Tuesday, October 24, 2006

Solutions for Web Sites that Force Registration to Access Content

We all come across pages online that require you to register. Sometimes these are straightforward, just asking for your email address and a username so you can post on a messageboard with other information being optional. But some sites want more, like your name and address, date of birth, and lots of other details you might not want to give out. Even if the site says it won't sell or give out your details, how do you know they won't? There is no obligation for web sites to follow or even implement a privacy policy. While most sites will ask if you want to sign up for their newsletter, sometimes they automatically subscribe you without your authorization, forcing you to opt-out, or worse.

So what can you do to bypass these forced registrations?

The first and easiest solution is to use bugmenot.com. Bugmenot is a community oriented site that stores usernames and passwords for websites that require users to register to read content. It's a public database that anyone can access, and when you come across a page that asks you to register, all you do is find the link indicating that you have already registered and that you want to login. Lookup the site on bugmenot and input one of the usernames and passwords. They also have a voting mechanism to get rid of old or invalid logins. Making the whole process even easier is the BugMeNot Firefox Extension that automatically retrieves the data from bugmenot.com and inputs it into login forms. Just right click on the empty login field and choose "Login with Bugmenot" and it goes at it. It will even continue to input usernames if one or more fails and prompts you to go and get more if all the ones it tried have failed. If you've come across a site that doesn't have any logins, you can contribute your own username and password for others to use.

The best way to create a new login for bugmenot, or any other site that requests your email address that you don't want to give is to use a disposable email account. Since most sites often require you to activate your account by sending an email to the account you specify and clicking a link within the email to ensure less abuse of their registration system. Disposable email addresses are simply email addresses that are created on a system that have no password, but a username with the domain as the @ extension. So, to login, all you do is go to the site and put in the username, and the email will show up. One might think that this would obviously be the opposite of private, but the object is not to create an email address for you to use permanently, only temporarily. These accounts can only receive email and not send them, so you simply use them to get the validation email and, depending on the requirements of the site you are attempting to register for, the email address itself becomes the username.

A few services that provide disposable email addresses are:
You can also find a directory of disposable email addresses at about.com and dmoz.org. Among the several email addresses I use, I have a commercial Yahoo account that came with my DSL connection, which includes a feature called AddressGuard. This feature allows a user to create up to 500 disposable email accounts. All the accounts have the same beginning, such as abc123, followed with another word or phrase that you can use to associate with the site you're using, and ends with the @yahoo.com address. So, for example, if I wanted to create an account on CNN, I could use abc123-cnn@yahoo.com. I can send and receive from the email address, and specify a color I want to show when an email from that address comes to my inbox. Other email providers, like Gmail, allow you to add a plus (+) onto your email to track where your email would be coming from, such as janeroe722+cnn@gmail.com. Unfortunaly, many sites do not parse the plus symbol properly and when you attempt to register using an address in the above example, it will come back with an error asking you to submit a valid email address after you submit the form on the server.

Finally, if a site requires you to put in your name and address, there is a site to remedy this problem, without having to pull a random name out of a phone book or create a completely bogus address. The Fake Name Generator will create a fake name, address, city, state, and a selection of countries, along with a phone number, a mothers maiden name, birthdate, email address, and even credit card number. The last feature I cannot see what the purpose is. In any case, the credit card that it outputs would not work on any modern system for the intention of fraud that I am aware of. According to the site's FAQ, the data it generates is essentially random, so you won't hopefully put some total stranger's name into a database of potential spammers.

All of these concepts were originally created out of the needs I describe, essentially in order to bypass annoying and cumbersome web registration when a user simply wants to look at a news article or something related. One of the first people to put this concept into practice was Marc Majcher, with his Random NYTimes Login Generator. This was created of a need to read articles on the Nytimes site without having to register and give out private information. It has evolved into sites such as bugmenot, so it can benefit both groups. The NYTimes will not be overloaded with bogus info in their database, and users who know about these functions and don't want to give out private info can use public accounts for this purpose.

What about the potential for abuse?

With things like this will come the potential to be abused. Bugmenot allows sites who don't want to allow logins with it to request it using an online form. Of course, there will always be methods to attempt to break the rules anywhere one goes. A user can use a proxy to login to a site and post abusive messages, or use a proxy to post anonymous information about a legitimate topic that they might not have otherwise. So, the potential for abuse is always there with systems such as this. It is just up to the community and site operators in general to decide on how best to work around problems and find solutions that will work out best for everyone. If a website operator finds that most of it's registration data is bogus, then they can either disable the need to register to access an article or completely remove access to those articles. Obviously, decisions like those and the discussion of abuse is beyond the scope of this article. If you have any comments to add, feel free to post them.

No comments:

Related Posts with Thumbnails