Facebook Is No Friend of Power.com (nytimes.com)
19 points by twampss on Jan 2, 2009 | 10 comments



So, let's get this straight.

1. It is fair for Facebook to ask for usernames and passwords to Gmail, Hotmail, et al. to provide functionality to their users.

2. It is unfair for Power.com to ask for Facebook usernames and passwords to provide functionality to their users.


I think that's a good point. It seems to me that it should probably be legal to act as a proxy for a user and do anything that user could otherwise do themselves regardless of any TOS.


I know that Google provides an API for accessing Google Contacts w/o passwords, but does Hotmail provide similar? If not, then it is fair... you use what you can. Otherwise, if there is a better way, then it should be used. I don't think that legal pressure is the best way of doing that, but it certainly is understandable to me.


Hotmail does have an API: http://msdn.microsoft.com/en-us/library/bb463989.aspx (looks complicated but is fairly easy)


If it's in Facebook's TOS that you need to access their site specifically through them then yes, Power.com is in the wrong.


Facebook doesn't get to define or create laws and ethics through their TOS.


Then they should ban the users who access through a proxy. A site can't put up a TOS that says you can't access through a proxy and then wait for it to happen to sue. The web would be chock-full of liabilities if shit like that were allowed to happen. Searching Google would be too dangerous, what if one of the sites in a SERP had a TOS against coming from a referrer?


The title here is misleading to me... it sounds like the kerfuffle is about Power.com not using the proper APIs and instead choosing to capture login credentials. That's a real breach of security, and given that Facebook implements an alternate authentication method, seems completely unnecessary. Maybe I'm missing something; is there anything you can do with direct logins that you cannot with Facebook Connect and full permissions?


"is there anything you can do with direct logins that you cannot with Facebook Connect and full permissions"

Yes, and that is exactly the problem. Facebook's APIs enforce very strict access controls on the data available to external or embedded applications. If you have my user name and password, you effectively have full permissions.

Secure by design means no access by default. Sometimes, there are things not yet or not fully exposed to the APIs under the API's definition of full permissions. Other times, the granularity of access controls doesn't exactly match what your application needs. The user name and password lets you avoid playing by the rules and has the potential to greatly undermine user confidence in the security of their data.


I had never heard of power.com until now... no such thing as bad publicity?

That said, I don't use any of the social networks they support, except Facebook...



