The Controversy
Read it if you are not updated with the recent development of Facebook controversy, else jump to next paragraph.
The bad days inside Facebook is happening now. Most of the people already know about the massive amount of data breach happened by Facebook to some data-analytics company Cambridge Analytica, who illegally purchased data of nearly 87 million Facebook users from an individual named Aleksandr Kogan. And those data included some private things like messages, photos of users. And the best part is this was not hack or something. The individual named Aleksandr Kogan built an facebook app and asked for all kind of permission from the users when they signed up for that specific app built on Facebook platform. Users granted those permissions and the developer got access a massive amount of data of Facebook users. He stored those data in his database and later sold to Cambridge Analytica for $800,000. The selling of data is illegal according to Facebook's privacy policy, and Mark Zuckerberg keeps claiming that they asked Cambridge Analytica to delete all data and "thought" this is a closed case. But eventually those data were used in America's election to campaign for Donald Trump. Those data was used to manipulate the election result which surely is not a good thing for a country like America.
Now if we reach to the bottom of the issue, we clearly see, it's facebook who granted access to user's data. And the individual users that data inappropriately. But the question remains same. Why Facebook didn't take a solid action against this massive data breach? Why didn't they monitor that 84 million users' sensitive data is getting transferred to a third party developer? Mark Zuckerberg keeps telling that all data were accessed with user's consent. They supplied data as users granted permission to do so. And that's true. Users granted to access those data.
And here comes the biggest User Experience issue. Can you remember the last app you used where you logged in with Facebook? If you can remember, can you tell me that what kind of permissions were asked to you? And what you granted and what not? If you can remember, then you are safe and congratulation, you belong to less than 1% of users who don't take personal security for granted. But most of the people don't even care. By logging in with Facebook, they grant all permissions they were asked for. They just click on a gorgeous blue colored Continue button and use the app. They don't bother to read what's written in the permission list. But when data leaks happen, then everyone becomes very touchy about the fact. No, I am not putting any allegation against users. Rather, I am suggesting changes in User Experience in Facebook's third-party login procedure(developer terms- oAuth login).
Facebook oAuth Login
So, I am taking Pinterest as an example. Pinterest is a famous photo pinning app used by more than 100 million users worldwide. They have a variety of choices for logging in. And one of them is facebook login which I believe the most-used login procedure.
Now I am going to click on the button "Continue with Facebook". I chosed it because, I hate giving my E-mail ID/Password everywhere. Then they will ask me to open my E-mail and verify that I own that e-mail ID and I have to remember the password. And every time I log in, I will have to type e-mail/password. So logging in with Facebook or Google is way convenient.
Now I can see a pop-up window opens up asking me to log in facebook. This login form will not appear in case you are already logged in on facebook.
After entering my username and password like below, I will arrive at the most crucial part. Where I have to take a decision. That's the judgment time.
Well. I expected that it would be too hard for someone to judge. Like should I share this information with Pinterest or I should just edit the permissions! But instead of all these, what you got a big blue Continue button which of course made your day. Just a click and you are done. No password to remember. No E-mail verification. Life becomes so simple. Isn't it? But if you are not that easy guy, you would click on "Edit this" button. Here you can see list of permissions Facebook is asking from you to share with Pinterest. And here it goes -
They will receive Public profile which includes Name, profile picture, my age, gender and public data, my friend list, Birthday. Wait. Public data? What are my public data? Do you know which things on your Facebook profile is public data? Most of the people don't know. PS: Even I didn't know.
From the screenshot you can see, Public profile checkbox is mandatory, So you can't ask facebook to not grant access to my public profile. Yes other two permissions are optional. You can uncheck it and proceed.
Now the question is do you really check each-time these options? No it's not your fault. Facebook has designed it in such way that logging in through facebook won't cost you much time. It would be done within 5 seconds, though you are compromising your security and information for this. Well, I was curious about what the other public data facebook meant to share with pinterest and I decided to see list of apps I have granted access. And from there I looked for Pinterest, opened it and here what I found -
What? My Likes? I just gave Facebook permission to share my liked pages with Pinterest? Why? if you scroll up a little bit, you can see a list of permissions. My Liked pages were not listed there. So, my best guess is Liked pages are the public data what they referred in the permission named Public Profile. So, just think, a company comes to know you have liked 10 fan pages of Hillary Clinton and it's clear that you are a fan of Hillary. Then some company can target you and can manipulate your thoughts in many psychological ways. Now think, if only liked pages are your public data, why didn't they just write "Pages you liked"? Instead, they wrote "Public data". That's bad. That's stealing. I would never give permission to access my liked pages but they have masked it with the term "Public data" and got your permission.
Criticism is happening, so I am not doing same here. Instead, I am trying to propose some other ways to bring more transparency in facebook OAuth login.
My Proposal
- They could split the flow into few steps. Maybe with the number of permission groups. As we saw in Pinterest there are three permission groups, so permissions will be divided in three steps.This has two advantages -
a) If some developer asks for too many permissions, automatically the number of steps will be increased and conversion may fall. In fear of that, they will ask for permissions without which they can't sign up.
b) Users can grant permissions after review, as permission list is open to see, not like before hidden under a button. - A user can check/uncheck optional permissions. Like for signing up basic name, e-mail, age can be a primary validation point which we can't ignore. So, this information is necessary. So, those checkboxes will be disabled by default. But Pages you liked should not be a mandatory checkbox. You should have power to not allow Pinterest to read pages you liked. It will gain better control and transparency over the data you share which Mark Zuckerberg keeps claiming.
- With the increment of the number of steps, there can be some disappointment in some users, but if you are an Android user, you can see for all crucial operations like for SMS/Call, accessing storage, accessing locations in any app, android asks for permission to the user. Though I have some problems in that too, I will try to explain it in a different post. But it gains better transparency. Also, probably android is not getting many complaints about asking for permissions.
- Frankly speaking, when I allowed Pinterest to access my facebook data, I never thought they would access my liked pages. But they did. It came as a surprise when I saw the list of permissions I have granted to Pinterest. These surprises are irritating. This will be removed completely if everything is written clearly. And most of all Facebook will get a chance to explain permissions.
I have made a small prototype for specifically this area. There is an external Adobe XD link too for the prototype below.
Also, you can see there's a Facebook logo along with Pinterest logo and an arrow from left-right. Visibly, it will give the user an idea that my data is flowing from Facebook to Pinterest, which was before on Facebook OAuth login, but they removed it. I believe, keeping logo with the arrow makes better sense.
Full Prototype link - https://xd.adobe.com/view/e0ebab41-bcfa-4be1-736d-d86339b2dd89-96da/screen/b8a6da71-6d57-4dae-8ce0-6ab68415c11f/Web-1366-3?fullscreen
As a UX designer, I always try to learn from mistakes, and I hope with the recent development of Facebook controversy, which is quite shocking, they will try to rectify their mistakes and will find a better way to improve their security. I believe, they have amazing brains who continuously giving huge effort to make the Facebook a better place, eventually, they will find a better idea than mine to make facebook data-flow more transparent to it's users.
We can't live without facebook and facebook deserves a chance to rectify their mistakes. If you believe in transparency and more control over your data, share the post in social, and I believe in this process more ideas will flow to make the system more trustable.
—
About the author
Showvhick Nath is the co-founder of AppRadius, a design-focused web and mobile app development company. He heads the UX, product design team and love to brainstorm new ideas.
If you liked the post, please hit 💚 so others can enjoy it too :)