Has Facebook made any concessions or promises about whether they leverage their opportunity to scrape user data from all these .js HTTP GETs? Maybe they don't use it and it's no big deal to them to not have that source of data. It may be an innocent consequence of offering the .js on every page of an RP.<br>
<br>(halo on head must assume good intentions everywhere. :-p)<br><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Wed, May 20, 2009 at 9:36 AM, Peter Watkins <span dir="ltr">&lt;<a href="mailto:peterw@tux.org">peterw@tux.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">On Tue, May 19, 2009 at 08:59:44PM -0700, Andrew Arnott wrote:<br>
<br>
> I haven't studied how Facebook Connect works. Does it somehow offer more to<br>
> the IdP than OpenID does for OPs in terms of useful data then?<br>
<br>
</div>Yes. In the traditional OpenID use case, an individual browses an RP site<br>
and the OP doesn't know anything about this browsing. The OP only has a clue<br>
about the browsing if/when the individual logs in with an identifier managed<br>
by the OP -- and even in that case, the OP probably doesn't know anything<br>
about the identity holder's activity on the RP site. Consider the Google<br>
OpenID setup where directed identity yields opaque identifiers that vary<br>
by return_to address -- chances are very good that every OP will see the<br>
same return_to URL for any given RP. So when I log in to Acme Newspaper<br>
with my Yahoo ID, Yahoo, as my OP, has no idea if I'm reading the business<br>
or sports section.<br>
<br>
Facebook Connect relies on RPs embedding &lt;script&gt; tags that reference<br>
<a href="http://facebook.com" target="_blank">facebook.com</a> URLs. Typically, RPs who use Connect will embed those tags<br>
on all their pages -- so Facebook would know exactly what I was reading on<br>
the Acme Newspaper site, even if I never explicitly chose to "log in".<br>
Connect offers more than just a way to authenticate to RPs with a Facebook<br>
account -- that injected JS allows Facebook to add widgets to the RP site<br>
that allow the RP site to feel more integrated with Facebook. But there's<br>
definitely a privacy issue here.<br>
<br>
Microsoft would be ripped to shreds if it tried the same stuff that Facebook<br>
and Google have been pushing these last few years, offering RPs some benefit<br>
(either apparent benefit to individual users as with Facebook Connect and<br>
Google Friend Connect, or benefit solely to the RP, as with Google Analytics)<br>
in exchange for RPs providing data about individuals' behavior.<br>
<font color="#888888"><br>
-Peter<br>
</font><div class="im"><br>
> On Tue, May 19, 2009 at 6:33 PM, Peter Watkins &lt;<a href="mailto:peterw@tux.org">peterw@tux.org</a>&gt; wrote:<br>
<br>
</div><div><div></div><div class="h5">> > I wonder if this means that Facebook might soon be willing to act as an OP.<br>
> > I suspect not -- the Connect "product" gives them another way to watch &amp; learn<br>
> > as its users browse other web sites, and providing an open OP service would<br>
> > reduce the incentive for 3rd party sites to go with the full Connect setup.<br>
</div></div></blockquote></div><br>
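The embedding pattern Peter describes above, as an added example that is not part of the original thread: a Node.js audit an RP could run over its own pages to list which third-party hosts receive a script request on each page view. The site news.example, the host connect.idp.example, the sample HTML and both function names are constructed for illustration.

```javascript
// Added example. Each third-party script tag makes the visitor's browser send
// a GET to that host on page load, logged in or not, along with whatever
// cookies and Referer detail the browser's policy allows (the full page URL
// under older defaults, only the origin under strict-origin-when-cross-origin).

// Constructed sample pages for a hypothetical RP, news.example.
const SAMPLE_PAGES = {
  'https://news.example/': '<script src="/js/site.js"></script>',
  'https://news.example/business/markets':
    '<script src="https://connect.idp.example/connect.js"></script>' +
    '<script src="/js/site.js"></script>',
  'https://news.example/sports/scores':
    "<SCRIPT type='text/javascript' src='//connect.idp.example/connect.js'></SCRIPT>" +
    '<script>var inline = 1;</script>',
  'https://news.example/login':
    '<script src="https://static.news.example/openid-selector.js"></script>',
};

// True when host is the RP's own host or one of its subdomains.
function isFirstParty(host, rpHost) {
  return host === rpHost || host.endsWith('.' + rpHost);
}

// Returns Map(thirdPartyHost -> [page URLs whose views trigger a request to it]).
function thirdPartyScriptExposure(pages, rpHost) {
  const exposure = new Map();
  // Matches quoted or unquoted src values; \s before src skips data-src.
  const scriptSrc = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const [pageUrl, html] of Object.entries(pages)) {
    const seen = new Set(); // count each host once per page
    for (const m of html.matchAll(scriptSrc)) {
      let host;
      try {
        // Resolves relative and protocol-relative (//host/path) URLs.
        host = new URL(m[1] || m[2] || m[3], pageUrl).hostname;
      } catch {
        continue; // unparseable src: the browser fetches nothing
      }
      if (isFirstParty(host, rpHost) || seen.has(host)) continue;
      seen.add(host);
      if (!exposure.has(host)) exposure.set(host, []);
      exposure.get(host).push(pageUrl);
    }
  }
  return exposure;
}

console.log(thirdPartyScriptExposure(SAMPLE_PAGES, 'news.example'));
```

In the sample, the login page loads only first-party script, so the constructed third-party host is contacted from the business and sports pages but never from the one page where a user would actually choose to authenticate.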