I work on viral FB apps, it is a numbers game. Without an auth flow the 2nd day retention is maybe 1-2%. With an auth flow + wall posts, it is true that 60-80% won't auth the app, but we get enough people who do and come back the second day to make it very worth it.
Facebook policy is that an app should not autopost without permission, even if technically there is the capability, and that policy is enforced on their end and respected on ours, so you are still free to auth the app but decline the autoposting if you choose to.
Every time I Facebook Connect to an app, I check my profile that nothing was posted. Even if Facebook does say if the app will post on my wall or not, I am just confused on what is going to happen next.
It is one of those things that prevent me from signing up at all.
This is why it's a very good idea to include the line, "We will never publish anything to your timeline without your direct permission", on your sign-up form. Or even more direct, "We promise not to post to Facebook that you signed up with us!".
Something along those lines will go a long way in getting me to use Facebook Connect to register for your application, because like you, I immediately go check... and I'm infuriated when they do.
You're right about the line. But, as an anecdote, Pinterest have a very similar line and I found a bunch of "xxx has begun to following yyy" (or something like that) after the "automagic auto-follow all my friends".
I discovered the "feature" of the posting only because someone answered my post... Now I'm way less confident in the promises made on login...
Yep, this happened to me as well. There seems to be some confusion, which no one is addressing because they want the virality, around the initial "User signed up for Product! Try it out!", and then future pushes based on user interactions or automagic sharing.
You have to remember too, that we are the minority, and most users (especially of services like Pinterest, which people absolutely love) don't really care about this stuff, or think it's normal.
Pinterest seems to have taken a page from Spotify and WaPo with their "sure you can turn wall notes off...if you ever realize that we're doing it" approach. Easier to ask forgiveness and all that.
You just convinced me to remove the 'social discovery' option (the developer option that posts whether or not a user is using your application to the timeline) from my Facebook Application.
If you're ever worried about an app posting to your timeline or you want to use an app that only grants access based on the permissions you give it (like the horrid Washington Post social reader), there's a really simple fix. Just select "only me" from the "who can see this activity?" dialog box. It's sometimes a very light non-contrasty color (which is sneaky), but after doing this the app can spam 1000 stories on your timeline but it will never be seen by your friends.
Sure you will be able to see it, but you can then remove the stories at your convenience. Even when I disable permissions and double check the dialog box, I always click this to make sure.
This is why I'm gunning for BrowserID and so should you. At least someone is trying to solve the problem and doing a good job of it.
It doesn't abuse user trust and when it is fully integrated into the browser (I imagine it as a replacement for those lame http auth dialogs), it'll be a no brainer.
It seems to me like most of my Twitter authenticated apps don't auto-spam. I think this is a Facebook culture and default settings problem more than anything.
I agree with you that FB Connect has tremendous potential, but I disagree with you regarding how negative people view it.
Using FB Connect for Greekdex has (seemed) to be effective. You must consider your audience--Greeks, even at UPenn, are less worried about their "sensitive" data in comparison to a startup that targets techies who are very aware and paranoid about their data.
I wrote about how companies should "stand on the shoulders of Facebook," feel free to read about it here:
I don't think "number of registrations received when offering only Facebook Connect" is enough data to evaluate the effectiveness of using Facebook Connect as your only login option compared to providing a real login option.
Edit: It looks like your product actually depends explicitly on Facebook data to work, so it wouldn't be possible to not use Facebook. While Facebook Connect is a good choice for a product like that, it is also the only choice.
I agree with you, I'm not trying to make a general statement that is true for everyone. Just trying to point out that FB Connect might not be viewed as negatively in certain markets.
Ok, in hindsight, I agree that might have been a pointless statement in the grand scheme of things, but 500/3000 Greeks in one week is significant market penetration. This is also an MVP that we developed in 4-5 weeks, so I say that with pride.
And I also apologize if my anecdote came off as a bold general statement that was backed by any formal logic or stats. It wasn't, and I didn't mean to make my argument based on that.
Well I guess it matters how important it is for you to get all the users interested in your service or a part of them. Right now there are two categories which you are definitely missing on:
1) People who don't have a Facebook account.
2) People who have one but are more privacy-concerned.
How affected you are by these two categories is defined of course by the target audience (demographics and social status for example), but it is pretty hard to draw conclusions without alternate methods of registration (for all I know those 500 registrations came from 1000 interested users).
Well, we're convinced that 99.9999% of Greeks have Facebooks. But all I'm trying to say here is that FB Connect might be extremely effective for certain markets, and horrible for others.
You may have misinterpreted what I said because I don't quite get what your point is. FB connect is not effective for certain markets. Good luck getting cryptologists signing up for your FB Connect website.
This is different than being a complete stranger to an app requesting your Facebook permission since the other students in your school likely knew who you were and where the app was coming from and decided to trust the Facebook auth based on that.
With a user being completely unaware of the app or brand I would say that the bounce percentage is actually very high.
This post is quite misinformed, IMO. Yes, many apps ask for the permission to post to your wall. You can say no. You can also go into your Facebook settings and remove that specific permission from the app, and then the app can no longer post as you, but the login functionality would still work (assuming they were halfway competent in their coding.) I often will remove the wall posting permission right after I grant the permission.
And as to the proposed solution, Facebook doesn't need to do anything. Those developing the apps don't NEED to ask for the permission to post to your wall. The developers (and business rules) determine what permissions to request, and we frequently build apps where all we ask for is basic information or basic + pictures, for example. There is absolutely no reason that the developers MUST ask for permission to post to your wall except that they are going to do it, probably without asking you first (which is EXACTLY what you granted them permission to do!)
So the answer to the problem is, don't login with apps that require you to grant permission to post as you. Or, immediately deactivate that access if you must use that app. Or do as others have mentioned, and just set that app to only be visible to you. You get the "benefit" of the posts, and it doesn't go out to anyone else.
The real problem is, most people just don't care. Facebook gets 80% CTR on permission dialogs, and almost 50% of people prefer social login to creating an account or using a guest account. Facebook has a great incentive to make sharing as frictionless as possible, so we are only going to see more ways to share things easier. I'm not saying that sharing is bad or evil, just that people should be making that choice consciously, not just blindly clicking it.
I think the post is a bit anachronistic. The dialog box has changed probably ten times since Connect launched, and there was a period where it was a slew of checkboxes to enable/disable ("always been bewildered by the way Facebook implemented Facebook Connect").
In addition, the feature of an off-site app to publish to your stream without asking you has come and gone (remember Beacon?), and has only recently come back with the advent of Timeline and publish_stream permissions. (which, IMHO is just like Beacon, only this time "we're ready for it.")
The article does seem to suggest that it has been a longstanding problem however, and that's simply not true - the abilities of what a Facebook-connected app can do, and the UX around it, have changed many times.
Facebook is very intentionally trading trust for virality. This is b/c most users don't really care. Over time the balance will shift back toward trust.
Google made the opposite choice, and is now shifting its focus to de-emphasize the trust of its users, or put differently, Google's new privacy policy (if successful) leverages the years Google spent building trust.
If by "leverage" you mean "cash out", yes. The official word from the top of Google is that privacy is deprioritized in Google Social, and that the future of Google is Social.
It seems like a more or less reasonable solution but it defeats the whole point which is to use and abuse users' data and circle of facebook friends.
If you remember several years back when it was discovered that ads had become inefficient because people learned to filter them out after being exposed too much for too long but that if the ad came from a member of the social circle it bypassed this filter and has the potential to go viral, which pretty much gave birth to so-called viral marketing.
Well it seems Facebook is the realm of a combination of viral marketing (trying to pretend not to be an ad in disguise) and spammer strategy (a large enough number of potential marks ensures some will fall for it). IINM this is what Facebook currently pushes for in a renewed attempt to monetize their userbase.
This seems like a reasonable solution I said, because the real problem with Facebook Connect is that it links real world identities (or rather Facebook profiles which is close enough to real world identities) to online activities that users don't necessarily want the world to know about. And while Facebook uses this to collect even more data about its users, the users have no control over it.
tl;dr: the real underlying problem of facebook connect is the same old "if you're not paying for it, then you're the product being sold".
I think solving this problem is just a band-aid. As sites like Facebook and Twitter have become mainstream, privacy concerns are also becoming mainstream. We're going to have to develop better ways of working with people's data -- kind of like PCI compliance but for personal data. I'm no fan of regulation, just making a prediction.
That said, if you don't need access to someone's entire social graph and just need an email, you should just ask for an email. Let's at least start there. But when the only business model anyone seems to know is "collect metric tons of data and sell it to advertisers" I'm probably yelling into the void.
Edit: err...oops. That probably sounded a bit spammy based on the down votes. Suffice it to say I'm starting a nonprofit in this vein. Info is in my profile.
As a developer it wouldn't be hard to implement this. Create a Facebook Login button which logs in with Facebook but doesn't allow the post-as-me permission. Create a separate button once they've logged in which says something like "I want to share this with my friends now" which would ask for the share-as-me permission. Or set up the dialog so that it only asks for the share-as-me permission when the app needs the share-as-me permission. I think this is more developers not putting enough thought into what permissions they actually need vs what permissions are nice to have.
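The split described in the comment above (log in with basic permissions, ask for post-as-me only when the user chooses to share), as an added example that is not part of the original thread or any commenter's code. The action names, `APP_ID_PLACEHOLDER`, the redirect URI and the helper names are assumptions; `publish_stream` is the permission named elsewhere in this thread.

```javascript
// Added example: least-privilege login plus just-in-time permission requests.
const DIALOG = 'https://www.facebook.com/dialog/oauth';

// Hypothetical map of app actions to the extra permissions each one needs.
// Logging in needs nothing beyond the basic profile.
const REQUIRED = {
  login: [],
  contact: ['email'],
  share: ['publish_stream'],
};

// Permissions an action needs that are not in the user's current grant list.
function missingScopes(action, granted) {
  const need = REQUIRED[action];
  if (!need) throw new Error('unknown action: ' + action);
  const have = new Set(granted);
  return need.filter((scope) => !have.has(scope));
}

// Build an authorization dialog URL that asks only for the given scopes.
// `state` is the OAuth anti-CSRF value the callback must verify.
function dialogUrl(cfg, scopes) {
  const q = new URLSearchParams({
    client_id: cfg.appId,
    redirect_uri: cfg.redirectUri,
    state: cfg.state,
  });
  if (scopes.length > 0) q.set('scope', scopes.join(','));
  return DIALOG + '?' + q.toString();
}

// The "Login" button: never requests post-as-me.
function loginUrl(cfg) {
  return dialogUrl(cfg, REQUIRED.login);
}

// The "share this now" button: returns null when the action may proceed,
// otherwise the URL for a dialog requesting only what is missing.
// `granted` must be re-read from the provider each time, because the user
// can revoke a permission in their settings and login must keep working.
function permissionRequest(action, granted, cfg) {
  const missing = missingScopes(action, granted);
  return missing.length === 0 ? null : dialogUrl(cfg, missing);
}
```

Because the share path is checked separately, a user who revokes the posting permission still logs in normally and is simply asked again the next time they click the share button.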
I agree with this posting. Facebook has done a terrible job of protecting users with the Facebook login to the point where it's completely untrusted.
When I come across an iPhone app that asks for a Facebook login, my first thought is "Which one of my fake Facebook accounts should I use to log in with?" There is no way I want some app to upload my friends list, etc, on first use without me knowing exactly what is going on, a la Path. Both Apple and Facebook are guilty of this and they need to fix this quick.
From the perspective of a web developer, what I don't like about Facebook Connect is I give up ownership of my user accounts.
In other words (unless I ask for and maintain separate user tables), all the login credentials stay with Facebook. And if they ever decide to stop supporting my site, I lose all my users.
I'd be willing to pay for a FB Connect like service if I trusted it (which would probably mean the ability to download login info on anyone who connected, so I could roll my own user management whenever I wanted).
Someone posted this idea the other day: save the user's email and if you ever want to get rid of (or if you get kicked from) FB Connect you can ask the user to reset their password.
I wanted to write a similar blog post to this - Facebook has done itself and all developers a huge disservice by botching Facebook Connect and frankly the entire permissioning system for accessing the social graph - users are so frightened that apps will be able to publish on their behalf that they will not even click a Facebook Connect link - even if the text next to it says it is only asking for the most basic permissions.
This hurts the whole social ecosystem on the web - cool apps can't get traction, new redundant networks end up springing up because people can't leverage the existing graph, and users are frankly scared. The really sad part is that these days they usually have nothing to be scared of - Facebook's permissioning system is so onerous that most developers have access to very little data and can do hardly anything without a user's explicit permission.
I wish there was a way for Facebook to redeem itself with regard to Connect, and to rebuild user trust. I am doubtful.
They sort of have this with extended permissions (which can be turned off by the user), but he's right in that it's too complicated and not communicated to the user well enough to actually be useful.