JS-Kit Comments Pushes Limits of Facebook's Terms of Service

Right after I posted about the new Facebook Connect feature for Disqus, Chris Saad sent me an instant message about their implementation of Facebook Connect. With JS-Kit comments, you only need to log in once via Facebook Connect and you stay logged in on any site you go to. It’s technically feasible to do this, but it clearly violates Facebook’s terms of service. With new services launching every day, Facebook is going to need to clearly articulate what policy they have on widgets implementing Connect services.

Does each site need to create an application? Currently the JS-Kit comments service doesn’t require users to log in more than once. This is the first instance I’ve seen of this type of implementation. If Facebook is going to have an open-door policy, they should open it up completely. I’m for Connect being completely open and people choosing what tools to implement on their site, but there could quickly be some serious privacy issues.

If a user has granted a widget access to their information, that widget should have access to the user’s information no matter what site they visit. In other words, once you’re logged in, you’re logged in. Facebook hasn’t communicated that to developers though and in fact they have gone so far as to make the following statement:

“When a user connects with a website, they should be establishing a relationship with that site. If you are a 4th-party plugin or widget developer, then you should enable that direct relationship. A user does not establish a relationship with a 4th party widget.”

While that may be the case, it is technically feasible to make widgets that go against this policy. This puts Facebook in a police role, and being in that position could become extremely expensive very quickly. Right now the company doesn’t even have enough resources to monitor applications that are on their platform, so how on earth will they be able to monitor each implementation of Connect on other sites?

Like I said, I’m all for the open web, but Facebook has been pretty clear that they don’t want it completely open yet. That’s why they took the time to publish their fourth-party code policies. If Facebook decides to drop these policies, then there will be a revolution on the web overnight. The movement has begun, but so far no company has had the guts to completely open up. Facebook could lead the charge, and I hope they do, but for now I just don’t see it happening.

So which way should widget developers implement Connect? Is it on a site by site basis or is it “Connect once, run anywhere”?