At the same time, doesn't AA have the right to protect themselves from potential abuse? I don't have a problem at all saying that I'm not supposed to share my credentials with 3rd parties. The user has no control over what the 3rd party might do, and can only make that decision based on what they think they are going to be doing.