In the past couple of years, it’s become commonplace for websites and apps to allow you to “Log in with Facebook” or “Log in with Google”. For many of us, our Facebook or Google accounts serve as the centre of our personal universes, so why wouldn’t we link everything else up to those platforms? After all, it saves us having to go through often laborious account creation processes and also having to remember yet another password. It also allows us to quickly share our product or service reviews and experiences. But what exactly are we signing up for when we sign in in this manner?
Giving away your data
Take a step back and think about the amount of personal data you have on your Facebook profile. Facebook especially has a lot of information available on request (birthday, friends lists, photos, employment and so on). The exact data being requested pops up in a window asking for permission, but how often do we review that request? We often just click through the terms and conditions unaware that we are creating more and more links between the pieces of our online profile.
This seemingly small agreement can carry far larger repercussions. Linking several sites allows companies to collect more data, building an increasingly rounded profile of you. Using one login for several sites presents the old “weakest link” scenario where a chain is only as strong as its weakest link. If the least secure of the sites you are signing in to is compromised, there is a very real risk that your login details will be used to access your data on more secure sites. If a trusted source of your identity is less secure, whether that’s Facebook, Google or another account, it risks becoming the weak link in the chain that gets targeted by attackers.
Facebook and Google are by far the two most frequently used services for logging in to other sites. Facebook snared 62% of all social log-ins across the tens of thousands of sites that support it (as of the end of 2015); Google is used 24% of the time according to Gigya, a customer identity management company.
Social networks want to be a trusted source for verifying your identity. Facebook announced a service called Delegated Account Recovery, which would let you use Facebook to verify your identity if you forget your password on an app or website. It’s important to bear in mind that your privacy is not the main concern of a social network; like any for-profit company, its focus is on monetising its product.
The more data ecosystems that are connected, the more a company can know about us and the more we continue to be their product, helping to maximise their profits. Down the line, it could cue an era of increasingly uncanny ad targeting, in line with the infamous example of Target analysing a teenager’s purchasing habits to deduce she was pregnant.
What they do with your data
The data held by social platforms and service providers like Google covers your habits and preferences. Facebook Like buttons littered throughout the Internet bounce back data about products or articles you’ve liked, while the Facebook Open Graph platform for other sites comes with plug-ins that collect data such as which of your friends already use a particular website or what you do while on the site.
In response to privacy concerns, Facebook does allow you to log in to third-party apps without having to give permission to share personal details. It’s also important to make sure you sever the connection for apps you’re no longer using.
Google monitors and tracks your online behaviour every time you use Google Search, through the Chrome browser and more. This data is used to build a socio-economic profile of you, which it then offers as a means of targeting in Google Ads.
As for those Terms of Service agreements that detail what will and won’t happen to your personal data: How many privacy changes on Facebook have you agreed to without understanding what they’re changing? The reality is that no-one reads the terms of service agreements, so at the very least make sure you check your privacy settings from time to time.
The key thought here is to make sure you trust the third-party site before logging in to it with your social profile.
The rules of logging in
We use Facebook and Google log-in because it’s easier than creating a new account. The ease of one-click login and account creation is apparently worth the price of trading some of our personal data.
The most secure use of social logins is with closely related sites. For example, Twitter’s login works well with services that are integrated with its own ecosystem, or where there’s a benefit to being able to cross-post (say, between WordPress and Twitter).
Likewise, Facebook could be used for services such as Instagram, Facebook Apps or other third-party services that plug into the Facebook platform.