I have been wondering that for a while; why isn't there a conditional permissions system that you can choose what gets shared or not. It wouldn't be that hard for app developers to sanity check for what is available or not, and tell the user if it is an issue.

The all of nothing mentality is flawed, much like most of Facebook's decisions it seems. (imo)

It is not flawed by any means - from Facebook POV.

Facebook has refused to provide that option.

They used to provide this option but it actually made the API harder to work with. You could deny or approve one permission at a time and the developer had to handle it (and by handling that really meant always checking for permissions before actions and bugging the user for the permission whenever they tried something that required it). As a developer I prefer the new way, which is also how Android development works. Giving line-item veto to a user is a terrible idea. If they don't like the permissions, don't use the app. It's good for Facebook's api too because now people aren't constantly checking which permissions are available before they do something, probably reducing the stress on the API quite a bit.

Are you serious? A better API would be if it were just a yes or no to send all my information? I couldn't possibly disagree more.

Newflash: I don't give a shit about how hard your job as a programmer is. If you don't like programming take up something else. I care about my security and not having to worry about what effect clicking "OK" is going to have. Plenty of apps ask you things that they don't need to function.

I love being an engineer. You have a chip on your shoulder. I recommend not using Facebook at all given your concerns. I do not maintain a Facebook account myself for anything but development.

I have a chip on my shoulder? I'm speaking as a customer. You're giving me excuses as to why I should compromise my own convenience and security to make your job easier. Why on earth would I care about making your job easier?

Facebook provides value and poor, lazy anti-security undermines that value and puts me in the inconvenient position of thinking of a move [1]. And for what value? So developers don't have to write a switch statement? Seriously?

[1] It's not as simple as "just take your business elsewhere". The only purpose of facebook for me is connecting with friends and family. So going while they all stay is rather pointless. Getting other people, who have a different circle of friends/family, to move with me would be practically impossible.

Interesting, I didn't know that.

> Giving line-item veto to a user is a terrible idea.

Giving the user choice about whether or not they want to give up their personal information is a great idea. Suppose I don't want the app to have my email and phone number. Without finer-grained control, my only option is to say no to the entire app -- so they lose me as a user.

They'll gain more users by reducing options which make things less confusing than they'll lose because they didn't give fine grain control.

Are you sure? Unless I am misremembering, much of the Facebook code I see and write verifies permissions after they are accepted to see what you actually got.

As I remember, permissions on FB used to be exactly this back in the olden days of connect (you'd get a dialogue for each permission with an accept/reject, rather than a batched one). I can see why they removed that implementation because clicking "Allow" 5 times was obnoxious, but it's not exactly impossible for them to put a checkbox next to each one instead.

That's half true. It's all or nothing on first use, but you can revoke any non-required permissions later: http://www.facebook.com/settings/?tab=applications

You can't take back the data tha you already gave to the app, however. Revoking permissions prevents the app from accessing your info in the future, but it's sort of limited once you've already given that data to the app

The app has to warn you as to what is getting sent; you then get to decide if you want the app or not.

In other words, it's not really "all or nothing" as much as "whatever this particular app asks for, or pass on this app."

Exactly. Give this app "all" of the information it is requesting or give "nothing." People want more granular control.

People who read HN, myself included, want more granular control, sure. I don't think most of Facebook's users would care or understand about the granular control -- I think a simple yes/no like Facebook has right now is probably the best option for most users.

I don't have a Facebook account so I may not be the best person to judge, but it seems like whether "most of Facebook's users would care or understand about the granular control" might not be the best basis for making a decision. In fact, I will go ahead and say that I disagree strongly that Facebook should base privacy control decisions on what most users want.

Most users of any service or product won't fully understand every single configuration option available to them. That doesn't mean we should give up on allowing configuration. And using the interface to subtly educate and inform users about their options is a worthy goal. But that doesn't seem to be in Facebook's immediate best interests.

Android also has a similar dialog when downloading/installing new applications that provides "all-or-nothing" control just like this Facebook dialog. I think it's bad there as well.

Unfortunately it doesn't work that way -- users are foolish and will shoot themselves in the foot quite often, all while blaming you. If there were an option to, for example, disallow sharing of X on app Y, users would click it without understanding why. Then, months later, since X isn't shared, feature Z of app Y doesn't work. But the user doesn't understand how this works (messaging in the app might make it better, but not all apps are going to do it right and not all users will understand anyways). Since it's broken, the user will blame Facebook -- Facebook is broken!! Except the silly user did it to themselves.

This has happened. Since most things on the site are an app, Photos is an app. There used to be an option which ultimately disallowed an app to post certain kinds of stories to your stream (I don't recall the details). You could set this option on the Photos app, meaning you would never see any more photo stories in your stream. The option was very buried, so people had to specifically go to Photos and turn on the option... and silly users did this, forgot about it, and then complained that Facebook was broken since they never saw photos stories. Nevermind that it was their own fault. This option has since been removed in one of the Platform permissions revamps recently (IIRC it was simply forced to "off" for all apps, with Photos and similar internal ones special-cased to be forced "on".)

You are arguing against bad design and lazy development, not against allowing users to control their data.

iPhone apps would apparently have this problem. Simple solution? If the app can't do some function because of a user setting it pops up an alert with a button pointing to the place to change the setting.... pretty simple.

If you explain in terms of what it actually means, a large subset of people will and do care. "Huh? Farmville wants my phone number? What the heck for?"

Wow, what a cop-out.

No, they don't. And most likely, you don't want them to have it, either.

As a developer, you are responsible for asking for the information your app requires to function properly. You are required (by the Facebook TOS) to specify what information you will get, and how you will use it.

The user than has to choose if it is worth it or not, for this particular app.

If Facebook offered the users "more granular control" over what would be sent, this would result in apps not knowing in advance what information would be available to them, which would result in a pretty crappy user experience.