After a successful return to WordPress.com from WordPress Multisite, I began rooting around the Settings and Tools and Appearance areas for my WordPress.com account to discover any new joys that were added during my inattention.
I found I could now add my “Google Profile” as a “verified” external service via Gravatar. I clicked to continue to complete the verification process for my “Public Profile.”
I was then presented with this popup window at Google that asked me to grant Gravatar permission to access my Google Apps account. Of course, I granted access so Gravatar could confirm I owned the Google Profile I wanted linked to my account.
After I clicked “Continue” things became a little strange and concerning.
Google, not Gravatar, was asking me if I really wanted to give Gravatar access to my Google Contacts. Huh? What? Why? No, I only wanted Gravatar to confirm I owned the account, not to slurp all 12,000 contacts from my Google Apps account.
In my mind, I was immediately transported back to February of this year and the iOS auto-address book upload debacle that pinned Path and other companies:
Path has moved quickly to try and quell the backlash stemming from the social networking app’s practice of uploading users’ address books to the company’s servers. CEO Dave Morin just posted a lengthy apology on Path’s blog, saying “we are deeply sorry if you were uncomfortable with how our application used your phone contacts.” The company has also just released an update to the iOS app that allows users to opt in or out of sharing their address book with Path’s servers.
I’m so glad Google had my back to protect my privacy. If Gravatar wanted my Contacts, why didn’t the service directly ask me before taking me to my Google account for verification? I understand some companies believe it is better to ask for forgiveness later than to ask for permission now — but my Contacts belong to me, and not to any online service, including Google!
I clicked the “Deny Access” button.
I was taken to a Gravatar page that told me my “Verification failed” — when in reality what failed was Gravatar’s grab for my Google Contacts.
I really hope Gravatar will remove the requirement for our Contacts when verifying a Google Profile. If Gravatar must have our address book in the exchange, then Gravatar should warn of that requirement right there on the page where you can add external services at WordPress.com so no time will be wasted in the failed effort.