Monday, August 23, 2010

Consent can't be 'informed' without 'information'

In its OAuth consent flow, Google refers to the requesting party (Flickr in this instance) as the generic 'third party service'.

2 comments:

blog said...

It can get worse than that. When provisioning apps in the Google Apps Marketplace the domain admin gets faced with 'this application would like to access contacts/docs/email/etc.' without going into any details about what it's going to do with that data.

This is why I think we need training wheels before we can have trust.

Paul Madsen said...

Wrt UI/UX 'training wheels': agreed, currently Google throws a unicycle at the user and asks them to juggle plates.

I started to collect these a while back:

http://paulmadsen.posterous.com/consent-anti-pattern-0

http://paulmadsen.posterous.com/bad-url-bad