Google begs devs not to password scrape in Buzz gold rush

Search and email – and maps and web apps – giant Google is kindly informing developers eager to create web applications and web sites that interface with its Buzz service that they had better stop taking shortcuts like password scraping and await the official Buzz API release.

While everyone and their mothers are focused on Google’s latest round of changes to its Buzz web service to please the privacy zealots, the GoogleMind has quietly but also kindly requested on developer groups that at least one developer take down his web site, which was developed in the first days after Buzz became available. The problem is that it asked users to enter their Google account log-in information.

This was spotted during informative and enlightening informal chats on the public “Buzz API” developers mailing list (or, as Gurgle prefers to call them, a “Google Group”). First, a developer identified as Cory Boatright created a PHP script that would update a user’s Buzz status by using the email-to-Buzz feature of the service. But to do that, the email-to-Buzz message needs to be sent from the user’s Gmail account.

Google’s DeWitt Clinton kindly reminded everyone on that list to please not do this. In his words: “This may be fine for personal use, and I realize that people are just making the most out of what is available today, but I want to plead with people _not_ to build apps, however tempting it may be, that depend on asking third party users for their gmail user name and password. That’s not a sustainable approach, and it will never be officially sanctioned for Buzz – quite the opposite, in fact.”

A day later, a developer identified as “Shan” announced to the mailing list that he built a web site allowing for simultaneous Twitter and Buzz updates, named, and asking for feedback. DeWitt repeated his kind plea not to do such things: “I’d like to ask that you take it down until we launch the Buzz API. We discourage users from entering their Google user name and passwords outside Google. I realize that this inconveniences you, and is in no way meant to disparage your hard work, but I think it is important that we all strive to set a good example against the very real risk posed by phishing sites.” The developer has apparently changed his code so that it no longer asks for the user’s password, and was given the green light to keep promoting it.

Clinton promised that full read/write APIs for Buzz were coming: “AtomPub + OAuth based APIs are coming, I promise,” he said, adding that he’d prefer to “see fewer updates posted to Buzz in the short term than see a further proliferation of the password anti-pattern.” He concluded his warning to developers not to use “password scraping” by saying: “Google’s terms could prohibit password scraping, putting legitimate app authors in a situation they didn’t intend to be in. I’m just suggesting that for people who were considering asking for third party passwords as a work-around, please don’t do that, as it won’t ever be sanctioned.”
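What the promised OAuth approach buys over the password anti-pattern, as an added example (not code from Google, the mailing list or the original article): the app signs each request with a token the user can revoke, and the account password never reaches it. It assumes OAuth 1.0a HMAC-SHA1 signing per RFC 5849; the endpoint, keys, tokens and function names are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Every name, secret and URL below is constructed for illustration.
CONSUMER_SECRET = "app-secret-constructed"                  # identifies the app, not the user
APP_TOKEN = ("tok-constructed", "tok-secret-constructed")   # what the app stores per user
TOKENS = dict([APP_TOKEN])                                  # provider side: token -> secret
URL = "https://api.example.test/buzz/update"                # hypothetical endpoint

def pct(s):
    """Percent-encode everything except RFC 3986 unreserved characters."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & encoded URL & encoded sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed_post(status):
    """What the third-party app sends: a token and a signature, never a password."""
    params = {"status": status, "oauth_token": APP_TOKEN[0],
              "oauth_consumer_key": "app-constructed",
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_nonce": "n-0001", "oauth_timestamp": "1266000000"}  # fixed for the demo
    return params, sign("POST", URL, params, CONSUMER_SECRET, APP_TOKEN[1])

def provider_accepts(method, url, params, signature):
    """Provider-side check; nonce/timestamp replay tracking is omitted here."""
    token_secret = TOKENS.get(params.get("oauth_token"))
    if token_secret is None:            # unknown or revoked token
        return False
    expected = sign(method, url, params, CONSUMER_SECRET, token_secret)
    return hmac.compare_digest(expected, signature)

def revoke(token):
    """The user withdraws one app's access; the account password is untouched."""
    TOKENS.pop(token, None)

if __name__ == "__main__":
    params, sig = signed_post("hello from a third-party app")
    print(provider_accepts("POST", URL, params, sig))                        # valid request
    print(provider_accepts("POST", URL, dict(params, status="spam"), sig))   # tampered body
    revoke(APP_TOKEN[0])
    print(provider_accepts("POST", URL, params, sig))                        # after revocation
```

A scraped password, by contrast, grants the whole account and can only be withdrawn by changing it for every app at once.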

Pubsubhubhubhubbubbbub, a salmon, and a finger, explained.

Eric Mill is one of the open-standards faithful who is already drooling about Buzz and the underlying new protocols that it brings. Besides warning this scribbler not to drift onto “the wrong side of history” for requesting, well, free will for developers to do whatever they want (mimic a web browser, supply web site log-in data and do screen scraping in their apps, if that’s what’s needed to do the job), Eric supplies in his personal blog a list of marvels Buzz brings under the hood: Pubsubhubbub (“PuSH”), Salmon, Webfinger, and OAuth. “What?” we hear you collectively cry. Yes, that’s what we thought. But fear not, we have a priest on the premises.

Mill says in his blog that OAuth “is starting to take off on its own, largely thanks to Twitter” and that “PuSH, Salmon, and Webfinger represent the future of the web. They are open, decentralized, and contain all the lessons we as an Internet have learned over the past 10 years.” Whoa. This scribbler is excited too, while holding a large bag of salt and planning some evil screen scraping.

Mill describes Pubsubhubbub as a way to notify your subscribers every time you post something on the web, “unlike RSS where subscribers have to keep checking. PuSH makes things travel around the Internet instantly, and flips a fundamental assumption about the Web – that you post something and then wait for people to discover it – on its head.” Now where did we hear that before? Information traveling to you instead of you having to go looking for information? Oh yes… Microsoft’s amazing Active Desktop nearly 15 years ago, which would make browsing for information obsolete. But, we reckon, counting Pointcast, “third time’s a charm” and perhaps it will work better for this brave new “social media” web.

Buzz API coming really soon now
This scribbler noticed some excitement along with anxiety among the developer crowd on Google’s Buzz API mailing list, with many of them asking “dad, are we there yet?”, and also asking about Google’s plans and openness. Google’s DeWitt Clinton reassured them, saying: “Doing this out in the open is absolutely the plan” and that the opening of the Buzz API mailing list in advance of the actual API release was a step in that direction. “Taking a look at the Activity Streams, AtomPub, and OAuth docs in particular will give people a good road map for the near-term read/write API. Also, Portable Contacts, WebFinger, etc.” he concluded.

So it’s all really easy when you read the APIs and the new APIs of the week. If you thought web programming was all about supplying a user name and a password, storing a session cookie, and carrying on with the heavy lifting work, you’re wrong… and you’re also oh-so-1990s… plus, you’re likely on the wrong side of history. So move over and start learning the new Buzz APIs… there’s plenty of new fish species to learn in this brave new world of SaaS apps. ☼