These days every website seems to require a password. In truth, I have lost track of the total number of accounts and passwords I have. When you find yourself needing to sign up for the 79th time, it can be quite exhilarating to be offered the ability to sign on using Facebook, LinkedIn or another network you already have. What a great solution! No need to re-submit information or create yet another password.
But wait… do you really know what you’re trading for the luxury of one less password? Let’s find out.
It’s Sat and you need something interesting to read. http://t.co/G2pmcLsuTB @BinaryTat #CyberAware pic.twitter.com/Xo9KNto2Vn
— Sticky Password (@stickypassword) October 17, 2015
How it works
Let’s clear up one misconception: When you sign in using a network account you are not handing over your network password to the new site. What you are doing is allowing the new site to contact the chosen social network and gain access to your information therein. Let’s say you were using Facebook as a login, you’d select the ‘Sign in with Facebook’ button and it will pop up a new window with a Facebook address. You are now in Facebook. The URL (website address) should have an ‘https’ in the front followed by www.facebook.com. You can then enter your email and password. If the URL is not the site you want, this could be a scam so best not to enter your password here.
If you are already logged into Facebook on your computer (i.e. you never logged out, even if the tab is closed) then you may be presented with your profile photo to click on. At this point, if you login to your Facebook account, you are authenticating with Facebook and giving them permission to work with the new site. In some cases you are granting access to numerous pieces of your information. In other cases, you may also be allowing the new site to post on your behalf. The onus is on you to understand what information or actions you are agreeing to specific to the site or application that wants access.
Information you are giving away
Each social network has a set of user’s information that it gives away to anyone connected. The new site or application (aka third party) can get additional information with the user’s permission. According to the rules of the social networks, the third party that connects is supposed to have a clear display about which special information they are requesting. It should be as clear as “we would like to access your friend list” but could be as vague “we will also collect information about you.”
The user’s age range is almost always passed over by the network to ensure that the appropriate ads are shown. The ranges are usually; Age 13-17 (no adults ads), 18-20 (alcohol for non-US residents) and 21+.
Here is a list of what each major network allows connected apps to see:
Twitter Sign In
Since Twitter is a public site to begin with, most of what a third party site or app can access is what anyone can see. If you do have a private account, be wary that you are giving this away.
Google Sign In
Since Google owns the world’s biggest search engine, the biggest video service (YouTube) and one of the biggest email systems (Gmail), they have a tremendous amount of information about your searching, shopping, and viewing habits. Be wary when signing in using Google and check what information the connect site is requesting.
Facebook Login
Facebook has also become a wealth of insight into personal preferences and demographic information. When a development company uses the Facebook API to create an app that connects with Facebook, they can get the automatic information but much of the special requested info (like user actions or personal posts) has to be reviewed by the Facebook team to make sure third parties are using the information ethically.
LinkedIn Sign In
LinkedIn should likely contain your least private information but third parties can still take a lot of it.
When to use it
Every time you use a sign in you are essentially adding that company or app as a ‘friend’ to your account. Ask yourself, if this third party were a person, would I want them to have access to this information? Do I trust them with it?
I highly recommend that you only connect via another network when you need it. For instance, if you use an app that manages one of your social sites, then you will have to login with the network. One example is a scheduling app, like Tweetdeck or Hootsuite, where the purpose is for that third party app to post updates to your feed on your behalf. If you want to write a comment on the Wall Street Journal website, you do not need to use access via your social sites. In this instance it is better to create a new account or post anonymously.
Recommendations:
Make sure the sign-in screen lists the network URL that you want to access and it uses https!
About the author
Cat Coode is the founder of Binary Tattoo. Her mission is to help educate people with the knowledge of how an online identity is first created and then developed; empowering them to control how theirs evolves in the online world. With an increased awareness in digital safety, we can all enjoy the benefits of online communities while minimizing the risks. Cat is also an engineer, speaker, consultant, author, and, above all else, a parent. Her motivation to help others was born out of her concern for her kids and the new generations growing up in an ever-changing digital landscape. For online identity audits, free downloads, tips, and lots more information, check us out at www.BinaryTattoo.com.