as days pass by

Tim Bray from Google is starting a conversation about “federated login”, the idea of logging into websites using your Google/Facebook/Twitter/something identity. It starts well, with

When you click on the dark-blue button to sign in with Facebook (or bright red for Google) what does Facebook (or Google) learn about you? What does the app you’re signing into learn about you? Uncertainty makes people nervous about federated login.

but unfortunately I think Tim’s missed a reasonable proportion of the point here. You see, there are two questions asked there:

1. When I log in to GreatNewApp with my Google identity, what does GreatNewApp learn about my Google identity and what can they do with that information?, and
2. When I log in to GreatNewApp with my Google identity, what do Google learn about me and what can they do with that information?

and Tim then goes on to only treat the first of those questions. I think that the second question is a big part of the reason why people are “nervous about federated login”.

When you sign in to an app with Google, you see, as Tim notes, a thing showing you what the app can know about your Google identity. At the bottom of that thing in tiny writing is “Google will use this information in accordance with their respective terms of service and privacy policies”. Which means nothing.

I’ve spoken to a few people about this; most importantly my daughter. She’s not massively technical, and she’s a heavy Facebook user. We talked about “Sign in with Facebook” buttons, and what she thinks. And she doesn’t use them. I asked why, and she said “because then Facebook posts on your wall that you’re using that app and I don’t want it to”. It’s similar with other people; as far as I can tell, the biggest worry is not that GreatNewApp might do something weird with your Google information, it’s that Google will do something weird with it.

Perhaps that dialog should look like this.

It’s not about what the RP (that is: GreatNewApp) can do with your information, Tim. That’s important, but it’s already taken care of; everyone involved in federated identity in any way spends all their time worrying about that. In talking to people, the biggest example of this is “sign in with Twitter”; if you sign in to an app with Twitter and Twitter displays “this app can read your direct messages” and “this app can tweet as you”, everyone’s justifiably worried: this thing is going to spam my friends with messages about itself! I don’t want that! And that’s correct. The existing federated systems deal with this problem — with the issue of apps doing things to your Google or Twitter or Facebook account — quite well. That’s now not the concern.

It’s about what the IDP — Google, Facebook, Twitter — can do and will do with your information, either now or in the future. If someone at Google (or at Facebook, or Twitter, or at my OpenID provider) starts building a new social network and says “hey, we know what everyone’s signed in to: why don’t we add an ‘Apps I Like’ column to this new network and show it to all the user’s friends?”… is that allowed by the current “terms of service”? Will the “terms of service” change so that suddenly it is allowed? When I sign in with Google, what does Google do with that information? Are there any constraints at all?

That’s what people are worried about, when I’ve asked them. It’s not just about protecting your Google identity from random applications. It’s about protecting your use of the internet from whatever Google want to do with it. Will a new post appear on my Google+ saying “Stuart just signed up with GreatNewApp”? Not created by GreatNewApp, but created by Google+ itself? There will be some who will say, Google will never do that. But I bet you’d believe it of Facebook, wouldn’t you? As Tim said right at the beginning, uncertainty makes people nervous about federated login. Let’s be certain about what all the parties are going to do with the information that I’ve just signed in somewhere, and let’s help everyone else feel certain too.