Please Give Us Your Email Password

Trying to sign up for Twitter these days gives you the same stupid thing. Real turn-off.

I’m not sure it would be too practical for MS to give user-friendly URLs for every API in the MSDN library. They do have quite a bit more to index there than Google or Yahoo.

@Derek, the changing your password deal will work to an extent, assuming it’s sites that you trust in the first place. The problem is that the whole thing encourages people to trust websites with their email accounts. If you trust the wrong site they can automatically go in and change your password, date of birth, zip code, security question, etc. so that you’re locked out of your own account before you have a chance to change it back yourself. Then they have free rein to whatever is saved in your email, whatever services you used that email to sign up for, and to spam all of your friends from your account. And if you’re using a free email account like Yahoo the chances of you recovering it are slim.

Even if they don’t lock you out, they’re still likely to have plenty of time to scrape a lot of data from your saved emails before you can change it again.

Personally I would never give any site access to my address book anyway, password or no password, for the simple fact that I respect the privacy of the people in my address book. If I want to know if my friends are on a particular service, I’ll ask them.

Best Regards,
Gerald

Simon, can you provide links to those Google / MSFT / Yahoo address book APIs?

I am frequently getting spam indirectly from people that have my email address and signed up for some stupid website which asks for access to their address book. The website collects all the email addresses and sends emails to all of them with content like:

“Hi, your friend: friendsemailadres@example.org signed up to win a super extreme fantastic 100000" inch HD television. He invites you to click HERE to join the competition”

Of course the people didn’t invite me, but just missed a super-hidden opt-out option that allows this, when registering for those sites.

Really really frustrating stuff.

Flickr (a Yahoo property) was recently able to access my Gmail address book, presumably through the aforementioned APIs. Flickr sent me to a Google page, where I clicked a button to authorize one-time access, and Google sent me back to Flickr.

Jeff, Google is a helpful tool :wink:

Anyways, hear hear! Yelp, Facebook etc etc should be ashamed for being so lazy in using OAuth to protect the privacy of their users.

The OAuth movement is very much needed:

not to mention, mayhaps your friends don’t want their contact information given out just because you want to be a member :-/

Seeing that would make me queasy. I was unnerved when Feedburner wanted to integrate with my Google Accounts–Google even owns Feedburner, this I know, but still…

Factory Joe’s blog has links to the Google, Microsoft, and Yahoo address book APIs, as well as a criticism and feature comparison to vcard:

http://feeds.feedburner.com/~r/factoryjoe/~3/305143626/

Jeff,

CAPTCHAs are an anti-pattern now too. Did you miss the memo?

They are only acceptable if they contribute to some “greater good” type of project.

BTW LinkedIn does this email thing as well, and I think they automatically parse your Outlook addresses if you use IE (or at least they used to).

Joe

Jeff - here are the links for you:

Google Contacts API: http://code.google.com/apis/contacts/
Yahoo! Contact API: http://developer.yahoo.com/addressbook/
Windows Live Contact API: http://msdn.microsoft.com/en-us/library/bb463989.aspx

I’m glad these malpractices are getting more attention, they deserve to get the bad rap on their wrist for these kinds of infringements of respecting users’ data.

Most of the services need the credentials for accessing the address book.
It is time for somebody to develop a central address book that can be accessed separately.

FriendFeed has already figured this out with their remote key feature, which allows 3rd party software access using a completely separate key. It would be nice to see this kind of feature in Gmail, Yahoo! Mail, and MSN/Live/Hotmail/whatever-the-hell-it-is-now-I-lost-track.

http://friendfeed.com/api/faq#remotekey

I really dislike that the social sites and applications are using brute force shotgun spam recruitment techniques, and effectively spoofing their spam by having you willingly ‘certify’ it.

It’s evil on evil.

Couldn’t agree more. I did this once, but only after I changed my password then changed it back 20 seconds later.

I find it interesting that you seem to keep the same hours I do (I’m also from California). Is your wife really OK with you blogging from 3-5AM?

Anyway, this is not a new FAIL by any means. I’ve seen similar forms on Facebook and LinkedIn, maybe a year ago, and I had the same reaction.

To be fair, though, you’re also trusting Yahoo! or Hotmail or AOL or Gmail with your single point of failure. And if you use Thunderbird or Outlook or some other desktop e-mail client, you’re also trusting it. And you’re trusting Microsoft or Apple or some random *nix vendor. You’re trusting a lot of people with your secrets already, and it’s rather unavoidable.

Here’s what I do. I never sign up for something with my personal e-mail address. I have some accounts on the side with completely unguessable names. A nice extra benefit of this is that none of the spam, “solicited” or otherwise, gets to my personal account.

I agree with all you said Jeff. I would add one more thing. Not all my contacts are personal friends. Many of them are business associates, clients, and vendors. There are even a few that I’m not all that fond of.

I would rather not get them involved. Especially if the end result is an email that invites them to join because their good buddy Bill has seen the light and offered their names and email. It’s unprofessional.

Isn’t it firstly a breach of the license agreement you accepted when you created your email account on those sites to give your password to a third party?

Secondly isn’t Yelp breaching the license agreement for the APIs they are using by asking other users to break their contracts and give away their passwords?

This has to be the sort of misuse EULAs are supposed to ban.

I think it’s becoming a de-facto standard (read un-stoppable ‘evil’) that any website who wants to drive the hassle away from the users and quickly gain access to potential users.

There should be a central service something like ‘Contact Service’ which stores your contacts for you and can import them from hotmail, yahoo, gmail etc or alternatively you can mark any contacts in hotmail, yahoo, gmail etc as ‘shared’ which are then available in this service which is accessible to all third-parties using your credentials.

Jeff, do you usually use the same password, or use a different one on each site? Because if you gave Yelp your email address upon registration, and used the same password on your account, you’ve effectively given them your email address and password without thinking about it.

I doubt that you would be so insecure as to use the same password for everything, but a majority of people do.