You’ve seen this feature on many of your favorite apps: a button that lets you log in with your Google or Facebook account. Sometimes it’s for sharing files, photos, or emails. Other times it’s a quick way to connect all your accounts together by using either Google or Facebook.
Although I could easily write articles, it’s much more difficult not to.
Even though these buttons can be useful, many sites are receiving your personal information. Sometimes this is done by accident, but you probably won’t regret it if you notice how many random sites have access to Google data or Facebook data. Just check back below and revoke access!
Many users were alarmed to find that in May, Facebook warned 1 million Facebook users that their accounts may have been compromised by 400 malicious apps designed to trick them into handing over their Facebook log-in information. The fake log-in buttons tricked users out of their personal data and caused harm across the internet.
It’s really important to know what kind of data you’re sharing with the apps you use on the internet. Sharing can happen without you even knowing, and it might not be easy to find out what happened to your personal information. An interesting case that recently caught my eye is a Google log-in button on a job site called iCIMS, which unfortunately granted the site access to the entire contents of your Google Drive account.
You agreed to what?
Did you know that iCIMS is used by over 2.4 million people? It has a great reputation, and companies such as Microsoft, Uber, UPS and Target use it for recruitment. The iCIMS job application site allows qualified candidates to apply directly from Google Drive.
When she clicked on the Google Drive button, a pop-up message read: “This will allow iCIMS to: See and download all your Google Drive files.”
Google Drive is a popular cloud storage service for both documents and people’s photos. Others have complained about the same privacy breach on Reddit and Google’s own support forums — and I confirmed the details by applying for a job myself.
iCIMS told me it is not currently rummaging through the other files of job applicants who upload a résumé. “iCIMS does not access, transfer or otherwise process any additional information from the candidate’s Google Drive account,” according to Al Smith, the company’s chief technology officer.
Smith stated that by granting copy access to Google’s files, you’re only sharing them with iCIMS–something that isn’t explicitly a different entity. In order to share your information with other people/organizations/devices, you’ll have to give them copy access to your Google Drive files.
Google’s spokesman told me that users have “choice and control” and that they have to click to accept the consent terms on an “access permission” screen. But how many people are actually going to read through all the fine print?
Google has many policies that it asks sites and apps to abide by in order to stay in good standing. It’s their job to look over the standards and make sure they’re complying with them, but adding safety measures before an app or website goes live is another story altogether.
iCIMS tells me that it is soon planning to shift to a newer version of Google’s Drive plug-in. One of the benefits of this change is that users will be able to share only the specific Google Drive files they use with the app. This decision builds on the company’s commitment to protecting its users’ privacy, as emphasized by its recent restructuring and business model revision.
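The difference between whole-Drive and per-file access shows up in the `scope` parameter of the consent URL a log-in button opens. This added example (not iCIMS’s or Google’s code) audits that parameter; the pop-up wording quoted above is Google’s description of the `drive.readonly` scope and per-file sharing is `drive.file`, while the sample URLs, client ID and redirect address are constructed, and that iCIMS requests exactly these scopes is an assumption.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

G = "https://www.googleapis.com/auth/"

# Scopes that expose a whole data store, with a plain-language summary.
BROAD = {
    G + "drive": "view, edit and delete every Drive file",
    G + "drive.readonly": "see and download every Drive file",
    G + "gmail.readonly": "read every email message",
    "https://mail.google.com/": "read, send and delete all email",
}
# Scopes limited to sign-in data or to files the user picks.
NARROW = {
    G + "drive.file": "only the Drive files used with this app",
    "openid": "sign-in identity",
    "email": "email address",
    "profile": "name and profile picture",
}

def audit_consent_url(url):
    """Split the scopes requested by an OAuth authorization URL into
    (broad, narrow, unknown) lists, preserving request order."""
    params = parse_qs(urlsplit(url).query)
    # 'scope' is one space-delimited value; parse_qs already decodes + and %20.
    scopes = " ".join(params.get("scope", [])).split()
    broad = [s for s in scopes if s in BROAD]
    narrow = [s for s in scopes if s in NARROW]
    unknown = [s for s in scopes if s not in BROAD and s not in NARROW]
    return broad, narrow, unknown

def build_url(scopes):
    """Constructed sample request; client_id and redirect_uri are placeholders."""
    query = urlencode({
        "client_id": "EXAMPLE_CLIENT_ID",
        "redirect_uri": "https://jobs.example/callback",
        "response_type": "code",
        "scope": " ".join(scopes),
    })
    return "https://accounts.google.com/o/oauth2/v2/auth?" + query

WHOLE_DRIVE = build_url(["openid", "email", G + "drive.readonly"])
PER_FILE = build_url(["openid", "email", G + "drive.file"])

if __name__ == "__main__":
    for label, url in (("whole Drive", WHOLE_DRIVE), ("per file", PER_FILE)):
        broad, narrow, unknown = audit_consent_url(url)
        print(label, "-> broad:", [BROAD[s] for s in broad] or "none")
```

A scope that lands in the `unknown` list is not necessarily harmless; it only means this short table does not classify it.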
If you use Google, your data will be protected. If you don’t, your data may be even more vulnerable. If you’re considering using Google to log in and navigate your social media accounts, there are important things to keep in mind when using the service.
Log-in buttons are at a different place in the content somewhere. Use them when the text size is too small and you can’t see it clearly.
If you have a legitimate site or service, it’s okay to use log-in buttons. “If it is a legitimate site or service, then you don’t have too much to worry about,” says Bogdan Botezatu, the director of threat research and reporting at security company Bitdefender.
For example, you can grant the Zoom video conferencing app access to your calendar through the Google login.
There’s been a lot of talk in recent years about web services that make it difficult to distinguish between “legitimate” and “illegitimate,” but this is something you’ll probably encounter regardless of where you work or what industry you’re in. Jen Caltrider, Mozilla’s head of Public Policy, notes that her team isn’t always sure about spotting the difference either. As a privacy researcher, she writes, “I am not 100 percent sure.”
And Google has a long history of enabling questionable oversharing. In 2018, my colleague Doug MacMillan exposed how hundreds of apps sought access to the entirety of people’s emails in order to provide various features, such as price comparisons and an automated travel planning tool. He found that the apps were teaching their computers how to read people’s emails as well as giving their employees these same privileges.
Facebook made headlines for falling victim to another privacy scandal. In March 2019, the Federal Trade Commission fined Facebook $5 billion after investigating how it allowed a company called Cambridge Analytica to gather user information.
Have you ever wanted to make your Google or Facebook account a log-in if it’s not the only site you use? You may want to choose this option instead of creating yet another username and password for a new website or app.
Facebook tells us that this could be a safer way to login. Instead of using a password from just one app or website, you’re better off logging into many different ones with this one new password. This is something you should definitely not try to do on your own–the No. 1 security mistake people make online is reusing passwords across websites and apps.
Despite the many benefits digital logins offer, I usually don’t use them.
Sometimes these buttons can be fraudulent tricks to steal people’s important log-in details.
If a hacker managed to hack into your Google or Facebook account, they would also gain access to any site you used.
Digital marketing platforms can help make you more relevant by letting companies such as Google and Facebook track your use across different websites, even when you’re not using them.
A better idea to simplify your password headache is to use a password manager. Manage all your different passwords, plus you get extra protection for the most important sites.
Search for what apps have access to your Google and Facebook account.
If you’re thinking about doing a data audit, be sure to check out Google and Facebook’s respective tools for tracking the sites or apps that you’ve connected with. It’s a good idea to do a census periodically, and cut any bad relationships out of your life!
Google should have your permission to share any personal data they collect when you sign in with a third party app. To access Google’s permission center, go to the account settings and then select Google permissions from under Privacy & Security.
You can find Facebook’s app and website settings here. Facebook now automatically disables connections you haven’t used after 90 days, but it’s still worth reviewing your settings to ensure they’re up to date.