It’s one of Facebook’s most significant changes to the Facebook Platform since it first launched almost three years ago: developer access to user emails. It’s a major milestone in Facebook’s continued opening of the platform. This latest step, schedule to take place next Wednesday, January 20, is a technique adapted from the OpenID authentication protocol. While developers are anticipating access to user emails for obvious reasons, some developers are concerned about what the impact will be.

User Protections

In preparation for the transition, Facebook has highlighted complete details of how this will function for developers. Most significant are the numerous safe guards Facebook has put into place
to avoid abuse by third-party developers.

Email Domain Setting

The first protection Facebook is putting into place is the creation of a email domain setting, from which developers will have to specify the domain which emails will be coming from.
As Facebook states, “This is to safeguard against users’ email addresses being sold to third parties.” While Facebook doesn’t specify how they will ensure emails won’t be sold, the assumption is that among those developers who are suspected of abusing the system, Facebook will investigate and based on their findings they will shut down those developers who are in violation. Whether or not this layer of protection will be sufficient for protecting users is unknown.

User Education

The other step Facebook is taking to protect users is education about the new functionality. When users visit an application that request access to their email address, they will see a dialog (pictured below) at the top of every application canvas page which promotes the new feature. According to Facebook:
We will display these dialogs to all canvas application users — on every application they visit — for their next three sessions with each application. We’ll leave these dialogs up for three months after we launch email functionality, so that a user will see the prompt any time they visit your application during this period.



Proxied Email Addresses

In addition to educating users about the removal of notification and the sharing of email addresses, users will have the option to use a proxied email address if they wish to in order to completely protect against spam. This is an optional setting which Facebook decided to implement after extensive testing. As Facebook states, “In our tests we found that users strongly prefer having the option to share an anonymous email address.”
Additionally, if Facebook determines that an application is abusing the email settings, Facebook will set the user’s email address to the proxied version by default. This will be based on an automated algorithm, meant to detect abuse.



User Experience

While most of the user experience has been shown in the pictures above, we thought it would be useful to clarify the process which users go through when granting an application access to their emails. One thing to keep in mind is that applications can require users to grant access to their email. Alternatively, developers can make email access optional as it is at their own discretion. Developers should probably perform a fair amount of A/B testing going on as this new feature is rolled out to determine what the most effective balance is.
If you choose to request email permissions, the user will be prompted with the dialog below. Following their approval, users will continue to see the dialog pictured above, notifying them that they are sharing their email address with the developer of the application.



Email Address Disclosure Results Are Unknown

So what will the impact of the new email address permissions result in? Ultimately the change will be almost unnoticeable in the short-term as applications will function almost identically to how they previous did. Within 30 days of the launch of email permissions though, applications notifications will be deprecated. While abuse is possible, Facebook believes that the three primary protections put in place will be sufficient.
I can only imagine the future articles about applications which are set up for the purpose of collecting emails, however this is a transition that needs to be made. Facebook believes that the gradual opening of their platform presents a competitive advantage and will ultimately establish the company as the leading online identity provider. This is truly a huge milestone in the world of online identity and authentication but we’ll have to wait and see what the impact is.