So, some sites have gone two ways, allowing OpenID, but also a proprietary registration system. This too, is problematic. It would seem that given a choice, the John Doe the Plumber style user will choose a proprietary account over the confusing user experience presented to them through OpenID.

But the annoyance doesn’t just lie with account registration for web applications. Typing your personal information on every blog you comment at is also repetitive and unnecessary. Some sites even require account registration for something so minor and transient as a blog comment.

Unfortunately, for the time being, it looks like registration forms are here to stay. So, what can we do to make those registration forms more usable, more efficient, and ultimately downright friendly? I know that you’re ahead of me on this one: Let’s auto-complete information for the user.

Please keep in mind that this power can be used for both good and evil. Essentially what we’re discussing here is data mining available information from various social networking sites on the internet, trying to glean personal information about an end user that has volunteered a piece of their data already. What can we get from what we already have?

Once a user has typed in their e-mail address, we can:

• Retrieve Twitter profile information (example shown on Chris Heilmann’s blog):
  • Full Name
  • Short Personal Description
  • Location
  • Web site URL
  • Time Zone
  • Favorite Colors (used on their profile)
• Retrieve an avatar if they’ve registered for the Gravatar web service (See my earlier post discussing this).
• Get their upcoming calendar events from a public Google Calendar. (Perhaps not as useful for autocompleting forms, but interesting)
• Find their UID on Flickr, which gives you a source for:
  • Full Name
  • Location
  • Flickr Avatar

If you know any of their social networking usernames, you can:

• find their MyBlogLog profile, if they’ve linked the service to their account (Sample query, I added my twitter). Now we have:
  • MyBlogLog Screen Name and ID, from which you get their MyBlogLog profile:
    • Nickname
    • Picture
    • Age
    • Sex
    • Location
    • A list of tags they use to describe themselves.
  • MyBlogLog Avatar

Those are only some of the proof of concept API’s that I’ve listed here. The interesting piece of this, is that once you have a small piece of information, it opens up the door to other searches.

One can only imagine how many leaves are in this tree. For example:

• Facebook’s Users.getInfo (in JavaScript)
• Yahoo’s Social Tools, get an end user’s GUID and go to town on their profile.
• Google Contacts, I didn’t even start to look through their API’s.

Before you start jumping the privacy fence to a self induced heart attack, remember that all this information has been volunteered by each individual participating in each of these services. Remember, with great power comes great responsibility.

What do you think? Scary or useful?

Obviously there are some accessibility issues with Captcha images, in that they are useless to those that are vision impaired. Some sites provide an alternate link to an audio file that speaks a random word that you must then enter into the form.

One of the easiest ways to implement a Captcha on your site is to use the reCAPTCHA plugin. But that’s not what I’m going to talk about here. What I want to talk about is these new methods being introduced.

The first that was recently linked was a method that involved drag and drop to authenticate the user. Obviously this method is flawed, especially if the automated robot has access to fire JavaScript events. It does nothing but introduce a different door that the spammer may not have seen before. When this method gains any sort of popularity, or if a spammer decides to attack the site implementing this method specifically, it would not be difficult to bypass the Captcha. This is referred to in the computer world as “Security through Obscurity“. This is not good practice.

The next post I read was regarding an implementation that presented the user with 8 boxes, with one of those boxes colored differently with an invitation to find and click on the differently colored box. The was implemented by Passpack (a password hosting service — should be focused on security, right?). Correctly me if I’m wrong, but how is this difficult for the Spammer at all? The whole point of a Captcha is to distort the text inside the image so much that the image can’t be read by an Optical Character Recognition (OCR) program. Basically, they’ve simplified it down to a one pixel image, which is an infinitely easier optical recognition problem. You don’t even have to recognize characters, you can just see if the pixel is a 1 or a 0. Forgive me for asking, but is that problem NP complete?

I am all for having more friendly humane methods of Spam Bot detection. Just be wary of the methods you’re using. Are they actually secure, or are they just obscure?