There would have been an interstitial page mentioning that his email was being given to Stack Exchange by his OpenID provider.
Depending on exactly when he registered, there may have been (and now always is, when using a third party login iirc) another page on the Stack Overflow side that confirms new account creation and again displays the provided email.
Basically, he clicked through at least one "sending personally identifiable information, are you sure?" page. Maybe more than one.
Disclaimer: Stack Exchange Inc. employee, I've done some work on our user login stuff in the past.
As I understand the parent post it is not about the email that is shared, but it asserts that the real name from the OpenID provider is used as the publicly visible user name on SO. I don't think this is accurate, but I can't see the internals.
The mail address is not problematic anyway in my opinion, as it is not publicly shown on SO.
What I was pointing out was that there was a confirmation of some sort presented to the user indicating that something that personally identified them was being shared.
Stack Overflow does take a "full name" (in OpenID attribute exchange terms) as a user name if provided by an OpenID provider, though we explicitly don't demand it (it is not "required" in AX terms). Exactly how a provider deals with "optional" attribute requests is up to them; in practice I think most everyone ignores it unless it's also public information on their service (i.e. full name == user name).
Offhand I want to say Facebook is the only login option used by > 5% of our users that provides a name. I did not actually confirm that by testing, just working from memory.
You are correct in that Stack Overflow never displays user emails during normal operation, excepting employees and moderators (who are bound to an agreement before accessing such information: http://stackoverflow.com/legal/moderator-agreement ).
Interesting, though I just went through the on-boarding process with a few different providers: Yahoo!, Google, and Facebook:
- Yahoo!: asked to share my personal information and showed a card with my real name and email address. When I completed the association, Stack Overflow used my real name as the profile name.
- Google: asked to share my email address. When I completed the association, my real name was not used: instead, I got a randomized (userNNNNNN) name.
- Facebook: asked to share my account and indicated that my public profile would be sent. When I hovered over the words "public profile", it indicated that it would include my name. When I completed the association, Stack Overflow used my real name as the profile name.
In all three instances, the interstitial page on Stack Overflow to confirm the association after I granted access with the third party provider only indicated the email address used, not the full name: http://i.imgur.com/mjwds1m.png
Since the confirmation page on Stack Overflow does not indicate what information would be used and where, it would've been up to his third-party OpenID provider to tell him on the page granting access that his real name would be passed along, and—assuming it did—up to him to make the connection that allowing Stack Overflow access to his name would make it immediately public as his profile name.