Comments on: Searching for Users by Email

By: Mick

Mick — Sat, 05 Apr 2008 17:54:41 +0000

Hey Leah,

I think that since you have added authentication to the Pownce API go ahead and allow an email search function, just make sure that it is from a registered account. Beyond that I assume that you track API usage by account / API key. So keep an eye on the largest users of the email search, as I’m sure you keep an eye on other API functions.

As for on the site, again, make sure that it is a registered user that is preforming the search, and again keep track of extreme usage.

However I think that you have to respect the user’s privacy, if they have there email set to friends only they cant be included in the search.

That is just my 2 cents.

Also it is great to see you blogging again, keep it up

By: Daniel Cedilotte

Daniel Cedilotte — Fri, 04 Apr 2008 19:05:39 +0000

Don’t allow it. If I trust you with my emails, it’s not for you to turn around and hand it to 90 million spammers on the other side. Don’t add a search by emails.

By: andrew woods

andrew woods — Wed, 02 Apr 2008 03:20:33 +0000

I agree with the majority in that it should never be displayed. However, I think it would be ok to to use it internally for matching addresses of existing pownce users, but only displaying the names of the friends that match. that way you get the best of both worlds. btw you would not expose this in the public api. this matching would be internal only. As a developer that’s how I would do it.

hope that helps.

By: Andrew Hallock

Andrew Hallock — Mon, 31 Mar 2008 20:55:29 +0000

Published and search-able email addresses are two different things. Simply add a new privacy setting for whether or not your profile can be searched by email address. Turn it on by default, but let users know there’s a new privacy setting. And I agree with Curtis, you should be logged in to search.

You have most of your bases covered by providing the address importer mechanism for the major email providers - but a lot of people store their contacts in Outlook.

By: Derek

Derek — Sun, 30 Mar 2008 18:42:14 +0000

I haven’t sat down to think about it for more than 10 minutes of reading the post & comments, but I think you should open it up for anyone via the API/Website. If someone has your email, there’s a reason why they have it, and I don’t think there’s any harm in saying “user with email X has a pownce account here“. Beyond that, it is up to the pownce user to determine whether or not to make their pownce updates available to the world, or just their friends.

The reason for not sharing your email via the pownce website has nothing to do with not wanting people to find you via your email address. Don’t tie the two together.

Going one direction it is using someone’s pownce account to determine their unique identifier (email). Going the other direction it is someone using your unique identifier (email) to determine your pownce account.

By: Edward Slipszenko

Edward Slipszenko — Sun, 30 Mar 2008 18:38:07 +0000

I don’t think it should be done. Imagine if someone tried to get all the friends of the “Pownce” user (the one that is used for making announcements) and got all there email addresses listed? Is that not going to be possible still? Surely username is enough identification?

By: j

Sat, 29 Mar 2008 22:33:26 +0000

Go ahead allow it

It’s a great way for automated bots to find email addresses that will work.

@gecko68: “People who do not know your email address wouldn’t know what to use”. Please. If your email address is shorter than 20 characters, a bot will eventually find it.

Dictionary attacks, anyone?

Even the captcha idea is defeated by OCR, just observe how good bots are nowadays at beating captchas.

By: Isaac

Isaac — Sat, 29 Mar 2008 19:22:09 +0000

Because being searchable by your email address and publishing the address aren’t exactly the same thing but both could potentially be privacy issues, I suggest that you create a new preference bit that allows users to decide if they want to be found by their email address.

Then insert a small header into every page on the site saying something like “Pownce has introduced the option to be searchable by your email address. Do you want others to be able to find you using you email address?” with Yes and No buttons.

Leave the default as “no” in their user record unless they click on that Yes button. Problem solved.

I don’t see a realistic way to keep this out of the API but I guess that’s up to you guys. I think people understand that if they allow something on a site it can also be done by applications and tools that work with that site.

By: Noah

Noah — Sat, 29 Mar 2008 18:05:21 +0000

You should allow for a user to enter in the email, and then return a message saying if the email exists then the user will be notified of a friend request.

By: Eldin

Eldin — Sat, 29 Mar 2008 17:56:54 +0000

I agree with Auguafresca.
Pownce already has the Find Friends feature, which is already “good enough” feature when it comes to Importing from other places.