NOTE: WHAT FOLLOWS IS PERSONAL OPINION. IT IS NOT SANCTIONED NOR REFLECTS THE OFFICIAL VIEWS OF MY EMPLOYER.
Right, that's out of the way then. So, i work at Netflix. Specifically, i work in the API group. The guys that offer http://developer.netflix.com and various services tied to it. Anyone who knows me (or just reads this blog) also knows that i'm more than a little paranoid about security and privacy.
Some time ago, a company called Jinni started collecting Netflix customer ratings so that they could store them on their servers and do things with them. Unfortunately, since Netflix doesn't offer a way to pull those ratings directly, Jinni decided that they'd use one of the worst anti-patterns possible, and ask for the user's account name and password, which they store on their servers.
This, not surprisingly, is a violation of the Netflix Terms of Service. Netflix, for those not aware of the company, is a subscription based movie rental company. You set up your subscription via a credit card which is tied to your account by… your user name and password. Netflix, also not surprisingly, doesn't want potentially thousands (or really, even one) credit card to be stolen out of it's service by any site that's suddenly been compromised.
You see, regardless of the sort of encryption being done to store user credentials on a remote site, if you're entering a username and password, it must be transmitted (and therefore stored) in plain text and therefore it's easy to steal via any number of mechanisms. This is why services like OAuth are better because they provide the three parties (you, a third party program acting as your agent, and your data service) to all agree on a common set of alternate credentials that have access to an explicit set of information. For instance, i can use these alternate credentials to let PocketFlicks access my reviews and movie watching history, but not have access to my credit card info. Plus, should i ever distrust a given service, i can have the data service revoke access at any time.
i'll toss in that OAuth is just one solution. There are others, including Yahoo's BBAuth, Google's Auth, and Facebook Connect which all provide similar function (although those are tied to specific vendors). This is what's known as balanced security, and frankly, if you're using either an agent or a data service that doesn't provide that sort of balance, i'd seriously question the goals and aims of that service. (Twitter, thankfully, has recently joined the OAuth bandwagon after having had several accounts compromised by various less than upstanding services.)
So, it both confuses and saddens me when i see companies like Jinni slinging fud. To them, the obvious reason that Netflix is "demanding they remove the import ratings feature" is obviously because Netflix see them as a threat. Well, i'd guess Netflix does, but definitely not in the sort of way that they seem to think.
Netflix's income comes from subscriptions. Netflix's main goal is to increase subscribers. In order to do that, Netflix want's to provide a service that folks are happy enough to both continue to use and to recommend to others. One of the ways that we've found to make our service useful is by recommending movies that you might enjoy watching. We do a fairly good job, but we're about to award some guys $1,000,000 for a way to make it just 10% better than it was before, so we know that others might do a better job than we can. We just want more subscribers*. Heck, if you like watching movies based on random words in the dictionary, we don't care so long as you become a subscriber. Honest, that's the sum total goal.
Now, there are also laws in place that we have to respect dealing with ensuring your privacy. For instance, we can't share your movie rental history without your consent. Every time we look at offering a new service, we have to make sure that it's not potentially violating laws or existing privacy policies. That means that the reason somethings are offered before others isn't always because it's technically challenging. Is it frustrating? Oh man, is it ever, but that's the reality we have.
i'm quite sure that the Jinni folks are fine, upstanding citizens with only the best of intents. That said, i'm still paranoid as hell, and frankly, you should be too. Heck, be rightfully paranoid about Netflix, that's why security experts recommend having unique passwords for every service you use. (Just note that Netflix is required to be SOX compliant and regularly audited by our credit holding insurance agency where i don't believe Jinni is.)
We i believe that Netflix doesn't care if someone wants to store and use their customers movie ratings. Heck, when they're allowed to provide them, i personally hope Jinni does a better job than Netflix does because that will also increase Netflix subscriptions. Netflix just can't provide them yet.
As for giving them, or any site, credentials that could access your stored credit card personal info? Well, that's just stupid.
(*Oh yeah, those stupid pop-up/over/under ads? Those are from affiliate partners. They're not supposed to do that.)
