There are too many ways using these buttons can leak personal information or help Big Tech track you. There are some exceptions when it’s useful — but you might be surprised, and a little regretful, if you saw how many random sites have access to your Google or Facebook data. (Below, I’ll show you how to check and revoke access.)
What could go wrong? This month, Facebook warned a million Facebook users their accounts might have been compromised by 400 malicious apps that were designed to trick them into handing over their Facebook log-in information. Criminals were making fake log-in buttons.
And I’d like to share a doozy of a cautionary tale: A Washington Post reader wrote to me recently about a Google log-in button on a job portal called iCIMS designed — at least in theory — to help people upload their résumés. Turns out, using it inadvertently grants the site access to your entire collection of digital files.
You might not know the name iCIMS, but many people applying for jobs do: It has 2.4 million users and is used for recruitment by companies including Microsoft, Uber, UPS, Target and IBM. The iCIMS job application site offered The Post reader’s daughter the ability to upload her résumé directly from Google Drive, the online storage service.
Sounds convenient, but when she clicked on the Google Drive button, a message popped up: “This will allow iCIMS to: See and download all your Google Drive files.”
Wait, all of them? Google Drive is a popular cloud storage service for not only documents but also people’s photos, family videos, tax returns and more. Others have complained about the same privacy breach on Reddit and Google’s own support forums — and I confirmed the details by applying for a job myself.
iCIMS told me it is not currently rummaging through the other files of job applicants uploading résumés. “iCIMS does not access, transfer, store or otherwise process any additional information from the candidate’s Google Drive account, other than the file they select to upload to the iCIMS platform,” emailed Al Smith, the company’s chief technology officer.
But the problem is that iCIMS is still asking you to grant it permission to access all your Google files. Smith said this is a “standard connection managed by Google” and was the only way to share Drive files when iCIMS created its website.
A Google spokesman told me users have “choice and control” and have to click their consent to data sharing specifics on an “access permission” screen. But how many people spend time reading and digesting that fine print?
Google does have policies that sites and apps are supposed to follow, including taking the minimum amount of data and making declarations about what they’re doing with it. Google says users can report naughty apps to it — but that’s not the same as vetting them in advance.
iCIMS tells me that it is soon planning to shift to a newer version of Google’s Drive plug in, which offers a more narrow permission: “see, edit, create and delete only the specific Google Drive files you use with this app.” (Google says it has made a more narrow data-sharing plug-in available since 2012.)
But the takeaway remains: When you log in with Google, you’re taking a leap of faith that your data will be protected.
Log-in buttons aren’t necessarily bad. “If it is a legitimate site or service, then you don’t have too much to worry about,” said Bogdan Botezatu, the director of threat research and reporting at security company Bitdefender.
For example, some people log in to Google to grant the Zoom video conferencing app access to their calendar, making calls pop up automatically.
But there’s another thorny problem: “How do you know when it is legit and when it is not?” said Jen Caltrider, who leads the Privacy Not Included project at nonprofit Mozilla. “I am a privacy researcher and sometimes I’m not 100 percent sure.” Many companies today hide that they’re actually in the business of vacuuming up people’s data.
And Google has a long history of enabling questionable oversharing. In 2018, my colleague Doug MacMillan exposed how hundreds of apps that sought access to the entire contents of people’s Gmail to offer services such as price comparisons and automated travel-itinerary planners. He found the apps train their computers and even employees to read people’s emails.
Facebook has an even more tortured history of this. Facebook had to pay a $5 billion fine in 2019 after the Federal Trade Commission investigated how it allowed a company called Cambridge Analytica to access users’ personal data.
There’s a second popular use for log-in buttons: allowing your existing Google or Facebook account to serve as a convenient replacement log-in somewhere else. You might choose this instead of creating yet another username and password for a new website or app.
Facebook tells me this could be safer than creating a log-in with a bad password, or reusing one that you’ve already chosen for a different app. The No. 1 security mistake people make online is reusing passwords across apps and websites.
Yet I still rarely choose to log in with Google or Facebook.
First — as Facebook recently acknowledged — these buttons can be fraudulent tricks to steal people’s important log-in details.
Second, anyone who hacks into your Google or Facebook account would also get the keys to access any of these sites.
Third, using these helps Google and Facebook track you across websites and apps, letting them know when — and possibly even how — you’re using them. (It’s part of how Facebook tracks you even when you’re not using Facebook.)
A better idea to simplify your password headache is to use a password manager.
Some good news: Both Google and Facebook have places where you can check what sites and apps you’ve connected to. It’s a good idea to do a regular census — and boot anything you can’t really trust.
For Google, log in to your account and then pull up the Google permissions center, linked here. It lists all the third party apps with access and places you use Google log-in, and gives you the ability to revoke access.
For Facebook, log in to your account and find your way to the Apps and websites settings, linked here. Facebook now thankfully automatically disables connections you haven’t used after 90 days, but it’s still worth reviewing your choices.