaces, are all rapidly reaching a crisis point.

Some months back, another HN user mentioned as an aside in comments that he
had _over seven hundred_ site authentication credentials. This is a slight
inflation over ordinary users, but not tremendously -- the typical citizen
will have a score or several accounts -- social media, email, various vendors,
and quite easily 100 or more.

There's also the problem of multiple worlds colliding. As YouTube's founder
famously noted when faced with a "Please create a G+ account" prompt a few
years back. After being reasonably assured that G+ and YouTube activity were
separate, I've just learnt that they are not, with results that 1) I'd
inadvertently changed my G+ identity and 2) I've yet again blown away a
YouTube profile I really don't care for.

I'm not sure what we're going to replace this system with, but extending the
current path ain't gonna work.

As for the haircuts, a $25 set of electric clippers addresses that need. Or a
blade. A 35 year old man is old enough to learn to cut (or shave) his own
hair.

------
cknight
I'm no scientist, but I was involved in a couple of projects with a research
group to develop web apps that others could use to run biophysics simulations.

When submitting them for peer review, there was an absolute requirement from
the journals in question that the sites did not require a login to use, and
not even an email address to be entered to alert the user to
results/completion. Result pages and download links were to be provided at a
hidden URL which was linked to from the submission page after the form was
submitted. So while we did this, we also ended up maintaining emails for job
alerts, but optionally so. Most users have since used their emails to run jobs
as it is more convenient for them.

But for the reviewers, their requirements made sense. We were submitting to
journals which had entire dedicated editions for online scientific apps.
Hundreds of them, all of which required peer review by scientists who were
being very generous with their time. For a free service, such requirements
don't seem at all unreasonable.

------
bgrohman
"Whenever my deepest beliefs and my desire to get out of work both point in
the same direction, from here till the grave there’s not a force in the world
that can turn me the opposite way."

Words to live by.

------
a_bonobo
The Journal Of Open Source Software does the review process rather nicely: You
send them a PR with your software/description, and then a reviewer will
publicly go through the review process (described here:
[http://joss.theoj.org/about#reviewer_guidelines](http://joss.theoj.org/about#reviewer_guidelines)
)

Of course that doesn't work with all of science, you don't always want open
peer review, usually because several people are working in various stages on
similar or related things, or you don't want to publicly criticize the
reviewed party, or you don't want to make the reviewer look bad when the
reviewer doesn't know what s/he is talking about

------
Animats
Google now hosts web pages on Google Drive you can't even read without a
Google account. Please don't use or link to those.

------
glangdale
On a related, but more trivial level, I note that a lot of places that used to
have a nice little punch card or whatever for a loyalty program now have
accounts you can log into. So I can, if I want, choose to have to remember a
_burrito password_. Awesome.

------
kerouanton
This is a global issue. We all experienced friends or people asking for
joining them on their social network, or their IM app, which unfortunately
you're not on. Same for vendors and partners and such that ask you to create
accounts on their websites for sometimes just a single event or document to
sync. XKCD recently published a fun illustration of it (1810).

On the other hand, most of us want to split between work and friends, between
private and public. So we have different accounts for this purpose. I don't
use Twitter and Linkedin the same way, and I don't have the same circle of
relations connected by those means. So it may be "convenient" to have separate
accounts, but at the same time this becomes a burden to maintain and check
every one of these (not counting data breaches and so).

My current practice is the following:

* an email address for my close friends & family.
* some public accounts for infosec usage (linkedin, twitter...)
* some undisclosed accounts for my professional usage.
* some undisclosed accounts for my private usage (ecommerce etc.)
* all the rest (a vast majority) uses throw-away emails (I own a domain, enabling me to generate unique email addresses per website) and random passwords, so I don't care to monitor them or if they are breached. If I know I won't use the site frequently I don't even remember the password, I just do a "recover password" if I need it in the future.

My rules:

1. never reuse the same email twice for websites. That also helps me monitor breaches and/or spam and/or db resellers.
2. never reuse the same password twice. Obviously.
3. never use 3rd party authent such as "Login with FB, Twitter or Gmail", as it breaches the first rule.

It generates some work to maintain all of this, but I've been doing it for
probably over a decade, and it's now a habit I can't quit, considering the
benefits.

So, back to the paper, I'd tend not to follow this guideline, even if I'm
tempted to do so.

~~~
GrinningFool
I'm in the process of setting up the same thing for my email. Any interest in
sharing what you're using?

~~~
AstroJetson
I have a godaddy domain with email. I give each company
companyname@myfakedomain as the email. They all forward to me at
astro@myrealdomain. If/when they aggressively send me aggravating email, I
flip it to forward to some big wig at the company and forget about it.

Works well and is pretty cheap.

~~~
GrinningFool
Thanks, though I am looking for something that I can manage myself. I won't
say without a third party - using a VPS - but I am trying to build it such
that I can pick up and move to a different VPS provider without a lot of pain.
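
The per-site address practice described in this sub-thread (kerouanton's rule 1 and AstroJetson's companyname@myfakedomain scheme), as an added example that is not code from any commenter: it issues one alias per site and attributes mail from unexpected senders to the site whose alias leaked. The keyed tag in the alias, the `mail.example` domain, the key and the sample messages are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

DOMAIN = "mail.example"           # placeholder for a catch-all domain you own
SECRET = b"constructed-demo-key"  # constructed key; a real one stays private


def _tag(site: str, secret: bytes) -> str:
    """Short keyed tag so an alias cannot be guessed from the site name alone."""
    return hmac.new(secret, site.encode(), hashlib.sha256).hexdigest()[:8]


def alias_for(site: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Return the one address handed to `site` and to nobody else."""
    site = site.lower()
    return f"{site}-{_tag(site, secret)}@{domain}"


def issued_to(recipient: str, secret: bytes = SECRET, domain: str = DOMAIN):
    """Map a recipient address back to the site it was issued to, or None."""
    local, _, dom = recipient.lower().rpartition("@")
    if dom != domain or "-" not in local:
        return None
    site, _, tag = local.rpartition("-")
    expected = _tag(site, secret)
    return site if hmac.compare_digest(tag.encode(), expected.encode()) else None


def leak_report(messages, secret: bytes = SECRET, domain: str = DOMAIN):
    """Group unexpected sender domains by the site whose alias they wrote to.

    `messages` is an iterable of (recipient, sender_domain) pairs. A sender is
    expected when its domain is the site itself or a subdomain of it. Mail to
    addresses that were never issued (guessed aliases) is collected under None.
    """
    report = defaultdict(set)
    for recipient, sender_domain in messages:
        site = issued_to(recipient, secret, domain)
        sender_domain = sender_domain.lower()
        if site is None:
            report[None].add(sender_domain)
        elif sender_domain != site and not sender_domain.endswith("." + site):
            report[site].add(sender_domain)
    return dict(report)


# Constructed sample: (envelope recipient, sender domain) pairs.
SAMPLE = [
    (alias_for("shop.example"), "shop.example"),
    (alias_for("shop.example"), "news.shop.example"),
    (alias_for("forum.example"), "forum.example"),
    (alias_for("forum.example"), "pills.invalid"),             # alias leaked or sold
    ("forum.example-00000000@mail.example", "guess.invalid"),  # guessed, bad tag
]

if __name__ == "__main__":
    for site, senders in leak_report(SAMPLE).items():
        print(site or "(never issued)", "<-", sorted(senders))
```
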

------
joshuaheard
The author was me before I started using LastPass password manager and form
filler. I can input my name, address, credit card number in seconds, and it
will automatically track all my logins. There are many other such apps out
there besides LastPass, so this is not a particular endorsement of that
product. And, of course, LastPass or other password manager will not fix all
the bad websites out there.

------
EGreg
And that is why we have implemented this in our platform:

[https://qbix.com/platform/features/invitations](https://qbix.com/platform/features/invitations)

[https://qbix.com/platform/guide/invites](https://qbix.com/platform/guide/invites)

------
InquilineKea
Lol this reminds me of the Demolition Ship Captain incident at AoKH where DSC
hacked into Angel THS's account (and then banned half the active users on Age of
Kings Heaven) by just creating a website where he could get Angel THS to use
the same password he could use everywhere (HUNTER)

------
kapauldo
Unreadable for the over 40 crowd on mobile.

~~~
intrasight
Everything is unreadable for the over 40 crowd on mobile. That's why I use
Firefox reader view on mobile. On desktop it's as simple as ctrl-shift-+

~~~
CydeWeys
No, this site is especially bad. 50% of the total screen real estate is taken
up by useless margins that shouldn't be there on mobile, and the text size is
way too small. Most sites do a way better job of rendering on mobile.

~~~
intrasight
Yes, that site was poorly designed. Unfortunately that is true of most sites to
varying degrees IMHO. I browse in desktop mode on mobile (because I don't want
the sites to treat me differently) and then use reader mode to read (because
then I get a consistent experience).

------
ibgib
> _Why didn’t I call myself? Mostly, because I hate making unsolicited calls
> of any kind, a phobia that I admit isn’t entirely rational and that often
> causes inconvenience._

Interesting. I hadn't thought of a reservation as being unsolicited. What about
online reservations that are more pubsub-like?

------
kapauldo
Readable version

[https://read.feedly.com/html?url=http%3A%2F%2Fwww.scottaaron...](https://read.feedly.com/html?url=http%3A%2F%2Fwww.scottaaronson.com%2Fblog%2F%3Fp%3D3203&theme=white&size=medium)

------
jasonkostempski
The unnecessary accounts I hate the most are the ones that are needed to send
feedback. An account should not be required for that if you want feedback from
outside your happy users bubble.

------
hujouo
Narcissistic proclamation in a blog that brings no discussion or interesting
thoughts.

~~~
ekidd
A recent link from Scott Aaronson's blog points to his survey paper on P and
NP
([http://www.scottaaronson.com/papers/pnp.pdf](http://www.scottaaronson.com/papers/pnp.pdf)).

If you think that this brings no "interesting thoughts", this probably says
more about your intellectual tastes than it does about Aaronson's work.

------
paulcole
If you ever wondered what people meant by out of touch "ivory tower"
academics, just read this post.

Just imagine telling a client, "sorry I don't open Google Docs on principle.
Life is too short and too precious."

~~~
laumars
You say that but if one looks at your example at face value then you would be
surprised how often things like that do happen. I had one supplier threaten to
cancel business relations with us if we didn't send through customer details
(related to the product they were supplying) on an excel spreadsheet via
email. It took quite some negotiation to agree a secure compromise.

That's just the most recent example but I've had to deal with countless insane
demands from suppliers like this over the course of my career. In several
cases being borderline to saying "if you don't want our business then there's
plenty of other suppliers that do".

However by far the most annoying one I've had, and one that used to be common
place 5 years ago in the UK, was recruitment agencies refusing to accept CVs
in PDF form. They would accept a Microsoft Word document or RTF. Some even
accepted plain text files. But a PDF was point blank refused even in tech-
agencies. This used to be a real pain for myself, a Linux developer and
administrator who didn't run Windows so couldn't guarantee what OpenOffice
would spit out when exporting to .DOC. I ended up having to use a spare work
machine and thankfully had a _very_ forgiving boss.

~~~
tomjen3
When they insist on a doc document it is because they want to edit it, which
means they are about to screw you over.

~~~
laumars
I guessed that much myself to be honest :). However it has always been
trivially easy to copy and paste content from a PDF so their restriction
didn't make much sense to me even with that point in mind. And with the added
issue that every tech recruiter I approached enforcing the same policy, it
made it impossible to shop around for recruitment agencies that would honour
my CV.

Thankfully I've not had the same issues when job hunting again recently. At
least not thus far.

