What do sites need from social login buttons?

Not want.

Need.

If a site has one of these…

social-signin

… what is the least information they need from the user?

Seems to me that “social” login buttons like these are meant for the convenience of the user. But too often liberties are taken with them.

For example, here is what one company says in its terms & conditions:

Certain functionality may enable you to log-in using Facebook Connect, a Facebook, Inc. application, which is intended to provide interconnectivity between the Services and your Facebook.com profile. By using the Connect feature, you permit us to access your facebook.com profile, including without limitation,  information about you, your friends and privacy settings. When you use the Connect feature, you also agree to allow Facebook, Inc. to use information about your activities on our site and to access your facebook.com cookies.

This is an otherwise respectful (and respectable) company, which is why I’m not naming them here. They are also a retailer, and not supported by advertising. Nor is their offering “social” in the “social media” sense.

And, while the company might want Facebook profile stuff to better understand their customers, do they need it?

In answering the question, What do fully respectful sites need from social login?, it helps to ask another question: What does the individual need from that button, other than to log in with one click?

I’m asking these questions because this button here…

respect-connect-button

… needs definition of what respectful login is.

As I said in Time for Digital Emancipation, the definition (via the Respect Trust Framework) is that the user and the site respect each other’s boundaries. So we need to say what those boundaries are, or what they might be under different conditions. But a good place to start is by asking what the bare minimum needs of a site are.

So, what are they?

9 comments

  1. Phil Windley’s avatar

    What any given site needs might vary depending on their business. As you point out a retailer doesn’t need, but might want a Twitter handle. On the other hand a blog that automatically tweets comments you post on it would need the Twitter handle to provide service.

    The bare minimum is pretty minimal: a unique identifier.

    The identifier doesn’t even have to be the same identifier used at the social login site. So, for example, if I log in with my Twitter handle, Twitter could simply provide a UUID back to the relying site.

    For some uses that would be sufficient.

  2. Doc Searls’s avatar

    Thanks, Phil. Very helpful.

  3. Tim Boudreau’s avatar

    I played with doing social login for blog comments on my website, to combat a rash of comment spam that had become a daily battle. Really, all I was after was to let a site with the scale to do something about abusive accounts handle weeding out the worst offenders, and put a small barrier in front of someone trying to post spam.

    In practice, Facebook gives you the farm whether you want it or not. I don’t actually want to know someone’s hometown, school, etc. – just to have Facebook say “I vouch for this person” or not. But there is no way to not wind up collecting a vast blob of personal info when using Facebook login. I’m sure in someone’s mind this is a feature, not a bug.

  4. Alan Ralph’s avatar

    A couple of years ago, I actually made a point of going through the list of sites that I was using my Facebook ID to gain access to. Then I looked into which of those sites I could persuade to use a username / email address plus password instead. Some were amenable (Pinterest, for instance), others required me to create a new account, but for quite a few it was either a social network ID or no deal. Needless to say, I closed a few accounts.

    The main reason many sites ask for a social media ID, apart from the convenience factor, is that they can find out who your friends are. Mostly, it’s just used to let you know if friends are also on the same site or app. (Potentially useful, if a little presumptive, as they’re hoping you’ll connect and use the service even more as a result.) Some, though, step over the mark by trying to persuade you to hawk the service to your friends, or even hawking to them itself.

    The most presumptive, though, are those sites or services that will only accept a subset of social network IDs, or even only accept IDs from, say, Facebook or Twitter. As I’m no longer on Twitter, the latter requirement is guaranteed to ensure I won’t be using that service.

    I just hope that the Respect Trust Network and similar efforts actually gain traction, and we don’t end up with another situation like OpenID, which showed such promise but ended up being virtually unused. (Pun intended.)

  5. Doc Searls’s avatar

    Thanks, Tim.

    That’s helpful input. All you needed, then, was a unique identifier (even, I would presume, if it’s “Anonymous Coward,” so long as it’s not a spammer). Have I got that right?

  6. Bradley’s avatar

    Once the link has been shared on the social network, the number of clicks is then tracked by the network. You can see the redirect when you hover over the link without clicking it.
    Is it really a problem though?

  7. Anonymous Marketer’s avatar

    Any site that has social login will probably have it at the request of marketing. We want to be able to capture as much data about you as possible to better target people like you, which really means spending less money to win your business. And we want to track you when you leave so we can know what other sites you visit so we can figure out what sites people like you visit, and advertise there. We want to follow you so we can “re-market” – follow you around with our ads. Social login makes that a whole heck of a lot easier.

    I probably should have posted this on Secret.

  8. Doc Searls’s avatar

    I know what marketers want, AM. But I don’t believe that’s what every site wants; and I’m sure that’s not what every user wants, or ad and tracking blockers wouldn’t be the top browser add-ons.

    Tracking a person after they visit a site isn’t respectful, unless they explicitly say they want it. That marketers can do it, and that it yields some good results for users, doesn’t make it right.

Comments are now closed.