Not So Relevant: Your Passwords Are Sold. And Plaxo?

  • John McCrea · 11 months ago
    I appreciate your advocacy in this space, but I take issue with your charge of hypocrisy. One of the key motivations of the Portable Contacts initiative was the realization that the mere presence of APIs was not sufficient to shift developers over from scraping, so long as each provider created a new, proprietary, and completely unique API (often with its own proprietary and unique delegated auth system and its own unique UX). Portable Contacts (which specifies OAuth for delegated auth) offers a way out of the madness. So rather than Plaxo (and every other social site out there) paying the tax of having to develop and maintain separate code for each data provider, we should be able to write our secure import code once (or better yet, use a freely available open source library) for Portable Contacts and have it work with GMail, Yahoo Mail, and Microsoft's Live Mail. The good news is that we made enormous progress in 2008, going from conception to draft spec, to early implementations, with wire-compatibility with OpenSocial RESTful API 0.8.1 and above. And right before the holidays, Joseph Smarr demoed the full Open Stack with an end-to-end implementation between Plaxo and Google, that included Portable Contacts out from GMail. So, while my tweet might have sounded like foot-dragging or fancy positioning, it is not that at all. We are on the cusp of seeing broad support for a single standardized and secure method for accessing address books, social graphs, and profiles. In the meantime, investing in developing code against the various "beautiful snowflake" APIs does not make business sense.
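    The comment above rests on one technical claim: with Portable Contacts the importer authenticates by OAuth, so it holds a consumer secret and a per-user token secret and never sees the user's mail password, which is the whole difference from screen-scraping. The following is an added illustration for this thread, not Plaxo's or Portable Contacts' own code: it signs a request with OAuth 1.0 HMAC-SHA1 (RFC 5849), checks the signature base string against the worked example in RFC 5849 section 3.4.1.1, and then signs and verifies a constructed fetch of a Portable Contacts `/@me/@all` resource. The endpoint host, consumer key, token and secrets in the Portable Contacts part are made up.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 request signing, the delegated-auth
mechanism Portable Contacts specifies. The client holds a consumer secret
and a per-user token secret; the user's mail password never reaches it.

Added illustration for this thread; not Plaxo's or Portable Contacts'
own code. The Portable Contacts host, keys and secrets below are made up.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def _enc(s):
    # RFC 5849 s3.6: encode everything except ALPHA / DIGIT / "-" "." "_" "~".
    return quote(str(s), safe="-._~")


def base_string_uri(url):
    # RFC 5849 s3.4.1.2: lowercase scheme and host, drop default port, query, fragment.
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname.lower(), p.port
    default = {"http": 80, "https": 443}.get(scheme)
    if port and port != default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path or '/'}"


def signature_base_string(method, url, oauth_params, body_params=()):
    # RFC 5849 s3.4.1.3: query + form-body + oauth_* params (minus oauth_signature),
    # each name and value encoded, sorted by name then value, joined with "&".
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += list(body_params)
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((_enc(k), _enc(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _enc(base_string_uri(url)), _enc(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    # RFC 5849 s3.4.2: key is enc(consumer_secret) "&" enc(token_secret).
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 body_params=(), nonce=None, timestamp=None):
    """Client side: build the oauth_* parameters and the Authorization header."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
    }
    base = signature_base_string(method, url, oauth, body_params)
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{k}="{_enc(v)}"' for k, v in oauth.items())
    return {"oauth": oauth, "base_string": base, "authorization": header}


def verify_signature(method, url, oauth_params, consumer_secret, token_secret, body_params=()):
    """Provider side: recompute from the received parameters, compare in constant time."""
    base = signature_base_string(method, url, oauth_params, body_params)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


# Known vector: the request of RFC 5849 section 3.4.1.1 (form body "c2&a3=2+q").
RFC_METHOD = "POST"
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = parse_qsl("c2&a3=2+q", keep_blank_values=True)
RFC_OAUTH = {
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q"
    "%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_"
    "key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_m"
    "ethod%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk"
    "9d7dh3k39sjv7"
)

# Constructed Portable Contacts fetch: host, keys and secrets are made up.
POCO_URL = "https://contacts.example.org/poco/@me/@all?count=50"
CONSUMER_KEY, CONSUMER_SECRET = "importer-demo", "consumer-secret-demo"
TOKEN, TOKEN_SECRET = "user-token-demo", "token-secret-demo"


def poco_fetch_example():
    signed = sign_request("GET", POCO_URL, CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET)
    # The provider looks up both secrets by oauth_consumer_key / oauth_token and checks.
    ok = verify_signature("GET", POCO_URL, signed["oauth"], CONSUMER_SECRET, TOKEN_SECRET)
    return signed["authorization"], ok


if __name__ == "__main__":
    assert signature_base_string(RFC_METHOD, RFC_URL, RFC_OAUTH, RFC_BODY) == RFC_BASE_STRING
    header, ok = poco_fetch_example()
    print(header)
    print("provider accepts signature:", ok)
```

    The provider only ever needs the token secret it issued to this consumer, so a leaked importer database exposes revocable tokens rather than mail passwords; a scraper that stored the password has nothing equivalent to revoke.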
  • Matthias Pfefferle · 11 months ago
    But that's not exactly the point, John... I understand your argument with Portable Contacts and a standard way to share contacts, but every proprietary API is better than using the "password antipattern"! Besides, Google and Yahoo! are already using OAuth for authorization, so it is much easier to implement their APIs than to use a screen-scraping mechanism.

    We "all" want to have a standardized way to share contacts (as Portable Contacts will provide it) but I think in the meantime we should nevertheless avoid the "password antipattern" the best we can.
  • Carsten Pötter · 11 months ago
    Thanks for your comment, John.

    I am well aware of Joseph's demos of Portable Contacts working with Gmail. I have linked to your article about it. I am also not suggesting that web services like Plaxo should develop code for every single API out there. Like you have written above, that doesn't make (business) sense. OAuth and Portable Contacts are the way to go. There is no disagreement between you and me.

    I admit that the title of the posting is provocative - but that's been the intention - and I understand that you take issue with being called "hypocritical", however just "a little bit". Though believe me, we're both supporting the same cause.
  • Matthias Pfefferle · 11 months ago
    I agree that implementing a whole bunch of APIs isn't the right way and definitely not a good solution for a business.

    But why is screen-scraping the easier method? Because there are a bunch of classes out there ready to implement. And if a service like Plaxo is using such functionality it becomes "state of the art" for other sites and companies, because users are habituated to using them... so I think using other standardized ways to import contacts like XFN/hCard, FOAF or vCards is much better than using the "password antipattern". We have to educate our users first, because they have to use the things we build!

    And that shouldn't be an attack on what Plaxo is doing, because I love what you guys have done with "Portable Contacts", "The Social Web TV" and your dedication to many other "Open" solutions... but the "password antipattern" can't be an alternative!
  • Jeremy Keith · 11 months ago
    I deleted my Plaxo account a while back precisely because of this.

    John, I'm sorry but it *is* hypocrisy. As it is now, you are scraping email addresses differently for each email provider, and that is as much work (if not more) as implementing the APIs now provided by each provider.

    More importantly, the ethical issue here is that you are telling people it's perfectly okay to hand over their email passwords to anyone who asks. That may make "business sense" but "business sense" does not trump moral responsibility.

    John, you and Joseph know better than this. It is precisely because you know better than this that I was so disgusted by Plaxo's continued support of the password anti-pattern. Hence, my account deletion.
  • Chris Messina · 11 months ago
    I'd like to give John the benefit of the doubt, not just because we're friends, but because I know how long and much work needs to go into getting large organizations to shift.

    That said, I agree with Jeremy's point with two additional questions and one statement:

    1. What's the delta between how things are today with your scraper and getting to a point where you can simply use PoCo? If you're waiting on the service providers to adopt the protocol (clearly it needs to get finished in the meantime!), how far away are we from seeing live support? Two months? Three? Six months? Perhaps providing a non-binding timeline, and the things it depends on, would help to assuage these claims of hypocrisy. At least you're doing something about it.

    2. Why don't you at least offer optional support for the delegated authentication protocols provided by all of the major service providers in the meantime? At least the solutions exist today and would show a genuine commitment to making it possible for people to have control over how they provided access to their data.

    3. While I'm an advocate against the password anti-pattern like the rest of you, I do think that giving up your account credentials to sites and companies you trust is not always a bad thing. It certainly isn't an ideal solution, and in fact makes for lazy developers, but if you trust a company, say, with your credit card number and secret code, that's hardly different from trusting a company with your email credentials. If people make an informed decision about trusting Plaxo and hand over the keys to their accounts, that's their decision. How they become informed is another topic, though, and the greater point about teaching people bad security hygiene still stands.
  • Carsten Pötter · 11 months ago
    Of course, trust is necessary in quite a lot of activities on the web. I have to trust my email provider, my OpenID provider, merchants,... The list is endless. Though I think it's different with Plaxo:

    1. It knows better. That's really simple.
    2. Plaxo has a bad reputation for spamming people's contacts. While this is a thing of the past, Plaxo still suffers from it and some people still make unfounded allegations. Scraping plays into the hands of those people.