What does this have to do with you? Well, Facebook is the Death Star, and you're helping build it.
Ok, so you're not part of the Empire, but you're contributing to the construction nonetheless. You're the plumber or the electrician, the guy that forgot to put in safety rails, the girl that builds the strangely located trash compactors in prison blocks and then ensures they have large tentacled creatures in them, or maybe you're just the one responsible for naming Mr. Coffee and Mr. Radar. The point is, you don't need to work for the Empire to be complicit in its success.
Tim Berners-Lee, in his Scientific American article, wrote, "If we, the Web's users, allow these and other trends to proceed unchecked, the Web could be broken into fragmented islands. We could lose the freedom to connect with whichever Web sites we want." One of the trends he speaks of are the walled gardens of information; silos of user data owned by the likes of Facebook and LinkedIn. He argues, "Each site is a silo, walled off from the others. Yes, your site’s pages are on the Web, but your data are not."
Many applications now provide the ability to log on to their system using Facebook Connect. In many cases, this is now the exclusive means of registering. Signing up to just about anything is becoming a simple matter of clicking the "Facebook Connect" button. For many of us, it's almost too tempting to take the quick route rather than signing up a whole new account with a new password. What we're not doing, however, is giving thought to what we're really doing. By joining something like Digg with that one click, we're permanently tying our Digg identity to our Facebook identity. Without thinking, we've made an implicit decision that our Facebook account will be active longer than our Digg account. From this point on, we can't delete our Facebook account without losing access to Digg as well. By doing this, we've all decided to make Facebook our permanent record, our online authentication protocol and our secure means of access to dozens of websites and applications.
Most of us sign up to a social network with little thought to the security behind it. Afterall, do I really care if someone knows what I did last summer? But if your Facebook account becomes your online passport, how secure is it? If your Facebook account is compromised how many sites does that hacker now have access to? How many sites can a hacker sign up to and assume your identity in the process? How many sites have your Credit Card stored securely for easy checkout? The hacker now has access to it all. The more ubiquitous Facebook becomes in your life, the more likely it is to be compromised and the more destructive it will be when it happens. What was originally a means to connect with friends, has become your single online identity. But you don't need a hacker installing malware on your PC. This an identity that is persistently logged in on your home laptop, your iPad, your iPhone and your work PC. Have you ever lost your phone or even just left your computer logged on at work? Someone now has access to everything you do online. Worse than that they even have a handy list of every website you're signed up to with Facebook Connect.
These are all personal issues, things that affect the end user. I'm not proposing people go out deleting their Facebook accounts. Facebook connect is actually really handy. But what about the big picture? What happens when everybody on the Internet uses Facebook as their online identity? What happens when sites start offering Facebook Connect as the only means to sign up? Without realising it, you've made Facebook the sole authentication system for logging on to just about anything on the Internet. A closed-network owned by a private company now has a complete record of every site every person on the web visits. Think about that for a second. Remember that kid from that Social Network movie you saw the other day? He's holding all the keys to everything...literally.
The danger in Facebook isn't in that you can't take your friends elsewhere, the danger in Facebook is having it become a defacto standard means of authentication on the Web. Every time somebody hands the keys to their Blippy account over to Facebook, that is one more person who is now "stuck" with Facebook. You can decide to leave your social network behind, but if you use Facebook Connect, leaving Facebook also means leaving behind every account on any one of a hundred different websites. The barrier to entry is insignificant, yet the barrier to exit is so insurmountable that it's scary. It doesn't matter what the Diaspora project do. The social network is all but irrelevant now, it's the online authentication hook that is what will ensure Facebook survives any new up and comer.
The real problem is having Facebook as a permanent centralised authentication system in the first place. It's one thing to "get started" with Facebook Connect, but an application should always provide another means of accessing the application without Facebook (even for those who connected with Connect in the first place). If Facebook becomes inaccessible, or we want to stop supporting Facebook, or even if Facebook stops supporting us, we need to have a solution ready to allow users to continue using our application without that reliance on Facebook Connect.
The goal here is to prevent Facebook "lock in" and I believe, the humble "forgot password" is the place to start. I'm putting forward the suggestion that applications that implement Facebook Connect should add a "login without Facebook" next to their "login with Facebook" link. This would work something like a "forgot password" function for Facebook users who no longer want to connect using Facebook. This would transparently modify their accounts to allow manual login and simultaneously perform a "forgot password" retrieval. The user gets an email with a link to create a password, and from then on they can use that to login instead of Facebook. Groupon is actually one site out there that is already subtly doing just this using their existing "forgot password" function, but it certainly isn't obvious. As time goes on, users are going to become more and aware of how much they're relying on Facebook for authentication, and eventually they're going to want out. It's up to us as developers to give them by providing that "out".
Of course, Facebook may have already worked this out. Now they want you to use Facebook for your email as well...can you see where I'm going with this?
We're building the Death Star, make no mistake. And every time a user signs up using Facebook Connect another Ewok dies. Do you want that on your conscience? We have an obligation to ensure that there are as many exposed shield generators and poorly positioned ventilations shafts as possible. Only by creating weaknesses in the Death Star as we assist in its construction can we ensure that some whiney kid in an X-Wing can destroy it when the world finally realises what we've built. As developers, it's our responsibility to make sure we don't contribute to the yet to be coined "Facebook lock-in". We must provide our users not only a means to use our applications without Facebook, but also a means to use our application should they have already stopped using Facebook. By perpetuating the need for Facebook logins in our applications, we perpetuate the security risk that Facebook Connect presents to our already over-connected users.
