Not signed in (Sign In)

Vanilla 1.1.9 is a product of Lussumo. More Information: Documentation, Community Support.

Migration: Got locked out of my account on MO

Bottom of Page

1 to 20 of 20

  1.  
  1.  

    Today I tried to unsuccessfully log in on MathOverflow (user number 402). The new system apparently has a very special treatment for the particular type of OpenID that I'm using (Google) and demands that I disclose my private email address to it. (Many other types of OpenID do not have an email address associated to them, so such an invasion of privacy is simply impossible.)

    My Google email address is private and is not meant to be disclosed to others, especially not to StackExchange. Furthermore, my user account on MathOverflow already has an email address associated to it, and I don't understand why StackExchange would demand another one from me, especially in such a rude manner.

    How do I resolve this problem and log in to MathOverflow without StackExchange invading my privacy?

    • CommentAuthorWill Jagy
    • CommentTimeJun 24th 2013
     
    Dmitri, SE staff say for you to log in any way you like, they can simply merge the accounts. I'm (temporarily) talking with one of them on the new MO Chat. We never had chat before.
  3.  
    Create a new account with an alternate OpenID, then request a merge. You might subsequently post a question on meta.mathoverflow.net or (perhaps better) meta.stackoverflow.com asking about the special treatment for Google OpenIDs. If you do that, could I advise taking a more conciliatory tone?
  4.  

    Terrific. Now I have to create (and use) a new OpenID simply in order to continue using MathOverflow. Good job, StackExchange.

    @Scott Morrison: I have no desire to post anything on other Metas (e.g., meta.stackoverflow.com) given how they treat their users (see, for example, the conflict between Jeff Atwood and meta.math.SE, which you are probably familiar with).

  5.  

    Dmitri, the Jeff Atwood v. MSE users issues were resolved long before Jeff left his position on SE Inc., which itself is an old event by now.

  6.  

    @Asaf Karagila: Please do not tell me that the issues were “resolved” when in fact one of the moderators had to resign because of Jeff Atwood's abuses. In any case, this seems to be off-topic in this thread, so I would rather not continue this particular discussion here.

  7.  

    If you want to hold grudges, that's fine. If you want to move on from an incident (which no one says is anything less than severe), then you may want to notice that it's been two and a half years now, and that Jeff has been off the SE management for over a year as well.

    But you are right, this is getting off topic. I'll stop participating in this thread now.

    Have a nice day.

  8.  

    Meanwhile, I found an answer to my question: http://blog.stackoverflow.com/2010/04/openid-one-year-later/

    “There is one, and only one downside: we must demand email from Google OpenIDs. Email is not usually required to use our sites, but you can’t log in via Google if you refuse to provide email to us. You can always switch OpenID providers, of course, but we regretfully must make the email demand mandatory in the case of Google.”

    And of course, somebody voiced the same privacy concern there, but it was ignored by StackExchange (hardly surprising, given the identity of the author of that post).

  9.  
    Dmitri, my interpretation of what you quoted above is that this is a defect at Google's end, but perhaps I don't understand the details. It does rather sound like they regret having to do this.
  10.  

    @Scott: The “defect” is a tool to protect your privacy: if you use your Google id on different domains, each of them will get an individual unique id, so there is no way for somebody to link them together and track your activity across multiple sites. In comments somebody named Doekman points out that their goal (identifying accounts on different StackExchange sites) could be achieved without invading users' privacy and demanding them to disclose their private emails. (For example, provide your email only when you want to identify your accounts etc.)

    What is amusing here is that any OpenID provider can employ such a scheme, but StackExchanges only singles out Google.

    • CommentAuthorKConrad
    • CommentTimeJul 1st 2013 edited
     
    I am with Dmitri on this. The issue is something unusual that deserves a closer look and I doubt it is about merging accounts.

    I use a Gmail address as my Open ID on multiple stackexchange sites, and I have never had to grant *any* of them permission to see my Gmail address: when logging in with an Open ID I type my Gmail account name and password into a Gmail window, and once that is recognized as valid (by Gmail, I guess) I am sent to the frontpage of whatever stackexchange site I am using (math.stackexchange, tex.stackexchange,...). That's how it went on MO as well before MO came into stackexchange 2.0. Ever since MO migrated to SE2.0, the Gmail address in Open ID for MO includes an extra step between entering Open ID information and seeing the stackexchange site's front page: I am asked to accept or cancel permission for stackexchange to see my Gmail address. No other stackexchange site I have used treats Gmail as an Open ID in this extra way, so claims that stackexchange needs to see a Gmail address for Open ID to work feel misleading, because that is not how things go with other stackexchange sites in my experience. Or might MO 2.0 be the "Edward Snowden" of stackexchange sites (i.e., it's more explicit than any other SE sites about how a Gmail account as Open ID information is really used)?

    Scott, the defect sure doesn't look like it's on Google's end because Gmail accounts are not treated the same way on other stackexchange sites.
    • CommentAuthorquid
    • CommentTimeJul 2nd 2013 edited
     

    @KConrad: I find the insinuation that there is something not explicit a bit surprising. An official blog-post from more than three years ago, mentioned here by Dimitri Pavlov (and in the other meta thread recalled by me), says:

    That’s a major bummer for site networks like us with multiple domains. We use the OpenID string as your user “fingerprint”, so if your “fingerprint” changes, we can’t tell who you are any more. It’s a frustrating problem, but we think we’ve finally come up with a fix: we demand email from Google GMail OpenIDs! [Emphasis as in original.]

    The following is a guess, perhaps not even an educated one, but it seems a reasonable scenario to me:

    As suggested in the blog post, your OpenID string for stackexchange.com is considered as your 'fingerprint' by SE (in the sense above). This OpenID string is likely the same over all the others sites except MO you use, as all you use seem to be [something].stackexchange.com (yet not stackoverlflow.com for example), so the domainname is the same. Likely, you granted SE permission once, and now long ago, when you started using math.SE (or whichever the first site it was you used on stackexchange.com); they then stored this email-adress as explain in the blog post. All the time you use some SE.com google gives then your OpenID string for stackexchange.com, they recognize this string and thus there is no need to ask for reconfirmation of the email. However, when using MO now, google give your OpenID string for mathoverflow.net (which is different as the domainname is different, and thus google creates a different one for the same email), therefore they do not recognize the OpenID string, and thus ask for the email to identify you via the email-adress instead of by the OpenID string.

    The reason that this was a non-issue on the old MO is that there was only one domainname at all, and no accounts to be connected. Now I did not test this, but I assume that I just the other way round would be asked for each stackexchange.com site all the time since my 'fingerprint' is my OpenID string for mathoverflow.net. (Which seems compatible with what Scott Morrison said, since the OpenID string they have for him as main one is likely also not the one for stackexchange.com but mathoverflow.net or perhaps also stackoverflow.com as he seems active there too.)

    • CommentAuthorKConrad
    • CommentTimeJul 4th 2013
     
    Dmitri: See the answer by Shog9 at http://meta.mathoverflow.net/questions/322/why-the-extra-step-in-registering for a complete solution to the problem that you (and I) have been having with Gmail as the Open ID.
    • CommentAuthorquid
    • CommentTimeJul 5th 2013
     

    @KConrad: I could be wrong, but the problem of Dimtri Pavlov was that he did not want that SE had that email address of his at all; so, I do not think that this is a solution for his problem.

  15.  

    @quid: This is correct and the privacy problem still exists.

  16.  
    When I looked into this, I was being asked for permission to share my gmail email address on *all* stackexchange sites, not just MO as KConrad was reporting. I suspect that the experience is not uniform, and perhaps depends on whether the your "OpenID of record" was created on a site under the *.stackexchange.com domain or on one of the "top-level" sites.
  17.  
    @Dmitri, isn't the solution simply to not use a GMail OpenID? The whole point of OpenID is that you're in charge; you can create as many as you like, and associate, or not, whichever parts of your identity you like with them. What would be better about using a GMail OpenID without revealing the associated email address than using, say, something form MyOpenID?
    • CommentAuthorEmil J
    • CommentTimeJul 9th 2013
     

    I agree with the general part of Scott Morrison’s comment. However, my experience with myopenid.com has been terrible, the site is down more often than not. There are other options (stackexchange is itself an OpenID provider, for starters).

  19.  

    Emil,

    Judging from Dimitry's past comments (on this thread, and on others related to the migration), I don't think that he would like his identity to be "represented" by SE Inc. at all. But there are more options to this anyway.

  20.  

    @Scott Morrison: What would be better is that I wouldn't have to maintain more than one OpenID. The problem wouldn't be as severe if I knew this in advance, before registering on MathOverflow, as opposed to suddenly discovering myself locked out of my account, with no option to log in other than to register with some highly dubious company (such as myopenid) or set up my own OpenID (which is what I probably will have to do in the end, but it requires some time). At least StackExchange could have had the decency of announcing this privacy invasion in advance, so that I at least had some time to change my OpenID.

1 to 20 of 20

  1.  
Back to Discussions Top of Page