Can OpenID be a honey trap in the hands of the wrong providers?
May 28th, 2009
Last week Facebook announced it has become an OpenID relying party: any user with an OpenID URI can seamlessly log in and register with Facebook. After users link their Facebook account to a GMail account, they will be automatically logged in to Facebook after having previously logged in to GMail.
This move is very good for the user. By using OpenID URIs, the user needs only one username/password pair, with which he signs in to his OpenID service provider. From that point on, the user doesn’t need to remember other sets of credentials. Yoohoo! Freedom from long lists of passwords at last!
Single sign-on (SSO) offers great advantages to users and web sites. Registration and login become much easier for both sides. Users will be more inclined to register with a site if they don't have to manually type their details, wait for the confirmation mail, click confirmation links and so on. Emerging web sites will benefit from making registration easier for new users.
However, one has to wonder why Facebook, which already managed to get hundreds of millions of registered users without OpenID, would spend resources on this standard. One might say that being open to the web, playing nice and living in harmony with the rest of the big boys is a good enough reason. I certainly support this attitude. Sharing, collaboration and overall openness is definitely the direction the web should aspire to. Still, in the wrong hands, OpenID can have negative consequences.
Maybe I’m paranoid. Maybe I’m missing something, but for me, the ease of registration can also be a honey trap. When a user links his Facebook account to a GMail account, Facebook asks for the user’s email, contacts, language and country. That information is not required for SSO. Facebook can use this information to learn more about the user, customize its offerings, match GMail contacts with Facebook accounts and suggest that the user’s contacts join Facebook.
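As an added illustration (not part of the original post, and not Facebook's or Google's code), the Python below lists the profile attributes a relying party asks an OpenID 2.0 provider to release through the Attribute Exchange or Simple Registration extensions; none of them is needed to authenticate. The sample request and the `provider.example` / `rp.example` hosts are constructed, and contact-list access is not modeled.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

AX_NS = "http://openid.net/srv/ax/1.0"                # Attribute Exchange 1.0
SREG_NS = "http://openid.net/extensions/sreg/1.1"     # Simple Registration 1.1

def requested_attributes(auth_url):
    """Map each attribute the relying party requests to 'required' or 'optional'."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(auth_url).query).items()}
    found = {}
    for key, ns in params.items():
        if not key.startswith("openid.ns."):
            continue  # only extension namespace declarations carry an alias
        prefix = "openid." + key[len("openid.ns."):] + "."
        if ns == AX_NS and params.get(prefix + "mode") == "fetch_request":
            for field, level in (("if_available", "optional"), ("required", "required")):
                for alias in filter(None, params.get(prefix + field, "").split(",")):
                    # Report the type URI when declared, else the bare alias.
                    found[params.get(prefix + "type." + alias, alias)] = level
        elif ns == SREG_NS:
            for level in ("optional", "required"):
                for name in filter(None, params.get(prefix + level, "").split(",")):
                    found["sreg:" + name] = level
    return found

# Constructed sample: an authentication request that also asks for profile data.
SAMPLE_REQUEST = "https://provider.example/auth?" + urlencode({
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "checkid_setup",
    "openid.claimed_id": "http://specs.openid.net/auth/2.0/identifier_select",
    "openid.identity": "http://specs.openid.net/auth/2.0/identifier_select",
    "openid.return_to": "https://rp.example/openid/return",
    "openid.realm": "https://rp.example/",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_request",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.type.lang": "http://axschema.org/pref/language",
    "openid.ax.type.country": "http://axschema.org/contact/country/home",
    "openid.ax.required": "email",
    "openid.ax.if_available": "lang,country",
})

if __name__ == "__main__":
    # Everything printed here is data requested beyond the login itself.
    for attr, level in sorted(requested_attributes(SAMPLE_REQUEST).items()):
        print(f"{level:9} {attr}")
```

A request that carries only the core `openid.*` fields yields an empty result, which is all that single sign-on itself requires.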
This kind of information is the bread and butter of many web sites. Web sites use it for promotions, advertisements, customization and much more. Potentially, this information is worth a lot to the web sites asking for it. I wouldn’t be surprised if major players start charging for that information crossing over. Maybe we can call it an “information border tax”.
What do you think?
