Coffeehouse Thread

10 posts

Does Live 3rd party sign-in leak information without being upfront with you about it?

Back to Forum: Coffeehouse
  • androidi

    I was trying to post a comment on this review, without registering a new account since they offer options to sign in with existing account.

    http://www.huffingtonpost.com/frank-schaeffer/the-debacle-that-is-the-m_b_2360368.html

    So I tried the various options for signing up with existing account and:

    If you sign in with:

    Google, you give away "Google Contacts access", and it's not stated if this access is given on a permanent basis.

    Hotmail/Live/AOL, you apparently don't give any access, but reading through the Live URL suggests that you do, since it contains stuff like "%2Fauthorize%3Fscope%3Dwl.basic%252Cwl.contacts_emails%252Cwl.offline_access" but the Live sign-in doesn't say what that entails atleast at the point where you enter your Live password.

    Twitter- "This application will be able to:

    • Read Tweets from your timeline.
    • See who you follow, and follow new people.
    • Update your profile.
    • Post Tweets for you."

    Again, it must be assumed Huffington Post wants access to do all of that in your name in Twitter for as long as they want. If it doesn't mean that, it should be worded otherwise.

    Yahoo- "Allow sharing of your Yahoo! profile and connections info with The Huffington Post."

     

    Clearly, the pattern is that some of these say what they will give access to, Live doesn't say, unless you read the URL and make your own conclusions, but that's not very convenient.

    I would like if C9 could contact Hotmail/Live executives for comment on how they plan to improve the disclosure policies. (no point asking WHEN since we all know it takes Microsoft atleast 2+ years to implement the most trivial of changes in any product)

  • blowdart

    So I just tried to register for a new account, with a LiveID and got this screen.

     

    Which is what I expected, as its using Oauth. There's your disclosure.

  • Craig_​Matthews

    I suspect soon we won't be able to post a single thing anywhere on the Internet without giving up the email addresses, pictures, and phone numbers of all of our friends, business associates, and mistresses.

  • GoddersUK

    I'd be interested to know how them asking for your contacts' email addresses sits with data protection legislation.

    a) Is it legal for me to give their contact details away without their permission (does the legislation apply to private individuals or not)?

    b) (Depending on jurisdiction) they're not allowed to hold, use, disseminate or otherwise do anything with those email addresses without the permission of the account owners, which they don't have. So on what legal basis are they asking for it and can I sue them?

    (Huffington Post UK has a registered address of 

    Shropshire House
    11-20 Capper Street
    London
    WC1E 6JA
    United Kingdom

    which would presumably give UK courts jurisdiction over their UK site?)

  • evildictait​or

    , GoddersUK wrote

    a) Is it legal for me to give their contact details away without their permission (does the legislation apply to private individuals or not)?

    http://www.legislation.gov.uk/ukpga/1998/29/section/36

    Personal data processed by an individual only for the purposes of that individual's personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III.

    b) (Depending on jurisdiction) they're not allowed to hold, use, disseminate or otherwise do anything with those email addresses without the permission of the account owners, which they don't have. So on what legal basis are they asking for it and can I sue them?

    They are holding the data based on your express consent for them to hold the data (hence the requirement for you to press "YES").

    Even if the HP were to be holding your data illegally, it is rare for you to be able to extract civil penalties. Normally this is because they are holding data against you that is held illegally (e.g. was hacked), is inaccurate or being used for defamatory purposes (e.g. your photo is being used to advertise adult services).

    In all cases, you will need to contact the Information Commissioner's Office who is able to determine if the act has been breached and can bring action on your behalf if you feel you have been wronged (http://www.ico.gov.uk/Global/faqs.aspx#fF900A848-3AB1-41EA-8ED5-5C3BBBD66D3B).

    As always, this is not legal advice. For details relating to your particular situation, consult an attorney.

  • GoddersUK

    , evildictait​or wrote

    They are holding the data based on your express consent for them to hold the data (hence the requirement for you to press "YES").

    Even if the HP were to be holding your data illegally, it is rare for you to be able to extract civil penalties. Normally this is because they are holding data against you that is held illegally (e.g. was hacked), is inaccurate or being used for defamatory purposes (e.g. your photo is being used to advertise adult services).

    In all cases, you will need to contact the Information Commissioner's Office who is able to determine if the act has been breached and can bring action on your behalf if you feel you have been wronged (http://www.ico.gov.uk/Global/faqs.aspx#fF900A848-3AB1-41EA-8ED5-5C3BBBD66D3B)">http://www.ico.gov.uk/Global/faqs.aspx#fF900A848-3AB1-41EA-8ED5-5C3BBBD66D3B).

    As always, this is not legal advice. For details relating to your particular situation, consult an attorney.

    They don't have MY permission to hold MY data if YOU submit it, which is what's happening here:

    Windows Live wrote:

    The Huffington Post will have access to your and your contacts' email addresses.

     

    EDIT: Emphasis

  • Craig_​Matthews

    This is why the social web is a mess. To be honest, I haven't read, for example, Facebook's use agreement, so far all I know, in my ignorance, I probably gave permission to some far off porn site to use my picture because some friend of a friend of a friend on Facebook posted a comment on a porn site somewhere.

  • evildictait​or

    , Craig_​Matthews wrote

    This is why the social web is a mess. To be honest, I haven't read, for example, Facebook's use agreement, so far all I know, in my ignorance, I probably gave permission to some far off porn site to use my picture because some friend of a friend of a friend on Facebook posted a comment on a porn site somewhere.

    You can retrospectively retract your consent at any time. If a porn site starts using your picture, you can serve them with a notice notifying them that your permission has been revoked. If they then continue to use it, you can seek civil or criminal redress through the courts (depending on your / their jurisdiction).

  • Craig_​Matthews

    , evildictait​or wrote

    *snip*

    You can retrospectively retract your consent at any time. If a porn site starts using your picture, you can serve them with a notice notifying them that your permission has been revoked. If they then continue to use it, you can seek civil or criminal redress through the courts (depending on your / their jurisdiction).

    Well, in that case .. I better start hitting some of these porn sites for "research" to make sure I'm not showing up anywhere. I better check every pic. I have a responsibility, after all Big Smile

     

  • GoddersUK

    , GoddersUK wrote

    I'd be interested to know how them asking for your contacts' email addresses sits with data protection legislation.

    a) Is it legal for me to give their contact details away without their permission (does the legislation apply to private individuals or not)?

    b) (Depending on jurisdiction) they're not allowed to hold, use, disseminate or otherwise do anything with those email addresses without the permission of the account owners, which they don't have. So on what legal basis are they asking for it and can I sue them?

    (Huffington Post UK has a registered address of 

    Shropshire House
    11-20 Capper Street
    London
    WC1E 6JA
    United Kingdom

    which would presumably give UK courts jurisdiction over their UK site?)

    Turns out it's not that legal (in Canada and the Netherlands, anyway):

    http://www.wpcentral.com/whatsapp-found-breach-dutch-and-canadian-privacy-laws

Comments closed

Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums, or Contact Us and let us know.