
Most people don't care; the privacy implications are only worried about by people who know enough to worry about the privacy implications.

Despite the Facebook Beacon blowup in the blog echo chamber, very few users cared:

http://www.sawickipedia.com/blog/2007/12/05/facebook-bites-t...

So, sure! People who read CodingHorror are concerned about the security issues... but how many of your users even know what the hell CodingHorror is?

If your social network is focused on people who might have heard of CodingHorror, you might want to have second thoughts. If not, keep it secure and be careful about your implementation. Personally, if I trust a site then I'll use the address book import if provided.

EDIT: Like mentioned above, definitely use Google's actual tool to do the import:

http://code.google.com/apis/contacts/



It's irresponsible to expect your users to care about their privacy, just as it's irresponsible for a doctor to expect his patients to care about their health as much as he does.

Your duty, as a provider of web services, is to be far MORE concerned with your users' privacy than they are themselves. You know about these things; they don't. They're trusting you.

So do the right thing. Don't add to the problem. Don't add to the list of sites that subtly enforce the very false notion that it's safe to share your email credentials.

It's a bad idea even if you do trust the site to be careful. Every site that has my email credentials, even for a moment, is another potential failure point of the worst kind. Steal my Twitter login, fine. You post some garbage, and I have to clean up a mess. Steal my email, and I'm left broke and fighting with credit bureaus to clean up my reputation for 7 years.

Most users don't care about these things. But the fact that about 100% of savvy web professionals are very concerned by this should give you pause before asking for email credentials on your site. Even if you're 100% careful with the info, you're helping the next guy make the case that it's ok ("everyone does it"), and he might not be so careful.


"So, sure! People who read CodingHorror are concerned about the security issues...but how many of your users even know what the hell CodingHorror is?"

If the topic being debated was about the blog in its entirety and why Jeff Atwood writes it, you might have an argument here, but considering two people pointed to a blog entry I'm going to disagree wholeheartedly with everything you just said.

The article makes a VERY good point that some folks very often use their email password as the de facto password throughout the Internet. Just because someone comes along and eloquently says it's a bad practice doesn't mean people are automatically NOT going to do it, and immediately become more informed about privacy and security concerns.

And even for people who don't use the same password, they just as easily don't want this information just flying across a random connection string for the sake of seeing what your "friends" are up to on this new socially-capable website.

It's not about "Who reads this random arsed blog" any more than it is keeping in mind every avenue of user interaction that will occur on your site, and being accountable for how you use data given to you.



