“Just asking for it” is a terrible idea when you are trying to link accounts with other oAuth login providers as has been described ad nauseum above.
It’s even worse when you realize that there is no simple verification that I as a developer can implement against that email. I’d have to resort the annoying process of emailing a validation code, but at that point I might as well handle the whole signup process myself. With FB/Google/etc I know that one account = one email address. A couple clicks and you’re in. No fuss.
With twitter, what’s stopping a second user from coming along and giving me the same email as another user already in my system? Do I now associate both twitter accounts with my application’s single account, adding unnecessary complexity to my database and codebase? Or do I tell the person, “Sorry but that email address is already linked with a different twitter account. Shucks.” What if the first account created was the one using the email fraudulently? Now I have to worry about dealing with an appeals process, so I have to add an additional note like, “If you believe this to be in error, contact us and we’ll sort it out manually when we can get to it. Meanwhile, you probably don’t have time to deal with it because you just wanted to quickly check out our app, so we’ll probably never see you again anyway. Thanks for trying to join at least.”
Easiest solution at the moment is just to flag twitter support.
Also, I want to second the idea from @BradleyKlco for at least providing a hashed version of the email so we can’t reverse it, but can have a pathway to link logins through other services. Brilliant compromise.
