
The Facebook integration with Spotify allowed you to send and receive messages from within Spotify. Could you think of a way to implement this without giving the Spotify client access to those messages?

What's more, users explicitly opted in, giving Spotify permission to do so. [1] No reasonable person would use Spotify to send and receive messages after explicitly granting the client permissions and then claim "but I don't expect Spotify to have access to my private messages".

[1] - https://stackoverflow.com/questions/17561784/django-social-a...




Even if I wanted to use Spotify's messaging client, I'd imagine a layman's expectation would be that Spotify needed access to send and receive its own messages - it's not that obvious it needs to be able to read that email to your boss you wrote three years ago.

Of course as a technician with knowledge of how OAuth and web APIs work, the implication that it really needs access to all messages seems a lot more reasonable - but I don't think this view is necessarily valid in a larger context.

Implementing more fine-grained permissions is absolutely possible. See e.g. Telegram: Even though Telegram bots appear as mostly ordinary users, they by default cannot access the messages of the channels they joined - they can only access commands that users were explicitly sending to them. You need a special permission to have a bot actually be able to access a channel like a human user would.


At various stages of Spotify's life, Facebook login was required to use the service. I'm a long-time user, and I've learned about the messages feature from HN. It wasn't really even advertised in the UI, and not the reason I - or many other people - connected Facebook to it.


Ok, but were you ever asked if you wanted to grant permissions for that? Did you ever see the UI I linked?

Or is your claim that you gave only permission for profile and friends but the Spotify client had messaging permission as well?


I can't recall having any idea that Spotify would have access to my messages.


>At various stages of Spotify's life, Facebook login was required to use the service.

I disagree. I have perused various trials for Spotify and other services over the years and never once had to resort to using a Federated ID/login.


Well you're disagreeing with a proven fact, so yeah... When Spotify released in 2011 Facebook was absolutely required. They removed that requirement a year later or so.


Oh wow you are totally right. It had never occurred to me that Spotify requiring Facebook to use the service was a means for them to gain access to your Facebook account.


I can't tell if this is snark, but as an app developer, I have considered Facebook login as a means for a relatively frictionless user experience, not as a way for me to gain access to a user's Facebook account.


No no, if you added social login to your app it's because you're evil. You want to monetize your users, selling their data like it's 2014. You're literally Cambridge Analytica. /s


But security-wise, it is the same.


Not at all. FUD. If you're going to make a statement like that at least come with some facts. There is a massive difference between me getting login permission TO MY OWN APP, and accessing a user's Facebook account, or masquerading as them on other apps.


...until Facebook mishandles their end, for example, the API.

Which they have been shown to about a dozen times over this month.


I think you have either misunderstood the reports, misunderstand the API, or misunderstand how to integrate it. There is literally no way for me to accidentally steal a user's data. You may not like Facebook, but accusing me of putting my users' data in jeopardy is just fucking cheeky.


Social logins are - and were, back then - a thing people are used to.


As a Spotify user since they only used Facebook login, I wasn't even aware of this messaging feature. Blind consent is not consent.


But how will a user discover that the new app will allow him/her to send messages from within Spotify before installation? If the user only discovers it afterward, then there is no valid informed consent...



