Tuesday, March 18, 2008

Clickpass Privacy Policy

Clickpass uses a 'give us your password' model for their 'assisted account merging' process,

add_openid_to_user

http://yoursite.com//add_openid_to_user/

Description

The purpose of this URL is to check the username and password and registers a new OpenID as belonging to a particular user.

Parameters your URL should accept

Submission method: POST

* openid_url- the OpenID to be authenticated
* user_id- the primary key (i.e. username / email ) for the user
* password- the password for the user
* clickpass_merge_callback_url- a URL at the OpenID provider (i.e. Clickpass) to process the outcome of the process

I'd expect that their privacy policy would clearly cover what they would do with the info?

Is it this sentence that is meant to cover the case?
You may also provide information to Clickpass through third party websites which you log into using the Clickpass Service. Such information shall be stored by Clickpass and handled by Clickpass in accordance with this policy.


Sounds like it's in the right ballpark but why not specifically say 'you may provide us your user names & passwords and we wont use them ever again'? The 'log into using the Clickpass service' could easily be (mis)interpreted as referring to OpenID SSO rather than to the merge process.

They do acknowledge the future relevance of OAuth.

Separately, am I alone in seeing the irony of OpenID deployers, in order to address the perceived 'User Provides URI' barrier, exploring mechanisms that

a) hide the whole complexity of identifiers from the user
b) rely on shared infrastructure to facilitate IDP discovery

Just me?

1 comment:

Phil Hunt said...

I'm with you. I was laughing because Ashish's post seemed to show how all the benefits of OpenID have been nicely eliminated. ;-)