Social Network Anti-patterns



While social-network-portability documents what to do to put your site on the open social web and be a good user-centric service in general, not everyone follows such advice. Some sites instead opt for alternative tactics that are either one-off (wasteful) or downright user-unfriendly. This page documents such anti-patterns of social network design and implementation and provides (unfortunately) real-world examples of such badly designed sites.

Spam your contacts

Many social networking sites ask you to upload your address book, or offer to "Find Your Friends", when what the feature really does is spam your contacts.

These sites seem to use your uploading of an address book as tacit/implied permission to spam all your friends with invites, which will annoy your friends, and make you look foolish.

Making users annoy their friends, look dumb to them, and feel compelled to apologize is not good design.

This spamming behavior is now so bad that users are knowingly creating new email accounts to avoid the problem:

Apparently this contact spam has in at least one case taken the form of instant-message spam (spim) which is then used to spread a contact-based virus!

Solution: support social-network-portability instead, not address book spamming.

Read more about why this is an anti-pattern:

Here are some sites that are currently doing this:

Bebo invites

Bebo appears to have a user interface that makes it too easy for users to unintentionally spam everyone in their address book.

Evidence that users are unintentionally sending invite spam to their contacts:

As noted by user Valerie Noble on 2008-03-13:

"What the hell, I stupidly sent bebo invites to everyone in my address book. Boo!"

and user C.K. Sample III on 2008-03-18:

"signed up for bebo. sorry to everyone in my address book who got spammed by the sign up. I thought it would work more like twitter"

Evidence that users are receiving Bebo invite spam:

Brian Alvey notes on 2008-03-19:

"Considering deleting the duplicate Bebo invitations I'm getting. Everyone has 3+ addresses for me. Another address book spam engine. Hurray!"

Still a problem as of May 2008:

Cameron Payne was unpleasantly surprised on 2008-05-15:

"goddamn Bebo just invited *everyone* in my Yahoo address book. I don't think I told it to do that. WTF!? Beware!"

Goodreads are your friends already on

Goodreads also has a user interface that misleads even very web-savvy users into unintentionally spamming everyone in their address book.


Micki Krimmell wrote both a blog post and a post on GetSatisfaction describing her experience with being tricked into spamming all her friends.

A representative from Goodreads has followed up on both Micki's blog post and her GetSatisfaction post. However, as far as is known, Goodreads' user interface has not been changed or improved to be less misleading.

Quechup find your friends on


Quechup has a feature to "find your friends" which, even if it says "no contact present", will spam all the contacts in your address book and thus annoy all your friends and embarrass you. Clearly it is not just finding your friends from your address book; it is inviting everyone in your address book.

Spock scan my address book

Enter your other site login and password

Also known as:

Giving any site your login credentials/permissions for another site or service is a very bad idea. You cannot trust that the site will treat your login credentials with proper care (e.g. Quechup uses this anti-pattern to implement the "spam everyone in your address book" anti-pattern above).

It is also very bad user interface design. These sites that ask for your login (whether gmail or other services) are teaching users a very bad habit, a habit that is akin to what phishing sites depend on. Essentially you are teaching a user that this type of form is safe whereas it actually presents quite the danger given the number of phishing sites out there.

Don't ask users for their login and password to another site like Gmail etc.
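What a site can do instead of collecting the password, shown as an added example that is not part of the original page: an OAuth 2.0 authorization-code request with PKCE and a `state` check, so the user only ever types their password on the provider's own login page. The endpoint `provider.example` and the scope name `contacts.readonly` are placeholders, not a real provider's values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions (not from the page): placeholder provider endpoint and scope name.
AUTHORIZE_URL = "https://provider.example/oauth2/authorize"
CONTACTS_SCOPE = "contacts.readonly"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def begin_authorization(client_id: str, redirect_uri: str):
    """Return (redirect_url, session); the user logs in at the provider, not here."""
    state = _b64url(secrets.token_bytes(16))      # ties the callback to this session
    verifier = _b64url(secrets.token_bytes(32))   # PKCE secret, kept server-side
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": CONTACTS_SCOPE,                  # read-only, nothing broader
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_URL}?{query}", {"state": state, "code_verifier": verifier}


def handle_callback(callback_url: str, session: dict) -> dict:
    """Validate the provider's redirect and return the token-request fields."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError("authorization denied: " + params["error"][0])
    returned = params.get("state", [""])[0].encode("utf-8")
    if not hmac.compare_digest(returned, session["state"].encode("utf-8")):
        raise ValueError("state mismatch")        # forged or replayed callback
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("missing authorization code")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": session["code_verifier"],
    }
```

The dictionary returned by `handle_callback` is what the site would POST to the provider's token endpoint; the resulting access token can be revoked by the user without changing their password.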



Read more about why this is an anti-pattern:

Excuses and responses

Pollution analogy

The password anti-pattern = teaching people to pollute themselves.

Here are some sites that are currently doing this:

Blipfm is better with friends

Blipfm - Their "Import Address Book" functionality requests that you enter your username and password for your email provider(s): yahoo, gmail, hotmail, aol, msn.

Delta Add To Google Calendar

Delta asks you to enter your Gmail UserName(sic) and Password:


Facebook Connect

Per Ben Ward's post on Facebook Connect, this user interface:


appears to encourage users, on any site, to enter their email address and password into something that visually resembles a Facebook popup window but is easy to mimic.

Thus all a malicious site would have to do is put up a button saying "Login with Facebook Connect", then display an identically styled virtual popup, and the user, who has been taught by the Facebook Connect UI, will simply enter their email address and password.

There's also a more detailed follow-up on Ben's views of the Facebook Connect UI on his blog — and compliments for the alternate version, which uses the iframe to improve the UX for users who are already logged in to Facebook. There's a bit more snark as well, for those who are into that.

Update: This issue was fixed by Facebook. They now use a separate pop-up window, complete with browser chrome, to log in when you're not already signed in to Facebook.

Facebook see if more friends have joined



Facebook - Their "see if more friends have joined Facebook" feature provides you with a popup menu to enter passwords for numerous sites.

GetSatisfaction Twitter This widget

As reported by Jeremy Keith, apparently the GetSatisfaction "Twitter This" widget requests your Twitter username and password. (screenshot needed)

See the support thread on GetSatisfaction "Stop asking for Twitter passwords" for more.

Instagram Twitter Login

As reported by Adewale Oshineye:


Nsyght import your profile and friends


Nsyght - Register for an account to import from Digg, Pownce,, and Twitter (site is in public alpha)

Plaxo - Let's look for your friends in your address book


Plaxo - Asks in several forms for passwords of different mail services.

Plinky - Find Your Friends


Plinky's "Find Your Friends" feature, which it presents to every newly signed up user, asks for your email address and password for a variety of services.

As DeWitt tweeted:

Google, Yahoo, and Microsoft all support browser-based delegated authorization apis for contacts. Plinky should use those apis.

See also this thread by Jason Shellen (CEO of Plinky) who says some hopeful things:

DeWitt - You make a good point. I'll discuss it with the team Monday. In other news, we do support OAuth for posting to Blogger.

Quechup which friends already use


ShareThis import your contact lists


ShareThis asks for your username and password to email services and social network sites.

SlideShare signup form

As reported by Jeremy Keith, apparently the SlideShare signup form asks for your (in this order)

(screenshot needed)

Because of the proximity of "Email Address" and "Password" input fields it is easy to mistake this for asking for your email address and email password. Perhaps it is asking for your email password? Or perhaps it asks for that later in the process? Screenshots would help.

See the GetSatisfaction support thread "Asking for 3rd party passwords" for more.

StockTwits login

StockTwits asks you to "Login" with your Twitter username and password. StockTwits is not run by Twitter, therefore they are asking you for your username and password to another site.

Twitpic login to twitter


Twitpic asks you to enter your Twitter username and password. They are not the same site, nor are they run by the same people or company.

Twitter are your friends on


Twitter is a service that many users (including many of us active with microformats) love and adore and use constantly. Plus they implement microformats (e.g. hCard supporting user profiles and hCard XFN supporting friends lists)!

However, we still need to call them out for supporting the third-party password anti-pattern.

As co-authors of OAuth, please Twitter, implement and evangelize that path (perhaps even on that "are your friends on" page), rather than this anti-pattern.



TwitterNotes asks you to "login with your Twitter account" username and password. They are not the same site, nor are they run by the same people or company.

Join to fix your profile

Some social network sites create public profiles for you without you having any contact with them. If there are any mistakes, they make you join in order to fix them. This sounds like blackmail: join our service or else we'll continue to publish inaccurate information about you and therefore spam web search results about you with misinformation.

Spock join to fix

One Unified Social Network

Several companies are trying to build the "one unified social network" (to rule them all) where they own/control the social network, and you're "allowed to" build applications on top of their proprietary platform. The most recent example of this is perhaps Facebook.

This is a bad idea for the same reason you don't see "one universal blogging service".

Other examples of folks walking down this path:

The hope is that these services will see the potential upside of providing open user profiles and social networks through social network portability and thus enable syndication of such data, as popular blogging services do.

Requesting All OAuth Permissions


PurpleWifi requires that you give it full access to all OAuth permissions of your Twitter Account in order to use their wifi service (which has no need for write access to your Twitter account).
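A way to review a permission request like the one above before shipping it, given as an added example that is not from the original page or from any of the services it names. The scope names, the implication table and the feature list are constructed for illustration and are not Twitter's real permission names.

```python
# Constructed scope model (not Twitter's real permission names): each scope
# maps to the narrower scopes it directly implies.
IMPLIES = {
    "profile.read": set(),
    "tweets.read": {"profile.read"},
    "tweets.write": {"tweets.read"},
    "dm.read": {"profile.read"},
    "dm.write": {"dm.read"},
}

# Hypothetical features and the scope each one actually needs.
FEATURE_NEEDS = {
    "wifi_login": {"profile.read"},
    "show_timeline": {"tweets.read"},
    "post_status": {"tweets.write"},
}


def expand(scopes):
    """Return the scopes plus everything they transitively imply."""
    seen, stack = set(), list(scopes)
    while stack:
        scope = stack.pop()
        if scope not in seen:
            seen.add(scope)
            stack.extend(IMPLIES.get(scope, ()))  # unknown scopes imply nothing
    return seen


def minimal(scopes):
    """Drop any scope that another scope in the set already implies."""
    return {s for s in scopes if not any(s in expand({o}) for o in scopes if o != s)}


def audit_request(features, requested):
    """Compare what an app requests with what its features need."""
    needed = set().union(*(FEATURE_NEEDS[f] for f in features))
    required, granted = expand(needed), expand(requested)
    return {
        "excess": sorted(granted - required),      # privileges no feature uses
        "missing": sorted(required - granted),     # features that would break
        "request_instead": sorted(minimal(needed)),
    }
```

A non-empty `excess` list for a login-only feature is the situation this section describes: write access requested where read access to the profile would do.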



Social Network Anti-patterns was last modified: Friday, July 21st, 2017