There is a clear opportunity for online email providers and social networking sites to limit the damage of phishing and email spam by giving customers tools to regulate the flow of data.

Yesterday, before New York Attorney General Andrew Cuomo suing Tagged.com story broke, I cold emailed a member of the Gmail team:

Gmail could help web security a lot by providing:
1. Authentication (OAuth) to Gmail address book making it clear that you were not providing your Gmail passsword to a 3rd party web site.
2. Default level of access only provided names and salted hashes of email addresses from address book (possibly 3rd party web site part of salt)
3. Allow only a limited number of actual email addresses to be requested in a time period. I’m guessing ~30 would be a sweet spot.

That would seem to be one possible solution. If this is not a good solution, I think it’s important for your team to look to tackle the problem described below in another way.

EXPLANATION

[Background information described in my "Tagged.com Spam? Phishing? Nice Guys? My Personal Story"]

I’ve seen similar UI at othe web services, where everyone in your address book is selected by default. I think there is an awesome opportunity for your team to create an experience that works well for your partners and protects your customers from the type of mistake described above and more importantly from malicious sites.

Some of the problems that I think Gmail and other online email address book and social networking sites should at least take partial ownership by:

• Not allowing 3rd party sites to embed login forms. They should use OAuth or a similar approach. (Even on AppEngine — train us well).
  
• Having a really clear experience about what data you are giving access to (how pissed your friends might be), and a way to provide only limited data.
• Providing salted hashes instead of email addresses, so that a person can find their friends on a 3rd party service without having to hand over the actual email addresses of their friends.

I don’t think I read the Google Chrome Operating System announcement until after I sent that email. When I did read the announcement, I thought about how empowering and freeing it will be for our computing to be in the cloud, but I also thought about problems like this one, and how many scary things can happen when you are no longer hold the container(the harddrive in your PC) for your information and data.  There is a lot of design still to be done to create a safe and friendly experience.