How Facebook Connect Freaks Me Out

More and more sites I run into these days are offering a way for me to log in using Facebook. That’s cool, if it means I don’t have to fill out yet another registration form. But the permission pages that come up sometimes are so scary that I decline the offer.

This happened again with me today when I went to Groupon. The Facebook sign-in icon was there, so I tried it. This is what came up, in response:

You know, all I wanted to do was easily sign in to Groupon and buy a Kiva card as part of a special charitable offer that’s going on. Instead, I have to contemplate all these things that Groupon and/or Facebook will do with my account. Let’s do the blow-by-blow:

Access my basic information: Includes name, profile picture, gender, networks, user ID, list of friends, and any other information I’ve shared with everyone.

Some of this makes sense. Groupon can pull information it might ask me about on its own form, instead getting it from Facebook. Sure. But when you start talking about “list of friends” or “other information,” it feels like overkill.

Of course, I’m pretty sure this is just asking for permission to pull stuff that’s already public on Facebook to begin with. If so, why ask my permission and complicate things? This is probably a good intention disclosure that’s actually unnecessary and generates more concern than it relieves.

Send me email: Groupon may email me directly

Can’t complain here — simple and clear.

Post to my Wall: Groupon may post status messages, notes, photos, and videos to my Wall

WTF! That’s my initial reaction. Groupon’s going to just start posting things to my wall? Like what things? How often? Is it going to ask me first?

Again, I think this is a good intention disclosure. My guess is that if I do things in Groupon, it might offer to let me share my actions to my Facebook Wall, if I explicitly say so. I don’t know this, of course. And the permissions page does nothing to reassure me. How about a plain English explanation that tells me exactly what might happen?

Access my data any time: Groupon may access my data when I’m not using the application

WTF again. What data is it going to access? Why’s it need to access this any time?

Oh, by the way, Groupon’s not an “application.” Dear Facebook: There’s this thing called the web. It contains web sites. Web sites are not applications that run on Facebook, regardless of what your engineers might think. They are independent entities that may interact with Facebook. I doubt most typical Facebook users would think of Groupon as a “Facebook application.”

Check-ins: Groupon may read my check-ins and friends’ check-ins.

Because why? I mean, maybe you could explain a bit more about why Groupon needs to do this? And maybe I could opt-out of this, if it’s not absolutely necessary? Remember, my goal here was simply to log in to Groupon in the first place, not hand over check-ins from my friends.

Access my profile information: Birthday

This is clearly a template that says something like “List profile items that aren’t public in this fashion, ‘Access my profile information: item A, item B, item C, etc’.”

Again, plain English. Why not just say, “Get my birthday”? Sure, a little more programming time. But it’s worth it for the non-engineering types you’re trying to reach.


  1. says

    Exactly. I usually decline a lot of Facebook social apps for similar reasons.

    Even Facebook’s default settings for ‘Liking ads’ are interesting, “Hmm… so you liked that lingerie ad Fred did you Fried…?”

    May sound extreme but I don’t even want all my friends to know what I’ve liked reading via Facebook Connect (especially if like some people you have business contacts intermixed with your friends).

  2. @pceasy says

    Last week I saw that I could sign up for ESPN through Facebook connect. I thought that this would be a great idea since I thought I would not have to sign up for an ESPN account. I am so tired of having to create new accounts on multiple websites.

    When I logged on, ESPN wanted to know my birthday. Why? My only guess is so it can determine if I am 18+. After all that – I still need to create an ESPN account. So frustrating.

    Anyways, I have started to pay more attention as to what I am letting 3rd party apps know about my friends and myself and I am trying to warn as many people as possible. This article helps!


  3. Francisco Dalla Rosa says

    Most of that information is probably gonna be used by their recommendation algorithms to improve targeted offers. I really don’t like the “post whatever I want on your wall” permission too though.

  4. says

    how about “give all my personal info and data to this big corporate entity, in exchange for me getting $5 off my next purchase of your shit.”

    and yes, i think most folks would likely hit the button for $5.

  5. Sidharth says

    I agree with your concerns. Why not have a simple check button next to all options so that we can decide what the app can or cannot do. I avoid connect as far as possible due to this.

  6. says

    Not a Facebook fan but this is more a poor use of Facebook Connect than it is a problem with Facebook Connect. Groupon should ask for minimal rights on first connect and then only ask for subsequent rights when you perform related actions on Groupon (which would also make it easier for Groupon to handle refusals.) Having developed some Facebook Connect systems though I know it is all too easy to get all the rights up-front and not bother requesting it later. Most people (you don’t seem to be a typical user) hit Allow without thinking.

  7. Vincent says

    I had a similar concern with mashups asking access to my Google Account info. We proposed a reputation mechanism for mashups: the service provider (e.g: Google or Facebook) records every access to the user account and sends a report after a week. Users read the report, check that the application did nothing wrong and eventually rate it.

    Here is the link to the paper:

  8. igurvinderpal says

    It is kinda scary when I saw websites asking for the access to post on my wall without my permission. WTF, I don’t want anyone to post any stupid thing or link in my wall…
    Groupon’s intentions might be honest but I will never allow anyone to access that data

  9. says

    I agree with everything you wrote… but then the cynic in me, of course wonders…

    maybe this is a good thing? Because if Groupon is bought by Google, and then Groupon scrapes everything at some point, then Google could do a Groupon transfer of all interesting data and populate Buzz, Gmail, Google Me, etc. with the stuff you permitted Groupon to have.

  10. says

    Okay Danny, this makes me take a second look and a much closer look at what I’ve used Facebook to connect with over the internet. My laziness obviously needs to be trumped by good old-fashioned common sense.

    Point taken. Now off to review my allowed connections in FB.

  11. says

    We are all information collection robots programmed to collect all the info we can on everyone we can in every situation. When will it stop? I guess we all think the person/company with the most info wins. Thanks.

    I too am seeing this more and more and it is happening daily now versus occasionally in the past.

  12. MorpheusMirror says

    What happened to the openID project? I trust that way more than facebook. Facebook wants to spy and sell our online existence.

  13. Dan says

    You can always sign up the old-school way, and then they won’t have any access to your Facebook account. That said, I completely agree with this criticism. When you ask for access to information, explain why you need it. It’s up to us, the users, to deny these kinds of requests, and speak up. These tactics won’t change until they stop working.

  14. says

    I agree with MorpheusMirror: We should be using openid instead of FacebookConnect.
    Hopefully people will start to realise that we do not have to accept everything that Facebook imposes upon us, just because it’s convenient (well, I’m not that hopeful because that’s already what google is doing)…

  15. says

    Hey mom, yeah just type in your OpenID URL then your password and then click allow. No, no, that’s your email address, you need an OpenID URL. It’s like a web address, like, but your own. No, no, don’t put in, that’s not yours, that’s Google’s. Yeah, that thing you got from Yahoo! once, about ten words long with funny characters in it. Oh, you forgot your Yahoo! password? OK so they’ll send you a new one, then you can use your Yahoo! OpenID URL.

    Or, mom, you could just use your Facebook account by clicking the little blue button. That worked? Cool.

    (I’d so love to be proved wrong, have setup my own OpenID server before, but it’s still not usable for the average person and Facebook Connect is so much easier. Sure, there is risk and Facebook aren’t fluffy bunnies but you know, it works for thousands of websites and millions of people. We’ll only compete if OpenID solves its usability problems AND provides a social element which you get when you use Facebook Connect. And even then it will be a hard up-hill battle as Facebook are way up the road already.)

  16. says

    And sure Google and others provide nearly one-click OpenID “compliant” systems now but from the developers side it is fairly hairy as there are proprietary extensions/differences in how Google, Yahoo! etc. do it. And users still email you asking you to recover their accounts or merge duplicate accounts or… The reality is just too much of a mess at the moment.

    Now I have to go and try and figure out my StackOverFlow account. Was it email, OpenID, WordPress, Facebook or flava beans that I signed up with? Hmmm *clicks the Facebook button*

  17. says

    I like your point that facebook is easier and openID can be somewhat of a pain but I still think if more people knew about the openID project then more people would use it. Then maybe developers would want to make it better in the veins of wordpress or linux.

  18. @brian_a_jft says

    It’s a little uncomfortable now that you think of it. When I’m at a shopping mall and a cashier asks me for my postal code or email I usually decline, I have no prob. I’m going to rethink that now. Smells like the info gathering is some sort of “Arms Race” or something. :-S We are now bullets!

  19. says

    It reminds me of paying $20.00 for a promotional T-Shirt and then I get the “privilege” of being their human advertising campaign.

  20. says

    Absolutely on board with this post! I have chosen to abandon so many of these types of “applications” just because they want so much information. All I wanted to do was send a freakin’ card!!! AND you want the color of my underwear today and every other day??? WTH???

    Great POST!! So glad someone else sees this is overkill :)

  21. says

    Thank goodness I’m not the only one put off and concerned when I consider allowing some of these sites to connect to my Facebook account. It’s one of those things where I love the idea, but deny most of the time because it’s too unclear.

  22. says

    It would be helpful if FB allowed you to customize the message to include “why” you want to use the info.

    Having said that, 6 permissions is silly. Too much. Go try Rock Melt, I think it was something like 12.

  23. Eric says

    For Groupon, I got them to close my account that connected me through FB, and then opened one where you log in manually without the FB connect. At least I have better control of the info. I try to do the same with other sites as well, but I don’t know if it will be an option that much longer…

  24. Don says

    I find it not just a bit ironic that this article takes FC to task yet this site itself contains FC beacons/web bug/pixel/tag. Seems hypocritical to me….

    Good article, nonetheless, so thanks for posting it.