It’s one of Facebook’s most significant changes to the Facebook Platform since it first launched almost three years ago: developer access to user emails. It’s a major milestone in Facebook’s continued opening of the platform. This latest step, schedule to take place next Wednesday, January 20, is a technique adapted from the OpenID authentication protocol. While developers are anticipating access to user emails for obvious reasons, some developers are concerned about what the impact will be.
User Protections
In preparation for the transition, Facebook has highlighted complete details of how this will function for developers. Most significant are the numerous safe guards Facebook has put into place
to avoid abuse by third-party developers.
Email Domain Setting
The first protection Facebook is putting into place is the creation of a email domain setting, from which developers will have to specify the domain which emails will be coming from.
As Facebook states, “This is to safeguard against users’ email addresses being sold to third parties.” While Facebook doesn’t specify how they will ensure emails won’t be sold, the assumption is that among those developers who are suspected of abusing the system, Facebook will investigate and based on their findings they will shut down those developers who are in violation. Whether or not this layer of protection will be sufficient for protecting users is unknown.
User Education
The other step Facebook is taking to protect users is education about the new functionality. When users visit an application that request access to their email address, they will see a dialog (pictured below) at the top of every application canvas page which promotes the new feature. According to Facebook:
We will display these dialogs to all canvas application users — on every application they visit — for their next three sessions with each application. We’ll leave these dialogs up for three months after we launch email functionality, so that a user will see the prompt any time they visit your application during this period.
Proxied Email Addresses
In addition to educating users about the removal of notification and the sharing of email addresses, users will have the option to use a proxied email address if they wish to in order to completely protect against spam. This is an optional setting which Facebook decided to implement after extensive testing. As Facebook states, “In our tests we found that users strongly prefer having the option to share an anonymous email address.”
Additionally, if Facebook determines that an application is abusing the email settings, Facebook will set the user’s email address to the proxied version by default. This will be based on an automated algorithm, meant to detect abuse.
User Experience
While most of the user experience has been shown in the pictures above, we thought it would be useful to clarify the process which users go through when granting an application access to their emails. One thing to keep in mind is that applications can require users to grant access to their email. Alternatively, developers can make email access optional as it is at their own discretion. Developers should probably perform a fair amount of A/B testing going on as this new feature is rolled out to determine what the most effective balance is.
If you choose to request email permissions, the user will be prompted with the dialog below. Following their approval, users will continue to see the dialog pictured above, notifying them that they are sharing their email address with the developer of the application.
Email Address Disclosure Results Are Unknown
So what will the impact of the new email address permissions result in? Ultimately the change will be almost unnoticeable in the short-term as applications will function almost identically to how they previous did. Within 30 days of the launch of email permissions though, applications notifications will be deprecated. While abuse is possible, Facebook believes that the three primary protections put in place will be sufficient.
I can only imagine the future articles about applications which are set up for the purpose of collecting emails, however this is a transition that needs to be made. Facebook believes that the gradual opening of their platform presents a competitive advantage and will ultimately establish the company as the leading online identity provider. This is truly a huge milestone in the world of online identity and authentication but we’ll have to wait and see what the impact is.
Do you think Facebook’s decision to allow developers to request access to user emails is a step in the right direction? What do you think the impact will be?
be interesting where @proxymail.facebook.com ends up
the Facebook 3rd party email or a somewhere in the Facebook Inbox (a tab called ‘Anon Subscribed Emails’ or just ‘unwanted cr@p’ should suffice) we should also be getting a ‘Requests’ one
The advantage of notifications is that they *don’t* go anywhere near my email inbox. I play a fair amount of games on Facebook and some of the notifications are quite useful to have, but I certainly don’t want them arriving when I’m not actually using Facebook or playing games…. it’s actually a step backwards IMO.
Seems like it’s a technology step backwards to communicate now via email? Is Facebook sick of wasting bandwidth on Farmville messages? I am sure sick of seeing them!
Why would I ever want an app to email me? This is insane, it’s bad enough there are thousands of stupid pointless apps like ‘What’s My Jersey Shore Name?’ that litter my homepage, but now Facebook wants to let those developers have access to my email address? Why, so they can send me ads and offers? This has nothing to do with staying connected with family and friends, and I don’t see anything positive or productive about this, it’s just another means of spam. Someone please make a big enough complaint about this to get this off of Facebook.
This is a good thing for the users of Facebook.
Locks down yet another layer of privacy protection.
Thank you Facebook!
This seems like a poor decision and an opening for people to create apps to steal people’s identity. The ACLU has already commented on how much information people allow when they accept an app, so now it seems it’ll be worse.
I could see an application e-mailing you a status update. For instance, Sorority Life could let you know when you get attacked or Cafeworld could e-mail you when something you are cooking is ready to serve–all things that you would normally have to log in to FB to see.
giving facebook my email…yeah, okay. After reading that they probably already hack my account I really don’t see that happening any time soon.
If they don’t mind their own damn business I might as well just go back to myspace.com…
The things these APPs are doing is getting into very murky waters in language of policy like SAFE HARBOR PRIVACY PRINCIPLES between US Dept of Commerce and the EU for disclosing personal information to 3rd parties and then that 3rd party’s retention and further disclosure. Facebook should be proud to likely bring on further industry regulation to update the laws on privacy that they have been exploiting and tinkering with for self serving purposes while disguising their strategy with their own assumptions and predictions of the general public’s view on privacy and sharing “norms”. Frameworks of privacy developed back in the late 90’s and early 2000s will surely be revisited by authorities because of irresponsible exploiting conduct. Forced sharing of personal identity attributes with no verification process is reckless. Back when Facebook was collegiate only, the .edu verification made for a totally different playing field of somewhat authenticated identity. They open up to general public all the profiles with a current design of no verification of true identity. It is a paradise for impostors and identity thieves now.. Their statements of protecting privacy are at best, disingenuous. Unverified identities they now chose to publish to search engines may emerge as a huge liability for both Facebook and App developers who are complicit in potential identity fraud and harboring fakes that harvest more people’s personal info under a pretense of being secure and protecting the users with limited controls that fit the revenue strategy. Facebook would be wise to return the ability to OPT OUT any and all profile attributes any particular user is uncomfortable sharing with the world.
Facebook is so concerned for security that they strike up a deal with McAfee to secure their users? Do they realize that when they make a woman’s profile REAL name public and anyone could see the relationship association of her husband, the friend’s list or open wall, that the exact street address of this person is a nearly instant search link to property record publications? The exposures are enormous! Facebook should not confuse a new social norm to share with naivety of it’s users.
I can tell you that, as a parent, I will have to leave FB and take my family with me. Our concerns about cyberspace security are already huge enough! I won’t take further chances into the unknown! We have enough safe entertainment already with the gaming industry. Why would we risk our security for the not-so-incredibly-great applications on FB? They can be tossed out the window as far as I’m concerned!!!
I’m creating a new e-mail account right now to replace the old one. No way, I’m not allowing FB applications to spam my primary e-mail account. I can’t stand them spamming my profile page so my e-mail account? I haven’t lost my mind. Yet.
I’m waiting for the day Facebook is fined by the EU for privacy violations.
Read the SAFE HARBOR PRIVACY PRINCIPLES - ISSUED BY THE U.S. DEPARTMENT OF COMMERCE ON JULY 21, 2000. Consider if Facebook conduct with profile exposure, controls and 3rd party information sharing is consistent with the intent of this document? One thing you may get from reading this is government was more proactive on privacy than you would have thought years ago. Facebook is giving them lots of ammo now to revise and better regulate these concepts. Good job Facebook, you are about to put handcuffs on an entire industry with your behavior of attempting to force your interpretation of social norms on the public. You don’t think politicians with poll numbers in the toilet might not want to jump on an issue like this to bolster their “good guy” score? Congress is controlled by the same people that support the ACLU, who doesn’t like Facebook strategy a whole lot.. Not a good time for social experimenting with people’s personal info kids!
The title of this article suggests Facebook is allowing developers to access the user’s Facebook email (notifications), or emails they have sent/stored within the facebook platform, which is not the case. This confusion is evident from many of the tweets I am reading.
I think a subtle changing of the title will help clarify this as we spread the word.
I hated notifications, but you could turn them off, albeit one app at a time. I’ve already reported most of the games I play for sending me notification spam. I’m guessing maybe Facebook just got tired of getting involved with notification complaints, and it’s easier for them to let the developers spam our email instead. I’ve already gone and linked my FB account to an email address I never check, that is the one I’ll be giving out to any apps that require one, as well. And their spam will never be read.
Let me know where to send a copy of my key to mt front door. I suppose they’ll want my snail mail next.
I disagree with this new feature it is stupid and like someone above said it’s a STEP BACK this is crazy crap and annoying and frustrating. Come on facebook don’t be stupid keep things as they are because change that you think is for the best is not always the case. In the case of this change it’s dumb! End of story.
Facebook has just realise of letting the power to the hand of it user by letting user to decide how they handle their privacy.
This certainly can be consider as new level of knowledge. May god guide us. Amin
I accept
i wanna leave because there is 3 like gabeaud antonio
my messages are not sending and not a friends request add as add friends why?