
I was annoyed with sites asking for too many Facebook privileges and made this - chadrs
https://github.com/chadselph/OOptOut-Chrome-Extension
======
sshumaker
I hate the security model where all the permissions are requested up front,
and you have to approve them all (e.g. Android and Facebook without this
plugin).

All permissions should be off by default, and the user should be asked the
first time a permission is needed to perform an action (à la GPS on iPhone) -
at least that way you know what it wants the permission for, and the app can
gracefully handle rejection.

~~~
vdm
This could be like early Windows firewalls all over again; popping up windows
every time you try to do something, until you just disable it.

~~~
psawaya
Maybe. I think the idea of "blocking" a program makes a lot less sense to the
novice user compared to choosing if a program can e-mail you or post on your
wall. I agree that they could easily become a nuisance and lead to the user
reflexively clicking "accept", though.

~~~
bigiain
Maybe there needs to be a reverse version of this - all of your _friends_ who
get spammed by the app writing in your stream ought to be able to vote

[] continue receiving updates from this user using foo-app

[] block updates from this user's instance of foo-app

[] block all automated updates from this user's stream

([] unfriend this clearly unhinged "install every shiny-thing" user)

Then any user with more than a certain threshold of blocks would need to get
permission from a majority of his social network before being allowed to
authorise apps :-)

~~~
notahacker
You missed "block all updates from any instance of foo-app".

My Facebook stream looks so much less cluttered since I blocked Zynga apps.

------
cheald
Well, it's a good idea, but it needs a big, fat "hey, this might/will probably
break stuff in the app you're authorizing" button. Apps usually request that
stuff for some reason, and the vast majority of users don't have enough
understanding of the systems to know which permissions are safe to revoke.

Best case, things silently break and the user doesn't care. Worst case, things
break and the user blames the developer and maligns the application. You know
how important the star ratings are in the mobile markets? You know how much
effort developers put into managing the user experience, knowing that their
app's success lives or dies based on their ability to keep from offending the
luddites among their userbase?

This is great for power users who understand and accept the risks inherent in
doing something like this, but it's an _awful_ idea for just about anyone
except developers who understand what those permissions are actually used for.

~~~
bigiain
I'm not entirely sure that's a valid objection for something whose
installation instructions include "clone this git repo, then open chrome in
developer mode".

Perhaps before it becomes a point'n'click install there might need to be more
explanation about what might break, but anyone capable of installing it in its
current form _ought_ to be capable of working out its various means of
breakage...

~~~
cheald
I agree in this case. If it's a git repo, not a problem. But, it's not the
first time I've seen this issue raised, and the common response is "heck yeah,
I want to do that!" It's not inconceivable to imagine that someone packages
this into a mass-usable extension eventually. One Google search led me here:
[https://chrome.google.com/webstore/detail/mlnhcepfaddcopbegg...](https://chrome.google.com/webstore/detail/mlnhcepfaddcopbeggpobodmmodilgmc)

People, in general, don't understand what the permissions they're granting
(and ergo, revoking) do, and why they are needed (or what fails to work
when they are revoked).

It's a broken solution to a broken problem - permissions aren't granular
enough, but permissions that are too granular get the TL;DR treatment from
users. Developers have abused the permissions structure (usually under the
"just in case" rather than "active abuse" justification), and users don't
understand it, and the middle ground is that it's a giant mess that can't be
unraveled without breaking a lot of things in the process.

I'd love to see some process by which an app could pass a string that says
"This is why we need this permission, here's what happens if we don't have
it", and then let the user select or deselect it, having been fully informed
of the consequences. Additionally, exposing that UI to the user will encourage
developers to write robust code that deals with that permission not being
present.

~~~
bigiain
"It's a broken solution to a broken problem"

Sure.

That doesn't mean we need to accept Facebook's status quo - which resolves the
inevitable brokenness in the direction of:

"Oh well, your privacy and that of your friends is the price you have to pay
to let poorly written apps to work."

We should at least have the option to choose:

"I'll have a little more control over my privacy and a bit more respect for my
friends, and if that means the new social-media-viral-casual-gaming-sensation-
du-jour fails to work for me 'cause it thought it could spam my friends and
didn't properly check for success (or intentionally crashed on failure), then
that's fine too, maybe I'll do something else with that time."

~~~
cheald
I agree that we should have the right to choose. I also have enough experience
doing support for customers to know that most people are boneheaded about this
stuff, and will immediately jump to blaming the developer for their buggy
software, causing support headaches and user discontent.

For the HN audience - hackers, who know this technology, and understand the
risks, and can correlate their revoking permissions with the effects down the
road - this extension is great. I'm probably gonna install it later today.

For the general user audience, this is like handing someone a loaded shotgun
and telling them they can use it to scratch itches on their feet.

------
psawaya
This is a fantastic idea.

I have a really simple Firefox port running. You can see the code and download
it (.xpi) here:
<https://github.com/psawaya/OOptOut-Extension-Firefox/tree/master/Firefox>

I only tested it out on one website, so let me know how well it works (or
doesn't) for you. I'd like to keep working on this and tighten up the
interface. I think a lot of people will find this useful!

~~~
mweibel
Thanks mate. I tried it on vimeo.com (as author suggests) and it doesn't seem
to work.

One point is: The UI is somehow broken (no styling, and "application
settings", "update" and the checkboxes each are on their own line). Second
point: When removing the ticks from the checkboxes and click on update, I'm
redirected to:
"[https://www.facebook.com/dialog/undefined/dialog/permissions...](https://www.facebook.com/dialog/undefined/dialog/permissions.request?api_key)"

so "dialog/undefined" needs to be stripped.

(Maybe add the issues functionality to your repos.. :))

- Michael

~~~
psawaya
Good call. I added issues, so file away. :)

------
there
i've just started working with the facebook api over the weekend to integrate
into an app i've built and every permission requested has a checkbox next to
it on facebook's auth dialog to allow the user to reject it.

<http://i.imgur.com/v4jAU.png>

are those apps using a different api than the open graph? i don't see any
setting in my app's page on facebook to allow those to be disabled (not that i
would prevent users from doing it, just wondering).

~~~
chadrs
It looks like there's a "new" auth window in beta:
<https://developers.facebook.com/docs/beta/authentication/>

~~~
mrinterweb
In the permissions section,
[https://developers.facebook.com/docs/beta/authentication/#pe...](https://developers.facebook.com/docs/beta/authentication/#perms),
it states "The user will be able to remove any of these permissions, or skip
this stage entirely, which results in rejecting every extended permission
you've requested. Your app should be able to handle revocation of any subset
of extended permissions for installed users."

I had no idea that individual permissions could be denied. This is a step in
the right direction and good on Facebook for adding this into their new OAuth
process.

------
blhack
Facebook is actually a bit scary even with most of the things you're disabling
here disabled.

(My point is that this is cool, but it really isn't enough)

For instance, I'm using facebook auth on <http://lanmarks.com> -- I wanted to
be able to pull my users' facebook friends so that they could filter the data
on my site to only their set of friends (this is one of the appealing parts of
facebook auth, imho).

I spent a bit of time looking around the API docs searching for the option for
"allow me to see their friends", figuring that I would have to ask my existing
users to re-auth against facebook with the new permissions.

Nope. I get that by default, and I can pull a list of your friends silently in
the background.

This is with the _most basic_ authentication mechanism that facebook offers.

That's...scary to me. As I was building this out, I asked a friend of mine on
gchat to go to the site and auth against facebook to check that the
functionality was working.

It was... I was watching my DB, and without facebook even telling her, it
grabbed a JSON of all of her friends.

_Creeeepy_

_I_ tell people this on the site (this will get your name and people in your
network), but I wish that facebook did too. At least I wish they made it more
obvious.

And you know what? Honestly, facebook, you're totally dropping the ball on
oauth here. Where in your documentation does it explain how to exchange an
expired token for a new one?

Most devs end up requesting a permission called "offline_access", which
facebook explains as "The application can access my data at any time"

This, along with "stream_access" (which most apps also ask for) literally
means that the developer can post to facebook, as you, without you knowing it,
whenever they want and with whatever they want.

That's _bad_, facebook. That's bad to the point where I actually disabled
facebook integration on <http://thingist.com/>. The idea that my application
could just post a status as any of my users, and it could do so without any
interaction from them...was just too much.

C'mon facebook, stop making it so hard for me to defend you all the time.

(By the way, you don't really need a plugin to do this. Have a look right
here:
[http://developers.facebook.com/docs/reference/api/permission...](http://developers.facebook.com/docs/reference/api/permissions/)

then look at the URL in the window that you end up in at facebook.com -- the
one prompting you for permissions. Just edit the URL to reflect the
permissions that you want to give the app.)

~~~
phillmv
I signed up for airbnb using my facebook account and I noticed that they give
away your DOB.

I immediately changed my DOB on facebook and vowed to avoid authenticating
with apps.

I generally avoid putting in real information on facebook but the amount of
stuff they give away is frightening. It's a heaven for social engineering and
spear phishing.

~~~
bigiain
"I immediately changed my DOB on facebook"

Hmmm, I wonder what Facebook does when someone changes something like their
DOB? Or name/address/email/phone? Or any other marketing-useful data in your
profile?

If _I_ were part of the Facebook Evil-Data-Mining Division, I'd certainly be
looking to see if I can discern patterns like "This phillmv guy's _real_
birthday is 12/03/1975, but when he changes it for sites he doesn't trust he
tends to use either 1st April 1980, or 22nd Sept (which is his girlfriend's
birthday) instead. And he usually changes his zipcode to the one his parents
used to live at before they moved to Pittsburg."

~~~
mattbot5000
Facebook also limits the number of times you can change your DOB, though I'm
not sure what that limit is.

~~~
phillmv
This is _extremely hateful_. Like with the Google Plus real name thing.

------
gfodor
This is a cool idea, but of course the warning is that if you are turning off
certain permissions, there is a good chance the app you are adding is going to
break since it's coded expecting certain behaviors from the API based upon
those permissions being granted (even if the data is not going to be used.)

~~~
rhizome
In other words, it's a good test to see if an app is coded incompetently.

~~~
ceol
To be fair, I don't believe Facebook ever allowed users to opt out of certain
permissions (barring their recent beta auth[0]). Certainly you'd want to
handle missing permissions gracefully, but I can't blame a dev for making
their app non-functional when 99.9% of their users will either accept all
permissions or deny the app access.

[0]: <https://developers.facebook.com/docs/beta/authentication/> (bottom of
page)

~~~
rhizome
As common as a lazy coding practice may be, there's no excuse for programmers
not checking inputs, access, or the lack thereof.
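
Added example, not code from the extension or from Facebook's SDK: the graceful handling cheald asks for above ("robust code that deals with that permission not being present") and rhizome's point about checking access. The app gates each feature on the permissions that actually came back rather than on the ones it asked for. The response shape (a flat `{name: 1}` map under `data`), the feature map and the sample response are all constructed for illustration.

```javascript
// Added example: gate an app's features on the permissions the user actually
// granted, instead of assuming the requested list came back intact.
// The permissions response shape and the feature map are constructed.

// Which permission each feature of a hypothetical app depends on. 'core'
// needs nothing beyond basic auth, so it can never be switched off.
const FEATURES = {
  core: [],
  emailDigest: ['email'],
  wallPosts: ['publish_stream'],
  friendFilter: ['read_friendlists'],
  backgroundSync: ['offline_access'],
};

// Turn a permissions response into a Set of granted permission names.
// Accepts the constructed flat {name: 1} map; entries that are missing,
// zero or false are treated as not granted.
function grantedPermissions(response) {
  const granted = new Set();
  for (const row of (response && response.data) || []) {
    for (const [name, value] of Object.entries(row)) {
      if (value === 1 || value === true || value === 'granted') granted.add(name);
    }
  }
  return granted;
}

// Decide which features to enable. A missing permission disables only the
// features that need it; nothing throws, and the caller gets a list it can
// show the user ("wall posts are off because publish_stream was not granted").
function gateFeatures(granted, features = FEATURES) {
  const enabled = [];
  const disabled = {};
  for (const [feature, needs] of Object.entries(features)) {
    const missing = needs.filter((p) => !granted.has(p));
    if (missing.length === 0) enabled.push(feature);
    else disabled[feature] = missing;
  }
  return { enabled, disabled };
}

// Constructed response for a user who stripped everything but email.
const SAMPLE_RESPONSE = { data: [{ installed: 1, email: 1, publish_stream: 0 }] };

const demo = gateFeatures(grantedPermissions(SAMPLE_RESPONSE));
console.log('enabled:', demo.enabled);
console.log('disabled:', demo.disabled);
```

The design choice is that the permission check runs once, right after the callback, and produces a decision the rest of the app consults; scattering "do we have publish_stream?" checks through the code base is how apps end up crashing on the first call that fails.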

------
idoh
I'm working on a facebook app right now. In A/B testing the permissions, it
doesn't matter how many things we ask for, the results are about the same. So
might as well ask for anything we think will be useful.

~~~
bkaid
I've seen a study that shows this isn't true, especially when prompting for
offline_access. Wish I could find the link. Also, Facebook's app analytics
shows you the breakdown of how often permissions are rejected and from what
I've seen with high usage, the permissions prompted did matter. I would
disagree that you should just ask for ones you might not need, especially
since you can always prompt the user later for more if needed.

~~~
idoh
I'm looking at the Facebook Insights for the app right now. The bucket where
we asked for the most permissions (excluding email) performed significantly
better than the other options. I don't know why that is the case, but it is.

As for asking for permissions later, since it doesn't seem to matter we ask
for all the ones we need up front. We've found that gradually asking for
permissions as needed annoys the user and breaks up the app flow.

~~~
rhizome
it may be consumer psychology: more permissions means your app must have more
functionality.

------
loveat528hz
Does this actually work? I mean, wouldn't the application just go ahead and
use those privileges anyway, since it was built into the API? I think this
just makes you aware of the privileges it intends to use, and doesn't actually
affect what the application can and cannot do.

I'd love it if somebody could prove me wrong, though. This would be swell if
it worked. :P

~~~
chadrs
I included a link to the Facebook application settings on the extension's
space so you can verify which permissions you've granted and which you
haven't.

Basically, when you generate a connect button, you list which permissions
you want to ask for and you get redirected to a page that asks for those
permissions. My extension just changes the URL of the popup window so Facebook
will be asking for different permissions.

Before yesterday, I've always just done this manually, but I was surprised to
learn that people didn't know this trick. So, last night at 10pm I decided to
just sit down and finally write it as an extension.
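
Added example, not the extension's own code: the mechanism chadrs describes, rewriting the `scope` parameter of the OAuth dialog URL so that only an allow-listed subset of the permissions the app asked for is actually requested, while `client_id`, `redirect_uri` and `state` are left alone so the app's callback still works. The dialog URL, the permission names and the allow-list are constructed for illustration.

```javascript
// Added example: filter the scope parameter of a Facebook-style OAuth dialog
// URL down to an allow-list. Constructed values throughout.

// Permissions the user is willing to grant; everything else is dropped.
const DEFAULT_ALLOWLIST = ['email'];

// Split a scope string on commas (Facebook's separator) or spaces (used by
// other OAuth providers), dropping empty pieces.
function parseScope(scope) {
  return scope.split(/[,\s]+/).filter(Boolean);
}

// Return a copy of the dialog URL whose scope keeps only allow-listed
// permissions, plus what was kept and dropped so a UI can show it.
// Other query parameters are left untouched.
function rewriteScope(dialogUrl, allowlist = DEFAULT_ALLOWLIST) {
  const url = new URL(dialogUrl);
  const requested = parseScope(url.searchParams.get('scope') || '');
  const allowed = new Set(allowlist);
  const kept = requested.filter((p) => allowed.has(p));
  const dropped = requested.filter((p) => !allowed.has(p));
  if (kept.length) url.searchParams.set('scope', kept.join(','));
  else url.searchParams.delete('scope'); // nothing left: fall back to basic auth
  return { url: url.toString(), kept, dropped };
}

// Constructed sample: an app asking for far more than it needs.
const SAMPLE_DIALOG =
  'https://www.facebook.com/dialog/oauth?client_id=123456&redirect_uri=' +
  encodeURIComponent('https://app.example/cb') +
  '&scope=email,publish_stream,offline_access,read_friendlists&state=xyz';

const result = rewriteScope(SAMPLE_DIALOG);
console.log('kept:', result.kept, 'dropped:', result.dropped);
console.log(result.url);
```

The lesson for the app side is the one the rest of the thread keeps circling: the scope list travels through the user's browser, so the requested list is never evidence of what was granted, and the app has to read the granted set back after the callback.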

------
GiraffeNecktie
Typical Facebook authorization: Give us permission to post on your wall, check
out all your friends, and generally keep tabs on your entire life. Oh yeah,
and allow us to verify that you are logged in to your Facebook account.

Typical Google authorization: Allow us to verify that you are logged in to
your Google account.

~~~
cheald
This is mostly because Google provides very few useful operations. See also:
authorization scopes.

------
dylangs1030
I like this so much, I may fork it and port it to Firefox...thank you for
making one of the most practical extensions I've seen in a while.

------
msumpter
Awesome extension!

I just wish Facebook would include this as a standard option on the auth page.
It would be great to just uncheck the things I don't want it to do on my
behalf. Instead I was allowing the app and then editing its permissions
immediately afterward.

Great job!

~~~
rhizome
_I just wish Facebook would include this as a standard option on the auth
page._

Sadly, I believe you misunderstand Facebook's business case.

------
Splines
OT, but does anyone know of a way to find all the "things" that you've done on
Facebook? It'd be nice to know if a rogue fb app has posted on me in some
obscure location that I don't see on my screen. I've tried messing around with
the graph API (looking at all posts by me), but I can only see activity on my
own wall, and not any others.

A few weeks ago my wife accidentally clicked on some fb malware and it auto-
posted bad links on other people's walls. It was frustrating to find out where
all those places were. A programmatic way to do this would be good to know.

------
DiabloD3
I think I did the ultimate opt out: I've never had a Facebook account, and I
never will.

~~~
iamandrus
I wish it was that easy for me. My generation almost _refuses_ to use email or
even text messaging -- everything has to be done through Facebook.

I just wish the next big thing would pop up so we can stop worrying about what
stupid privacy blunder Facebook will commit next.

------
jaymzcd
I wish there was a way to request permissions for a given time period, it
seems it's all or nothing. I'm creating some apps at the minute and just need
to checkin the once, I wish I could communicate that to the user but instead
facebook insists that they authorize it 'for ever' (well, until they remember
and go and remove it).

In my opinion that would make take-up and "throwaway" usage of apps a bit
easier to sell.

~~~
CGamesPlay
If you request offline_access, the user will see "access your data at any
time" as a requested permission. If you do this, the access token you are
given does not expire unless the user does some action to expire it (such as
updating her password). If you don't do this, the access token has an
expiration date, and the user has to refresh the session (transparently
happens with the JS SDK, I believe) in order for you to have continued access.

------
MartinMond
Wow this is incredibly cool! Can you also package it as a Safari extension?

~~~
chadrs
Presumably, I've never looked into Safari extensions though.

------
burgerbrain
I would have never suspected that this would actually work. Right on!

------
ThomPete
Maybe I am the only one on HN and I can't believe I am defending FB but I
don't get this.

I understand and can appreciate what is being done. I just don't understand
why anyone would want to use a service that they are not comfortable giving
out data to.

FaceBook for better or worse is making money by knowing a lot of things about
you. In return you have a place to hang out and share a lot of things.

Is that such a bad deal?

Personally by default I just assume that everything I post/share/say is going
to be used.

~~~
hack_edu
You forget the huge numbers of users who willingly provide their login data to
phishing or other malicious apps.

If they don't pay attention to those, clearly more obvious sketchy things, you
really expect them to make sense of opting in and out of an already confusing
app permission step?

~~~
ThomPete
That can pretty much be said about everything online.

As far as I am aware FB do a lot to get rid of those sites.

You can also turn it on it's head. If normal good intentioned developers can't
count on the kind of information they are asking to make their apps work then
where does that leave them?

~~~
hack_edu
I think we've found the crux of the problem here.

------
cubik
Hi. You mentioned in the GH description that you'd like some help with a name
and logo. Logo-wise, how about something that resembles a door-chain? The
concept is that while it allows you to talk to the person on the other side,
it restricts their complete access to your property. With this in mind, you
could call the plugin something like Book-chain (or something better ;) ).

Either way, I'd be happy to help with the design.

------
dlevine
Chrome should integrate this into the Browser. That way, Google could
"protect" you against "privacy violations" by Facebook. It could show a little
warning at the top of the screen, and allow you to edit the permissions (kind
of like what the app does now, but as an official-looking browser message).

Oh, and Google should also do this with the Android App Store...

~~~
paraschopra
Won't it be anti-competitive? Facebook would probably sue Google if they
specifically integrate such functionality into Chrome. (If they do it for all
sites generally including G plus, then it would be fantastic)

------
mmphosis
Here are some entries in my /etc/hosts file...

    
      127.0.0.1	www.facebook.com
      127.0.0.1	facebook.net
      127.0.0.1	plusone.google.com
      127.0.0.1	googleapis.com
      127.0.0.1	clients6.google.com
      127.0.0.1	gstatic.com
    

Anyone know how to filter out discussions containing "Facebook" in the title,
on Hacker News?

~~~
dspillett
I'm sure a GreaseMonkey script or Chrom{e|ium} equivalent (I'm told many GM
scripts work as-is in Chrome, simpler ones anyway, though sometimes a bit of
tweaking is needed between environments) to do this should be easy to
construct.

------
gospelwut
I just disabled the entire API. I see no difference in "user experience" save
not being able to trade eggs.

------
daedelus
Nice idea. Although I haven't allowed an app access to any of my data in
years, I'm worried about what info my friends might be leaking to these apps.
I wish there was someone to stop this / see which of my friends have made some
of my data available to third parties.

------
gcanyon
Doesn't work for me -- I have it installed in Chrome 15.x on OS X. Using
Facebook authentication, I get a dialog with the checkboxes at the top to
disable some requests. I can uncheck some items, but then when I click apply
nothing seems to happen.

~~~
chadrs
Yeah, I pulled in some style changes without testing them and they
accidentally broke the onclick handler for the button. I fixed it here:
<https://github.com/chadselph/OOptOut-Chrome-Extension/commit/a937d2ccfeb7a7234bce2a786681e158b4445b10>

------
jconley
Cool hack.

The site owners requesting a huge list of permissions like this should really
test what happens to their conversion rate across various sets of permissions.
Been there, worth testing. I'm just saying... ;)

------
chadrs
Chrome web store link:
[https://chrome.google.com/webstore/detail/lkllliihmodekgjcio...](https://chrome.google.com/webstore/detail/lkllliihmodekgjcioihaaodkbpeleph)

------
JoshTriplett
I don't use Facebook, but I'd love to see the same thing for Twitter. In
particular, I'd like to change requests for read/write permission into
requests for read-only permission.

------
thechangelog
It would be interesting to have a follow up mechanism to indicate how many
requested permissions were actually required by apps. I suspect it would end
up around the 50% mark.

------
billmcneale
Just create an empty Facebook account and use it to authenticate, problem
solved.

Yes, it's against Facebook's TOS, which makes me feel even better whenever I
authenticate with it.

------
tlrobinson
Whoa, this actually works? I always wished Facebook would let me opt out of
certain permissions, but I assumed Facebook would have to implement it
themselves.

------
daspion
This is great and much needed. It's unfortunate Facebook doesn't offer this
as a general setting when you're prompted. Thanks for putting this together!

------
BrainScraps
Idea for new names: AppBouncer, Blank Check, AppReduce

------
suyash
Excellent, thanks a lot for sharing, I'm sure we all have the same problem with
new facebook app authentication protocols.

------
latchkey
If FB served up that page with a hash of the expected permissions and then
submitted the page with that hash, then this plugin would be rendered useless.

I'm surprised for something like this (i.e. permissions / security related),
they don't do that already. The dialog is SSL, but if it was a man in the
middle attack that added/removed permissions at will, then it kind of defeats
the security of that dialog entirely.

------
deepkut
I'm currently building a website that will request more permissions than
average (which may incentivize some users to use this extension), but as a
result, if my database isn't filled with the information that's expected, they
won't be granted access to the functionality of the site.

Thoughts? A bit stubborn, but my website hinges on the permissions I'm
requesting.

------
Swizec
This looks awesome! Some sites certainly ask for way more than I am
comfortable sharing.

------
quinndupont
Ahh, Ghostery anyone? A polished product that nicely blocks Facebook requests

------
JacobIrwin
Thanks chadrs - I just loaded it into my Chrome extensions, great package!

------
mwexler
This is fantastic. Sad that so many feel we need it, but great to have.

------
matthewj
Looks great. Though it could use some design help.

------
myoder
Seriously awesome. You are a hero to us all!

------
anonymous
This should be part of the default UI

------
digamber_kamat
This is awesome. Good work.

------
Jgrubb
You are my hero, sir.

------
yanksrock777
genius.

------
LambergaR
You're my hero :)

------
jluan
Fight the system!

------
singingwolfboy
<3

