- August 19th, 2011
- Write comment
My last post was a rant. I posted it quickly without reviewing to get the problem out there (I’m sure there’s some terrible grammar in it, I really don’t want to reread it). It was also much more focused on CNET than Google. I’ve decided to write the problem up again, focusing on the bigger problem, not just the particular instance.
My last post was about two tiny words on the Google Accounts Authorisation page – Google Contacts.
What these words mean is to comment on this blog, I had to give the website access to every email address, phone number, and actual address for every friend I had in my contacts.
Before I go any further, CNET was not aware of this, and when I pointed it out to them they very promptly fixed it (There comment is in the previous post).
So I no longer have CNET in my sights, now I have Google. It’s one thing to let us share our information with sites, it’s quite another to let us share other people’s. In my opinion, here’s what Google has done wrong.
- If a website claims to require this data you can only let them have it or not login at all. This is an option (and there are probably others) which Google should FORCE to be optional.
- They describe it in two words and draw little attention to it. It should have in red next to it exactly what information will be shared with the site and point out the dangers.
So what should this look like? How about something along these lines…
As we’ve talked about, it provides a clear warning. Next it forces you to opt in to that permission. And finally there’s an option we haven’t talked about – send them fake data.
Why fake the data? Well to have Google force the option as optional is good but when the website gets the data back, there is nothing stopping them from saying, “Hey, you didn’t give us this permission, give to us or we’ll block you.”
Now it could definitely be argued that a website which behaves like this is one you should stay away from. But it could also just be a lazy coder – Look at what happened to .NET’s security system. By letting us send them fake data they cannot guarantee it is accurate, and thus any use of the data which does not benefit us, becomes useless (or at least less useful).
You might think you’re smart enough to always read these dialogs so this is a problem that won’t affect you. But remember, if you have any less technical friends, they may not only be unknowingly giving away their private data, but yours as well.
Please tweet/contact Google about this, blog about it yourself or just share this page to spread the word and get this problem fixed.