While the upside for users is a single login and the ability to tote their coterie from site to site, privacy could suffer, researchers say. And there is good cause for cautious optimism: Facebook was badly burned in late 2007 when its Beacon advertising system was criticized for errantly posting data on users, such as purchases they made.
A beta version of Facebook Connect already is available on sites such as CitySearch, and a host of other high-profile partners, including Digg, CBS, the Discovery Channel and video site Hulu, also have signed on.
Because of Facebook's popularity and sheer size, Connect could well succeed and become the web's first truly successful identity model, say experts. OpenID, Google Friend Connect and MySpaceID are similar offerings, but Facebook has clear momentum.
But for Connect to work, users must be able to intelligently control their privacy, says Ian Glazer, a senior identity analyst at the Burton Group. The biggest threat Connect might pose is unintended consequences, such as a user viewing a racy video on Hulu and then accidentally alerting his Facebook friends about it.
“I think it's challenging for versed people to get what these things are doing, and there's less transparency when other sites and applications are involved,” Glazer says.
Amanda Lenhart, senior research specialist at the nonprofit Pew Internet & American Life Project, says Facebook gives users granular ways to control their privacy – but often members don't understand what is protected.
“The users' understanding of privacy, while they want to protect it, is imperfect,” she says. “Oftentimes, they don't make good choices.”
But representatives at Facebook say the draw of Connect is being able to take one's privacy preferences and extend them across the internet.
The company also has taken additional security measures with Connect: Partner websites cannot store user data past 24 hours; fake or spam accounts will be deleted immediately upon detection; and the possibility of phishing is mitigated because Connect users do not need to log in separately to remote sites and instead log in once to Facebook.