Mostly consuming content on my phone or iPad, I hate typing. Yet a lot of websites ask me to sign in to access content or participate in discussions. Several years ago, I would click on these social login buttons without hesitation.
But since working with sensitive data with a strict security requirement in my last jobs at Workwell and Fitle and, most importantly, after watching the Snowden movie, I became more and more concerned with my privacy. And these facts started to bother me:
- Behind the scenes, the asking website receives my information, usually email and name, when I click on the “Sign in with Facebook/Google/…” button. My personal email is therefore given a little bit too easily. And have you received sophisticated, personalized phishing emails recently? Me too. How do these websites get my email address? I don’t know, as I can’t remember the number of websites on which I clicked on these social buttons…
- As a tech person, I know the best solution (so far) is to go through the classic sign-up process by creating a random email using disposable, temporary email services like https://10minutemail.net, https://temp-mail.org/en/, etc. But what if the website wants to contact me in the future? As these emails disappear after a short time (~10 minutes), I cannot reset my password or receive important notifications from the website anymore. And do not forget that when signing up, the password needs to be random because reusing the same password is bad; this is where LastPass, Dashlane or some password generator services come into play. So many steps to go through …
- Do you know that your data is actually sold between websites by the so-called “data brokers”, a $200 billion industry? To match users between different datasets, a common denominator is needed and email is one of the best matching criteria: two different users from Forum A and a game app B with the same email are likely the same person. “I’ve got nothing to hide,” you said. Yeah, that’s what I thought before too 😎
- (Only related to Facebook) A website with a Facebook button implemented using their official SDK will have their “iframe” injected (a similar technique to the “tracking pixel” used in advertising), allowing Facebook to know every time I go to a website. The fact that Facebook has almost my complete navigation history bothers me, as Facebook already has so much data about me. This “iframe” is actually well hidden in their SDK and it took me some reverse-engineering to find it inside their script code …
I started asking myself the question “what if we could have the best of both worlds?”, i.e. have the seamless experience from the social login button and have our private information protected? What if the alternative solution could send anonymised information to the website instead of our identifiable information? This solution will act as a “shield” to protect our identities and at the same time, keep a smooth experience for users.
I started to work on what the first, MVP version of this solution would look like and ended up with the following goals:
- The new solution would work in the same way as the Facebook/Google/… login button: just a button that, when a user clicks on it, asks this user for permission to share their data with a specific website. Nice to have: the button needs to be easily integrated by developers.
- It would generate a random email alias to send to the website instead of the user's original email. Next versions can include protection for user name, phone number, IP address, etc.
The first goal is actually quite straightforward if it is based on the OAuth2/OpenID standard, a domain that I know pretty well after working with big companies (and their strange requirements on security 😉). The second was, however, unknown land to me, at least several months ago. I started reading anything available about email aliases, a key technology to enable unlimited email addresses. And along the way, I also discovered some nasty practices used by big email providers (Gmail, Outlook) that will be the subject of another post 🙂.
And that’s the story of how SimpleLogin was born.
More stories to come, stay tuned.
A word of advertising: if you think SimpleLogin is working on a fight that’s worth fighting, please spread the word about SimpleLogin. This can be by following us on Twitter at simple_login, by word-of-mouth, etc. I would really appreciate it 🙏.