obfuscurity.
hidden in plain sight

By now you've heard the adage "You're not Facebook's customer, you're the product". This is a readily accepted dirty secret of social media. In fact, the practice of selling user data for advertising precedes the origins of the Internet itself. And yet, how many of us never give a second thought to granting third-party access to our private social data via OAuth logins on Facebook, Twitter and Google?

I've complained incessantly about abuses of these authentication services. On one hand you have rudimentary, coarse-grained access levels from the authentication providers. On the other you have lazy (or ill-informed) developers configuring their application to demand more rights than it actually needs to fulfill its service contract with the user. Fortunately the OAuth dialogs are mostly transparent about the privileges you're granting the application provider. Yet many users disregard this notice in exchange for the instant gratification of a popular new social media-powered toy.

Let's assume for a moment that the third-party app you just granted access to your private data is trustworthy. What happens in six months when that app continues to skyrocket in popularity and gets bought out by Evil Data Acquisition Conglomerate, Inc.? Your data just became their data. Which also happens to be sold out to advertisers and information brokers; or to anyone who wants to scrutinize your personal behavior, contacts, buying patterns, friends and family, education, political connections or employment history.

Think about this the next time you're signing up for a new photo-sharing app with sepia filters.