[fr] Il est maintenant possible d'importer des contacts depuis GMail (ou Hotmail) sans devoir divulguer son mot de passe, aussi bien chez Flickr que chez Dopplr. Génial!
A few days ago, I saw this tweet by Matt Biddulph soar by:
Impressed by passwordless import at http://www.flickr.com/impor… – does anyone know if that’s a public yahoo API they use? want!
I immediately went to investigate. You see, I have an interest in social network portability (also called “make holes in my buckets”) — I gave a talk on SPSNs from a user point of view at WebCamp SNP in Cork recently — and I am also concerned that in many cases, implementations in that direction make generous use of the password anti-pattern (ie, asking people for the password to their e-mail). It’s high time for design to encourage responsible behaviour instead. As the discussion at WebCamp shows, we all agree that solutions need to be found.
So, what Matt said sounded sweet, but I had to check for myself. (Oh, and Matt builds Dopplr, in case you weren’t sure who he was.) Let me share with you what I saw. It was nice.
Go to the Flickr contact import page if you want to follow live. First, I clicked on the GMail icon and got this message.
I clicked OK.
This is a GMail page (note the logged in information upper right), asking me if Flickr can access my Google Contacts, just this one time. I say “yes, sure”.
Flickr goes through my GMail contacts, and presents me with a list:
There is of course an “add all” option (don’t use it unless you have very few contacts), and as you can see, next to each contact there is a little drop down which I can use to add them.
When I’m done adding them, Flickr asks me if I want to send e-mail invites — which I don’t.
Neat, isn’t it?
Well, the best news about this is that Flickr isn’t alone. Dopplr (remember Matt?) does the same thing — and also for Windows Live Hotmail now.
Note and question mark: I just saw Dopplr announced GMail password-free import back in March, before Matt’s tweet. Did Dopplr do it before Flickr? Then, what was the tweet about? Thoroughly chronologically confused. Anyway, passwordless import of GMail contacts rocks. Thanks, guys.
Update: Thanks for the chronology, Matt (see his comment below). So basically, Matt’s tweet was about the fact that though GMail and Hotmail allows services like Dopplr and Flickr to access contacts without requiring a password, Yahoo doesn’t. Flickr does it from your Yahoo account because they have special access. So, Yahoo, when do we get a public API for that?
The chronology is:
5 March, Google publishes password-free API: http://googledataapis.blogspot.com/2008/03/3-2-1-contact-api-has-landed.html
18 March, Dopplr release Gmail support: http://blog.dopplr.com/2008/03/18/easier-gmail-contact-import-without-passwords/
31 March, Flickr release Gmail/Hotmail/Yahoo support: http://blog.flickr.net/en/2008/03/31/find-your-friends/
7 April, Dopplr release Hotmail support: http://blog.dopplr.com/2008/04/07/import-your-contacts-from-windows-live-hotmail/
and we’re still waiting for Yahoo to release a public API so that we can do the same for them.
Fonctionnalité sympathique, en effet, mais y a t-il vraiment une différence à divulguer son mot de passe pour établir une synchronisation, et autoriser un accès sans mot de passe ?
Au niveau sécurité, il n’y a pas de gain, globalement. C’est par contre plus élégant et plus facile pour l’utilisateur. Mais, dans une solution comme dans l’autre, on ouvre une porte.
Bien sûr il y a une différence. D'abord, tu n'enseignes pas aux gens que donner leur mot de passe à des tiers est une pratique acceptable. Ensuite, au lieu de donner un accès total (= le tiers a tous mes droits), l'API te permet de donner un accès limité (juste le carnet d'adresses, par exemple).
Là est le problème, je pense : L”utilisateur lambda pense que puisqu’il ne donne pas son user et password, il ne donne pas accès à ses données, alors qu’il le fait pourtant en autorisant un accès via un API. C’est une donne qu’il va falloir intégrer aux enseignements et sensibilisations 😉
Sinon, en effet, quand tu donnes user/password, tu fais confiance au tiers “collecteur” pour qu’il utilise cet accès uniquement aux fins auxquelles tu l’a autorisé, alors que quand tu autorises un accès API, tu fais confiance au tiers “fournisseur” pour qu’il ne fournisse que les données auxquelles tu t’attends. Le risque est différent, mais pas forcément minimisé.
Matt’s being modest there- he had Google Contacts import support running within hours of it being announced, and had 2 good bug reports for it. Then, when the bugs were fixed the next day he again got it working within hours. very impressive.
L”utilisateur lambda pense que puisqu’il ne donne pas son user et password, il ne donne pas accès à ses données, alors qu’il le fait pourtant en autorisant un accès via un API. C’est une donne qu’il va falloir intégrer aux
Good post, thanks for the info and screenshots. I’m implementing this on Publr.