by hipadev23 816 days ago
Because it’s not a reasonable expectation that your private messages would be shared with an advertising partner when you link your account to it, and “give access” is rarely a step that your average user actually reads, much like agreeing to TOS’s upon signup.

And catering to the average user’s expectation is what should dictate policy, not a “technically we have permission” caveat.

2 comments

> would be shared with an advertising partner

In this case Netflix was not an advertising partner. You were signing into Facebook Chat inside the Netflix chat, and participating in Facebook chat messages inside the Netflix app.

You were opting in and using the Netflix app as a Facebook Chat client. It's like being surprised the Pidgin executable could see your Jabber messages.

In the sense that some users may not have realized what they were allowing, that's fair. But that just implies that the permission dialog for this sort of thing should be pretty onerous while being very easy to understand.

There are details that aren't clear here too: Did Netflix request read permissions when you signed in via Facebook? If so, that's shitty and is worthy of condemnation, but the onus falls more on Netflix than Facebook there. You should be able to sign in with Facebook without expecting your DMs to be sent to Netflix. It's still on Facebook, but to a much lesser extent: They should make what's being shared super clear when you sign in with Facebook, and that includes making the sign-in super onerous and scary if it's something like reading DMs, so the user doesn't miss these details. And they should be reviewing third-party apps and what permissions they request, and making sure it's in line with the functionality the app is presenting.

However, if the normal Facebook authentication flow did not grant this permission, and the permission was only granted when the user accessed the "Netflix Chat" or whatever feature which obviously did, in actuality, require the read permission to function, then this isn't that big a deal.