Mark Zuckerberg's Hearing at the Congress Live Stream

5 years ago from T. F., UI Designer

  • Darrell Hanley, 5 years ago

    Well, with the Cambridge Analytica controversy, the issue was that your friends could give permission to share your data rather than you being able to do that. That particular issue has been resolved, but there's lots of sneaky data practices and UI practices that Facebook engages in that could bring regulatory clout. For example, up until recently you could search Facebook by phone number or email address for people. This data was given to Facebook without the expectation it would be made public, yet that's how it worked in regards to search, allowing it to be exploited by scammers.

    Instagram also has some dark UI practices on account creation where it prompts for your contacts and greatly diminishes the option of signing up without giving up data.

    Even if the US doesn't institute new regulations on Facebook, I think this is an inflection point for data privacy in regards to permissions-based APIs, ad tech, and for the design used to obtain such information. I think informed politicians in the EU could call for privacy-supporting options to be given equal graphical hierarchy to permissive data-sharing options, and that we should expect to need to overhaul what an OAuth permission screen looks like with greater explanations of what each individual permission does and why a developer may want access to it, as well as, hopefully, the ability to conditionally provide requested OAuth permissions much like how one can do on iOS.

    Case in point. I have a hobby project for Spotify called Dubolt. Spotify requires, for whatever reason, that I request a user's email and date of birth if I want to use their Web Playback SDK. I personally don't do anything with that data and for me it's an unnecessary tag-along, but you could imagine a scenario where I was storing that data anyway for whatever reason. What I would like to see from a user's point of view would be for my user to be able to give me the permissions that I need for basic functionality to work on my app, like the ability to create playlists, but withhold more sensitive data if they don't want to give it to me, and then I can enable and disable features of my web app depending on the returned approved scopes. You have to design like this now for iOS, but you can't for the web since OAuth is all or nothing.

    1 point
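
The feature gating described in the comment above, as an added example that is not part of the original post or of Dubolt's code: it reads the space-delimited `scope` field of an OAuth 2.0 token response (RFC 6749, section 5.1) and enables only the features whose scopes were all granted. The scope names, the feature map and the sample responses are assumptions constructed for illustration.

```javascript
// Scopes the client asked for (assumed names, for illustration only).
const REQUESTED = ['playlist-modify-private', 'streaming', 'user-read-email', 'user-read-private'];

// Hypothetical feature map: each feature lists every scope it needs.
const FEATURES = {
  createPlaylists: ['playlist-modify-private'],
  inBrowserPlayback: ['streaming', 'user-read-email', 'user-read-private'],
  emailDigest: ['user-read-email'],
};

// RFC 6749 section 5.1: `scope` is a space-delimited string, and it may be
// omitted only when the granted scope is identical to the requested one.
function grantedScopes(tokenResponse, requested = REQUESTED) {
  if (typeof tokenResponse.scope !== 'string') return new Set(requested);
  return new Set(tokenResponse.scope.split(' ').filter(Boolean));
}

// Decide per feature from what was granted, never from what was requested.
function enabledFeatures(tokenResponse, requested = REQUESTED, features = FEATURES) {
  const granted = grantedScopes(tokenResponse, requested);
  const result = {};
  for (const [name, needed] of Object.entries(features)) {
    const missing = needed.filter((s) => !granted.has(s));
    result[name] = { enabled: missing.length === 0, missing };
  }
  return result;
}

// Scopes granted beyond the request are worth logging: the token can reach
// data the app never asked to handle.
function unexpectedScopes(tokenResponse, requested = REQUESTED) {
  const asked = new Set(requested);
  return [...grantedScopes(tokenResponse, requested)].filter((s) => !asked.has(s));
}

// Constructed sample: the user approved playlist access only.
const partialGrant = {
  access_token: 'example-token',
  token_type: 'Bearer',
  scope: 'playlist-modify-private',
};
console.log(enabledFeatures(partialGrant));
```
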